[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)

mikedotjackson@gmail.com wrote:
> Full_Name: Mike Jackson
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Push replication via TLS fails to remote servers where the TCP/IP round-trip
> time is greater than 100ms. When the return packets finally arrive, the
> initiating server will close the connection with RST RST RST, which results in
> TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection
> will function normally and replication will occur.
> The 100ms time limit comes from here:
> servers/slapd/back-ldap/back-ldap.h:    #define   LDAP_BACK_RESULT_UTIMEOUT
> (100000)
> Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005.
> HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported
> the config keyword that sets the timeout number of retries"
> In addition, the back_ldap man page is not up to date.
> My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT (900000)  (900ms)
> and recompile. Problem immediately went away, but this is not a correct approach
> and the retry counter should be runtime configurable.

back-ldap has been fixed to use the configured timeout for exops here. Fix is 
in git master.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/