Re: (ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)
- From: firstname.lastname@example.org
- Date: Thu, 31 Aug 2017 16:00:10 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Mike Jackson
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (184.108.40.206)
>
> Push replication via TLS fails to remote servers where the TCP/IP round-trip
> time is greater than 100ms. When the return packets finally arrive, the
> initiating server will close the connection with RST RST RST, which results in
> TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection
> will function normally and replication will occur.
>
> The 100ms time limit comes from here:
> servers/slapd/back-ldap/back-ldap.h: #define LDAP_BACK_RESULT_UTIMEOUT
> Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005.
>
> HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported
> the config keyword that sets the timeout number of retries"
>
> In addition, the back_ldap man page is not up to date.
>
> My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT (900000) (900ms)
> and recompile. Problem immediately went away, but this is not a correct approach
> and the retry counter should be runtime configurable.
back-ldap has been fixed to use the configured timeout for exops here. Fix is
in git master.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/