
RE: problems on EAGAIN? (was: TLS connect from remote host to slapd hangs)



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Rainer Clasen

> > I've run the server under strace. slapd starts sending the CA
> > certificates and after several successful write()s one call to write()
> > returns EAGAIN. Up to then the client received some certificates and
> > then blocks.

> After figuring out that slapd picks the CAPath from ldap.conf in
> addition to a CAFile in slapd.conf, I was able to work around this problem
> by limiting the set of CA certificates the server knows to a small
> subset.

Yes, I guess this area needs to be cleared up. libldap automatically reads
ldap.conf when it initializes. Since slapd uses libldap, that means the
settings in ldap.conf will be read in addition to the settings in slapd.conf.
The libldap initialization occurs before slapd.conf is read, so the
slapd.conf settings will override the ldap.conf settings, and thus your
workaround succeeds.

The 2.1 documentation mildly suggests that the CApath option not be used.
Sometimes I feel that it should never have been provided, as it mostly just
causes confusion.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
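The ldap.conf/slapd.conf interaction described in this thread, as an added illustration that is not part of the original messages: a small model of the per-keyword precedence (libldap reads ldap.conf first, slapd.conf is read later and overrides the same setting, but a setting present only in ldap.conf survives, which is how a TLS_CACERTDIR from ldap.conf ends up beside a TLSCACertificateFile from slapd.conf). The two config texts are constructed samples, the keyword mapping uses the real ldap.conf and slapd.conf names, and the per-keyword override rule is an assumption drawn from the behaviour reported above.

```python
"""Model which TLS CA settings slapd ends up with when both ldap.conf
and slapd.conf are read. Assumption: each keyword is overridden
independently, so slapd.conf replaces only the settings it names."""

# ldap.conf keyword -> slapd.conf keyword for the same TLS setting
LDAP_CONF_TO_SLAPD_CONF = {
    "TLS_CACERT": "TLSCACertificateFile",
    "TLS_CACERTDIR": "TLSCACertificatePath",
    "TLS_CERT": "TLSCertificateFile",
    "TLS_KEY": "TLSCertificateKeyFile",
}

# Constructed sample files, not taken from any real host.
LDAP_CONF = """# /etc/openldap/ldap.conf (constructed sample)
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/ca-bundle.pem
TLS_CACERTDIR /etc/openldap/cacerts
"""

SLAPD_CONF = """# slapd.conf (constructed sample)
TLSCACertificateFile /etc/openldap/server-ca.pem
TLSCertificateFile /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.key
"""


def parse_conf(text):
    """Parse 'KEYWORD value' lines; '#' comment lines and blanks are skipped.
    Keywords are compared case-insensitively; a repeated keyword keeps the last value."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def effective_tls_settings(ldap_conf_text, slapd_conf_text):
    """Return {slapd.conf keyword: (value, originating file)} after both files are read."""
    ldap_conf = parse_conf(ldap_conf_text)
    slapd_conf = parse_conf(slapd_conf_text)
    effective = {}
    for ldap_key, slapd_key in LDAP_CONF_TO_SLAPD_CONF.items():
        if ldap_key in ldap_conf:          # libldap init: ldap.conf read first
            effective[slapd_key] = (ldap_conf[ldap_key], "ldap.conf")
        if slapd_key.upper() in slapd_conf:  # slapd.conf read later, overrides same keyword
            effective[slapd_key] = (slapd_conf[slapd_key.upper()], "slapd.conf")
    return effective


def inherited_from_ldap_conf(effective):
    """Keywords slapd is using that slapd.conf never set: these are the surprises."""
    return sorted(k for k, (_, origin) in effective.items() if origin == "ldap.conf")
```

Running `inherited_from_ldap_conf(effective_tls_settings(LDAP_CONF, SLAPD_CONF))` reports `TLSCACertificatePath` as coming from ldap.conf, which is exactly the extra CA set that bloated the handshake in the report above; setting it explicitly in slapd.conf (or dropping it from ldap.conf) removes the ambiguity.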