
Re: problems connecting to ldaps:// under high load with ppc64 client



Matthias Leopold <matthias.leopold@meduniwien.ac.at> writes:

> hi,
>
> i'm operating an owncloud server that connects to an IBM Tivoli 
> Directory Server as LDAP backend. the ldap admin tells me he is seeing 
> "null binds" from my owncloud server in his logs:
>
> 2016-05-24T14:32:56.349452+2:00 srvr_ssl_read: EIO in handshake. 
> EWOULDBLOCK timeout. Read: -2 of 0
> 2016-05-24T14:32:56.350445+2:00 GLPSSL019E The SSL layer has reported an 
> unidentified internal error, SSL extended error code:406.
> 2016-05-24T14:32:56.351813+2:00 GLPSRV022E Failed to initialize secure 
> connection from client (connection ID: 61786, IP address: x.x.x.x, Port: 
> 59921).
> 2016-05-24T14:32:56.357220+2:00 GLPSRV044W Client connection from 
> x.x.x.x bound as NULL closed by server.
>
> i investigated on my server and noticed that it has problems connecting 
> to the ldaps://ldap.example.com uri (which is the ITDS server) under 
> high client system load, whereas connection to ldap://ldap.example.com 
> is ok.
>
> $ ldapsearch -v -x -z 0 -H ldaps://ldap.example.com -b 
> "ou=groups,dc=example,dc=com" -v "objectClass=posixGroup"
> ldap_initialize( ldaps://ldap.example.com:636/??base )
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> my server (RHEL 7 on a ppc64 LPAR) is using the openldap 
> clients/libraries. the high load that is causing the problems is on _my_ 
> server. is there any specific tuning (besides increasing RAM/CPU) i can 
> do to optimize ldaps client queries? i'm thinking of tuning the tcp 
> stack or something similar, but i'm not an expert on this. where can i 
> look for debug info? i have strace and tcpdump output
>
> thx
> matthias

Hi Matthias,

As Quanah already stated, RHEL7 builds use MozNSS and thus this problem
might be specific to these. If it is possible, please try this
scenario with some OpenSSL-built OpenLDAP binaries (e.g. ones from
http://ltb-project.org). If these work correctly, feel free to file a bug
at our bugzilla.redhat.com including all possible information. Anyway,
do not hesitate to contact our access.redhat.com customer assistance.

--
Matus Honek
Associate Software Engineer @ Red Hat, Inc.
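
The server log quoted in the thread shows a failed TLS handshake (GLPSRV022E) followed by a "bound as NULL" close (GLPSRV044W) from the same client. As an added example that is not part of the original messages, this Python parser separates such closes from NULL binds with no preceding handshake failure; the function name, the 2-second correlation window and the sample lines (constructed, with documentation IP addresses) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the server log quoted above
# (unwrapped to one line per entry; IP addresses are documentation ranges).
SAMPLE_LOG = """\
2016-05-24T14:32:56.350445+2:00 GLPSSL019E The SSL layer has reported an unidentified internal error, SSL extended error code:406.
2016-05-24T14:32:56.351813+2:00 GLPSRV022E Failed to initialize secure connection from client (connection ID: 61786, IP address: 192.0.2.10, Port: 59921).
2016-05-24T14:32:56.357220+2:00 GLPSRV044W Client connection from 192.0.2.10 bound as NULL closed by server.
2016-05-24T14:40:01.000100+2:00 GLPSRV044W Client connection from 198.51.100.7 bound as NULL closed by server.
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)\S*\s+(GLP\w+)\s+(.*)$")
TLS_FAIL = re.compile(r"IP address: ([^,\s]+), Port: (\d+)")
NULL_CLOSE = re.compile(r"Client connection from (\S+) bound as NULL")

def classify_null_closes(log_text, window=timedelta(seconds=2)):
    """Label each GLPSRV044W entry as a failed TLS handshake or an unexplained NULL bind.

    Assumption: a NULL close within `window` after a GLPSRV022E from the same
    IP is the same connection, as in the sequence quoted in the thread.
    """
    last_tls_fail = {}   # ip -> time of most recent GLPSRV022E
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # wrapped or non-GLP lines (e.g. srvr_ssl_read) are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
        code, msg = m.group(2), m.group(3)
        if code == "GLPSRV022E":
            hit = TLS_FAIL.search(msg)
            if hit:
                last_tls_fail[hit.group(1)] = ts
        elif code == "GLPSRV044W":
            hit = NULL_CLOSE.search(msg)
            if not hit:
                continue
            ip = hit.group(1)
            seen = last_tls_fail.get(ip)
            near = seen is not None and timedelta(0) <= ts - seen <= window
            results.append((ip, "tls_handshake_failed" if near else "null_bind_unexplained"))
    return results

if __name__ == "__main__":
    for ip, verdict in classify_null_closes(SAMPLE_LOG):
        print(ip, verdict)
```

Entries must be unwrapped to one line each before parsing, since the mail client wrapped the lines quoted above.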