[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)

To: openldap-its@OpenLDAP.org
Subject: (ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)
From: mikedotjackson@gmail.com
Date: Thu, 31 Aug 2017 13:05:10 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Mike Jackson
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.157.185.162)


Push replication via TLS fails to remote servers where the TCP/IP round-trip
time is greater than 100ms. When the return packets finally arrive, the
initiating server will close the connection with RST RST RST, which results in
TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection
will function normally and replication will occur.

The 100ms time limit comes from here:

servers/slapd/back-ldap/back-ldap.h:    #define   LDAP_BACK_RESULT_UTIMEOUT
(100000)

Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005.

HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported
the config keyword that sets the timeout number of retries"

In addition, the back_ldap man page is not up to date.


My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT (900000)  (900ms)
and recompile. Problem immediately went away, but this is not a correct approach
and the retry counter should be runtime configurable.

Prev by Date: Re: (ITS#6835) extend pwFailureTime timestamp to microsecond resolution to improve pwdMaxFailure enforcement
Next by Date: Re: (ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)
Index(es):
- Chronological
- Thread