
Re: Spurious Start TLS failed errors on proxied bind OpenLDAP 2.4.40



--On Tuesday, January 22, 2019 3:10 PM +0200 Janne Peltonen <janne.peltonen@helsinki.fi> wrote:

> Quanah Gibson-Mount wrote:
>>> But we seem to be getting spurious Start TLS failed messages also
>>> without any competing connections. Here's one using ldap+STARTTLS but
>>> no other ACCEPTs anywhere near:
>> These aren't spurious - your TLS library has genuinely failed to start a
>> session. Which TLS library are you using? What OS are you running on?
>> The most common cause for periodic failures is running out of entropy
>> for the PRNG.
>> They noted RHEL7 and 2.4.40, which would mean MozNSS, as the most recent
>> RHEL7 build of 2.4.44 switched back to OpenSSL. I would just add this to
>> the many reasons not to use RHEL for OpenLDAP.
>
> The fact that they keep switching the TLS libraries they're linking to? I
> can roll out my own RPMs and keep them linked to the very same library
> all the time, but do you think linking to OpenSSL could help resolve my
> issue? Running out of entropy with only a few starttls calls per second,
> or only a few ldaps connections per second, seems to be a bit weird to me.

Hi Janne,

Red Hat pursued linking OpenLDAP against MozNSS against the advice of the OpenLDAP Foundation. We reluctantly included those patches in the 2.4 series, but they were a constant source of problems. Red Hat never disclosed to the OpenLDAP project why exactly they abandoned MozNSS and switched back to OpenSSL.

Regardless, you should at least update to the latest RHEL7 version from RH to see if it offers any relief from the issue you are encountering. There are also alternatives to the RH build that you can use on RH, such as:

a) The Symas OpenLDAP for Linux packages (currently at 2.4.47). See <https://symas.com/linux-openldap-support-symas-corporation/>, <https://symas.com/linuxopenldap/>. These packages are provided for free, with the option of having paid support.

b) The LTB project: <https://ltb-project.org/documentation/openldap-rpm#yum_repository>

c) The Symas commercial version of OpenLDAP, which requires a support contract and has additional features: <https://symas.com/symasopenldap/>

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
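The two checks this thread turns on are which TLS library the running slapd is actually linked against (MozNSS vs. OpenSSL on RHEL7) and whether the kernel entropy pool is starved. The script below is an added example, not code from the thread or from the OpenLDAP or Symas projects: it classifies `ldd` output by the shared-object names each library ships (libnss3/libssl3 for MozNSS, libssl/libcrypto for OpenSSL, libgnutls for GnuTLS), and flags entropy_avail below an assumed threshold of 256 bits. The `ldd` samples are constructed for offline use; the slapd path and the threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): identify slapd's TLS library and
# check the kernel entropy pool, the two things asked about above.

# Classify ldd output by the shared objects it lists.
# MozNSS patterns are tested first: "libssl3.so" must not be mistaken
# for OpenSSL's "libssl.so.10".
tls_lib_from_ldd() {
    case "$1" in
        *libnss3.so*|*libssl3.so*)   echo moznss ;;
        *libssl.so*|*libcrypto.so*)  echo openssl ;;
        *libgnutls.so*)              echo gnutls ;;
        *)                           echo unknown ;;
    esac
}

# Report "low" when the entropy estimate is below the threshold (assumed
# 256 bits, the size of the pool that older kernels wait to fill; on
# kernels 5.18+ the counter reads 256 whenever the CRNG is ready and is no
# longer a useful starvation signal).
entropy_status() {
    avail="$1"
    threshold="${2:-256}"
    if [ "$avail" -lt "$threshold" ]; then
        echo low
    else
        echo ok
    fi
}

# Run both checks against the live system when the files exist.
check_live() {
    bin="${1:-/usr/sbin/slapd}"   # assumed RHEL7 path
    if [ -x "$bin" ]; then
        echo "$bin TLS library: $(tls_lib_from_ldd "$(ldd "$bin" 2>/dev/null)")"
    else
        echo "$bin not found; skipping library check"
    fi
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        avail=$(cat /proc/sys/kernel/random/entropy_avail)
        echo "entropy_avail=$avail: $(entropy_status "$avail")"
    fi
}

# Constructed ldd excerpts, modelled on the RHEL7 MozNSS build and the
# later OpenSSL build; addresses are made up.
SAMPLE_MOZNSS_LDD='	libnss3.so => /lib64/libnss3.so (0x00007f3a2c1e0000)
	libssl3.so => /lib64/libssl3.so (0x00007f3a2bfa0000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3a2bbd0000)'
SAMPLE_OPENSSL_LDD='	libssl.so.10 => /lib64/libssl.so.10 (0x00007f9b4a6c0000)
	libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f9b4a260000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f9b49e90000)'

echo "sample moznss build  -> $(tls_lib_from_ldd "$SAMPLE_MOZNSS_LDD")"
echo "sample openssl build -> $(tls_lib_from_ldd "$SAMPLE_OPENSSL_LDD")"
echo "entropy 128          -> $(entropy_status 128)"
check_live
```

Run it as root on the server showing the "Start TLS failed" messages; if it reports `moznss`, you are on the NSS-linked build the thread discusses, and a persistently `low` entropy reading during the failures supports the PRNG-starvation explanation rather than a certificate or cipher problem.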