https://bugs.openldap.org/show_bug.cgi?id=10052
Issue ID: 10052 Summary: ldapsearch error "can't contact LDAP Server" <1% Product: OpenLDAP Version: 2.4.44 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs@openldap.org Reporter: w3eagle@yahoo.com Target Milestone: ---
version used: 2.4.44 that is from Amazon2 core OS: AWS Linux2
Details: Users reported occasional issues with AD server authentication with MicroStrategy. Open case with MicroStrategy and learnt then use openldap library for the AD authentication. We were able to reproduce the issue with ldapsearch like below.
ldapsearch -H ldaps://$REMOTEHOST:$REMOTEPORT \ -x -D "CN=??????" \ -y pssd.txt -LLL \ -b "OU=???????" "(sAMAccountName=????)" dn
We use crontab to query AD once every minute, and we were able to see a few issues each day, error rate is more than 1/1000 but less than 1/100. The error looks like below -
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Not much info was logged other than this.
We tried all kinds of stuff but it didn't help, eg. the ldap.conf settings to ignore certs validation, simplify the cert folder files etc. and the like.
We think perhaps the TLS might be the issue, so we setup an nginx node within the same vpc, which communicates with AD server over TLS, but terminates TLS and talk to other ec2 with clear text. We were not able to see any errors.
So we have proved, for some reason, then ldapsearch over ldaps fails with a low percentage.
I previously reported case 10049, but it was closed. The message is like openldap is using other components for https/tls; so possibly bugs from other libraires.
So to prove this issue is indeep on openldap, I schedule the same ldapsearch on the nginx box itself. Knowing nginx was using the same openssl library (openssl 1.0.2k), we reproduced the same, ~1% "can't contact LDAP server" error, on the nginx box. So this error is perhaps more related to openldap, or perhaps Cyrus SASL? (cyrus-sasl-lib 2.1.26).
My question is whether this sounds like an openldap bug. Please advise. Thanks