Hello
I've found one problem
I have the latest OpenLDAP release, 2.4.3 (but it is similar on former versions too).
There is a small delay (1-2 s) at the beginning when I query the LDAP server from the same machine over TLS or SSL. Without SSL there is no delay.
Is it a bug or is it normal? How can I debug it further?
QUERY with delay: from ldap1 to ldap1 (the same machine)
[root@ldap1 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d

QUERY without delay: from ldap1 to ldap1 (the same machine, without TLS)
[root@ldap1 ~]# ldapsearch24 -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d

from ldap1 to ldap2
[root@ldap1 ~]# ldapsearch24 -Z -h ldap2.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d

from ldap2 to ldap1
[root@ldap2 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
I think my DNS/hosts settings are correct.
My testing environment:
servers: ldap1.ldapnet.tmapy.cz ldap2.ldapnet.tmapy.cz ldap3.ldapnet.tmapy.cz
from ldap1 config: slapd.conf
TLSCACertificateFile /etc/pki/tls/cacert.pem
TLSCertificateFile /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap1.ldapnet.tmapy.cz-key.pem

[root@ldap1 ~]# hostname
ldap1.ldapnet.tmapy.cz

[root@ldap1 ~]# grep ldap1 /etc/hosts
192.168.241.10 ldap1.ldapnet.tmapy.cz

[root@ldap1 ~]# ifconfig eth0
eth0 inet adr:192.168.241.10 Všesměr:192.168.241.255 Maska:255.255.255.0

[root@ldap1 ~]# grep ldap1 /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem
Subject: C=CS, ST=Kraj kralovehradecky, O=T-MAPY spol. s r.o., OU=ldapnet, CN=ldap1.ldapnet.tmapy.cz
Pavel Lisy
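Added diagnostic (not from this thread and not part of OpenLDAP): a small Python script that times each phase of connection setup on its own, so a delay that only shows up locally can be pinned to name resolution, the TCP connect, the StartTLS extended operation, or the TLS handshake itself. It assumes slapd listens on 389, that the CA to trust is the cacert.pem from the config above, and that the script is run as `ldap_phases.py HOST [-Z [CAFILE]]` from ldap1 against itself and against ldap2 so the columns can be compared.

```python
import socket
import ssl
import sys
import time


def ber_tlv(tag, payload):
    # Short-form BER TLV (length < 128); every StartTLS message fits in this.
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


# LDAPMessage { messageID 1, extendedReq [APPLICATION 23] { requestName [0] OID } }
STARTTLS_REQUEST = ber_tlv(0x30, ber_tlv(0x02, b"\x01") +
                           ber_tlv(0x77, ber_tlv(0x80, b"1.3.6.1.4.1.1466.20037")))


def measure_phases(host, port=389, starttls=False, cafile=None, timeout=5.0):
    """Return {phase: milliseconds}; raises on the first phase that fails."""
    timings = {}
    t0 = time.perf_counter()
    family, stype, proto, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    timings["dns"] = (time.perf_counter() - t0) * 1000
    sock = socket.socket(family, stype, proto)
    sock.settimeout(timeout)
    t0 = time.perf_counter()
    sock.connect(addr)
    timings["tcp"] = (time.perf_counter() - t0) * 1000
    if starttls:
        t0 = time.perf_counter()
        sock.sendall(STARTTLS_REQUEST)
        resp = sock.recv(4096)  # extendedResp is tiny, so one read suffices
        timings["starttls_op"] = (time.perf_counter() - t0) * 1000
        # 30 LL 02 01 01 78 LL 0a 01 RC ...: tag 0x78, then ENUMERATED resultCode
        if len(resp) < 10 or resp[5] != 0x78 or resp[7:9] != b"\x0a\x01" or resp[9] != 0:
            raise RuntimeError("StartTLS not accepted: %s" % resp.hex())
        ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
        t0 = time.perf_counter()
        sock = ctx.wrap_socket(sock, server_hostname=host)
        timings["tls_handshake"] = (time.perf_counter() - t0) * 1000
    sock.close()
    return timings


if __name__ == "__main__":
    # usage: ldap_phases.py HOST [-Z [CAFILE]]   (CAFILE e.g. /etc/pki/tls/cacert.pem)
    args = sys.argv[1:]
    rest = [a for a in args[1:] if a != "-Z"]
    for phase, ms in measure_phases(args[0], starttls="-Z" in args,
                                    cafile=rest[0] if rest else None).items():
        print("%-14s %8.1f ms" % (phase, ms))
```

A phase that is slow only when HOST resolves to the local machine points at that phase's dependency (the resolver, the listener, or the certificate path) rather than at TLS negotiation in general.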
--On Tuesday, December 08, 2009 10:55 AM +0100 Pavel Lisy pali@tmapy.cz wrote:
There is no 2.4.3 release. I'm going to take a wild guess that you mean 2.4.20, in which case, the issue you are discussing is ITS#6412, which is fixed in RE24 and will be part of the 2.4.21 release.
The openldap-its list is for discussing filed ITSes, not general questions. If you have a bug to report, please file an ITS at http://www.openldap.org/its. If you have a general question about the software, including *if* something is a bug, then please use the openldap-software@openldap.org list.
Thanks!
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
--On Tuesday, December 08, 2009 8:02 AM -0800 Quanah Gibson-Mount quanah@zimbra.com wrote:
The other bit would be that of course SSL/TLS connections are going to take a small amount of time longer, since they have to negotiate encryption. So they will always be slower than an unencrypted connection.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote on Tue 08. 12. 2009 at 08:58 -0800:
Maybe, but I'm not sure about it.
There is no visible difference when I query a remote LDAP server with or without TLS/SSL.
But when I query the local LDAP server (on the same machine), the delay is 1-2 s.
Do you know how to debug it?
Pavel