Hello
I've found one problem
I have latest openldap release 2.4.3 (but it is similar on former versions too).
There is a small delay (1-2s) at the beginning when I query the LDAP server from the same machine over TLS or SSL. Without SSL there is no delay.
Is it a bug or is it normal? How can I debug it more?
QUERY with delay:
from ldap1 to ldap1 (the same machine)
[root@ldap1 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
QUERY without delay:
from ldap1 to ldap1 (the same machine without TLS)
[root@ldap1 ~]# ldapsearch24 -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
from ldap1 to ldap2
[root@ldap1 ~]# ldapsearch24 -Z -h ldap2.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
from ldap2 to ldap1
[root@ldap2 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
I think my DNS/hosts settings are correct
My testing environment:
servers:
ldap1.ldapnet.tmapy.cz
ldap2.ldapnet.tmapy.cz
ldap3.ldapnet.tmapy.cz
from ldap1 config:
slapd.conf
TLSCACertificateFile /etc/pki/tls/cacert.pem
TLSCertificateFile /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap1.ldapnet.tmapy.cz-key.pem
[root@ldap1 ~]# hostname
ldap1.ldapnet.tmapy.cz
[root@ldap1 ~]# grep ldap1 /etc/hosts
192.168.241.10 ldap1.ldapnet.tmapy.cz
[root@ldap1 ~]# ifconfig eth0
eth0 inet adr:192.168.241.10 Všesměr:192.168.241.255 Maska:255.255.255.0
[root@ldap1 ~]# grep ldap1 /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem
Subject: C=CS, ST=Kraj kralovehradecky, O=T-MAPY spol. s r.o.,OU=ldapnet, CN=ldap1.ldapnet.tmapy.cz
Pavel Lisy
--On Tuesday, December 08, 2009 10:55 AM +0100 Pavel Lisy pali@tmapy.cz wrote:
> Hello
> I've found one problem
> I have latest openldap release 2.4.3 (but it is similar on former versions too).
There is no 2.4.3 release. I'm going to take a wild guess that you mean 2.4.20, in which case, the issue you are discussing is ITS#6412, which is fixed in RE24 and will be part of the 2.4.21 release.
The openldap-its list is for discussing filed ITSes, not general questions. If you have a bug to report, please file an ITS at http://www.openldap.org/its. If you have a general question about the software, including *if* something is a bug, then please use the openldap-software@openldap.org list.
Thanks!
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
--On Tuesday, December 08, 2009 8:02 AM -0800 Quanah Gibson-Mount quanah@zimbra.com wrote:
> --On Tuesday, December 08, 2009 10:55 AM +0100 Pavel Lisy pali@tmapy.cz wrote:
>> Hello
>> I've found one problem
>> I have latest openldap release 2.4.3 (but it is similar on former versions too).
The other bit would be that of course SSL/TLS connections are going to take a small amount of time longer, since they have to negotiate encryption. So they will always be slower than an unencrypted connection.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote on Tue 08. 12. 2009 at 08:58 -0800:
> --On Tuesday, December 08, 2009 8:02 AM -0800 Quanah Gibson-Mount quanah@zimbra.com wrote:
>> --On Tuesday, December 08, 2009 10:55 AM +0100 Pavel Lisy pali@tmapy.cz wrote:
>>> Hello
>>> I've found one problem
>>> I have latest openldap release 2.4.3 (but it is similar on former versions too).
> The other bit would be that of course SSL/TLS connections are going to take a small amount of time longer, since they have to negotiate encryption. So they will always be slower than an unencrypted connection.
Maybe but I'm not sure about it.
There is no visible difference when I query a remote LDAP server with or without TLS/SSL.
But when I query the local LDAP server (on the same machine) the delay is 1-2s.
Do you know how to debug it?
Pavel
Quanah Gibson-Mount wrote on Tue 08. 12. 2009 at 08:02 -0800:
> --On Tuesday, December 08, 2009 10:55 AM +0100 Pavel Lisy pali@tmapy.cz wrote:
>> Hello
>> I've found one problem
>> I have latest openldap release 2.4.3 (but it is similar on former versions too).
> There is no 2.4.3 release. I'm going to take a wild guess that you mean 2.4.20, in which case, the issue you are discussing is ITS#6412, which is fixed in RE24 and will be part of the 2.4.21 release.
My mistake. I mixed it up with the latest Samba version 3.4.3. I'm using version 2.4.19. I will try 2.4.21. Do you know when it will be ready?
> The openldap-its list is for discussing filed ITSes, not general questions. If you have a bug to report, please file an ITS at http://www.openldap.org/its. If you have a general question about the software, including *if* something is a bug, then please use the openldap-software@openldap.org list.
I didn't know it. Thanks for your help.
Pavel