https://bugs.openldap.org/show_bug.cgi?id=10052
Issue ID: 10052
Summary: ldapsearch error "can't contact LDAP Server" <1%
Product: OpenLDAP
Version: 2.4.44
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs@openldap.org
Reporter: w3eagle@yahoo.com
Target Milestone: ---
Version used: 2.4.44, which is the one shipped with the Amazon Linux 2 core OS (AWS Linux 2).
Details: Users reported occasional issues with AD server authentication with MicroStrategy. We opened a case with MicroStrategy and learned that they use the OpenLDAP library for AD authentication. We were able to reproduce the issue with ldapsearch like below.
    ldapsearch -H ldaps://$REMOTEHOST:$REMOTEPORT \
        -x -D "CN=??????" \
        -y pssd.txt -LLL \
        -b "OU=???????" "(sAMAccountName=????)" dn
We use crontab to query AD once every minute, and we were able to see a few issues each day; the error rate is more than 1/1000 but less than 1/100. The error looks like below:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Not much info was logged other than this.
We tried all kinds of things but they didn't help, e.g. the ldap.conf settings to ignore cert validation, simplifying the cert folder files, and the like.
We thought perhaps TLS might be the issue, so we set up an nginx node within the same VPC, which communicates with the AD server over TLS but terminates TLS and talks to the other EC2 instances in clear text. We were not able to see any errors.
So we have proved that, for some reason, ldapsearch over ldaps fails with a low percentage.
I previously reported case 10049, but it was closed. The message was along the lines of OpenLDAP using other components for https/TLS, so possibly bugs from other libraries.
So to prove this issue is indeed in OpenLDAP, I scheduled the same ldapsearch on the nginx box itself. Knowing nginx was using the same OpenSSL library (openssl 1.0.2k), we reproduced the same ~1% "can't contact LDAP server" error on the nginx box. So this error is perhaps more related to OpenLDAP, or perhaps Cyrus SASL? (cyrus-sasl-lib 2.1.26)
My question is whether this sounds like an OpenLDAP bug. Please advise. Thanks.
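The report above measures the failure rate with a once-a-minute cron job and sees only the one-line "Can't contact LDAP server (-1)" message. The script below is an added example (not part of the original report or of OpenLDAP) of a probe harness that does the same measurement but also collects what a practitioner would want on each failure: the exit status, the classified error text, an independent TLS handshake check with openssl s_client (which does not go through libldap at all), and a re-run with libldap's own debug output (`-d -1`). Every hostname, bind DN, base DN and filter is an assumed placeholder set through environment variables; the result classifications (ok, cant_contact, tls, auth, other) are this example's own naming.

```shell
#!/bin/sh
# Added example: ldaps probe harness. Placeholders below are assumptions;
# override them via the environment before running with the "run" argument.
LDAP_URI="${LDAP_URI:-ldaps://ad.example.internal:636}"              # assumed
BIND_DN="${BIND_DN:-CN=svc-ldap,OU=Service Accounts,DC=example,DC=internal}" # assumed
PASS_FILE="${PASS_FILE:-pssd.txt}"                                   # password file, as in the report
BASE_DN="${BASE_DN:-OU=Users,DC=example,DC=internal}"               # assumed
FILTER="${FILTER:-(sAMAccountName=someuser)}"                        # assumed
LOG="${LOG:-/var/tmp/ldaps-probe.log}"                               # assumed
DIAG="${DIAG:-/var/tmp/ldaps-probe-diag.log}"                        # assumed

# Map one ldapsearch run (exit status + captured stderr) to a short class.
# ldapsearch exits with 255 for the -1 "Can't contact LDAP server" result.
classify_ldap_result() {
    status="$1"; text="$2"
    if [ "$status" -eq 0 ]; then echo ok; return 0; fi
    case "$text" in
        *"Can't contact LDAP server"*) echo cant_contact ;;
        *TLS*|*tls*|*certificate*)     echo tls ;;
        *"Invalid credentials"*)       echo auth ;;
        *)                             echo other ;;
    esac
}

# Host:port part of an ldap(s):// URI, for the openssl side check.
hostport_from_uri() {
    hp="${1#ldaps://}"; hp="${hp#ldap://}"; echo "${hp%%/*}"
}

# Run the search once, append a tab-separated line to $LOG, and on any
# failure capture an openssl handshake and a libldap debug run into $DIAG.
probe_once() {
    err=$(ldapsearch -H "$LDAP_URI" -x -D "$BIND_DN" -y "$PASS_FILE" -LLL \
          -b "$BASE_DN" "$FILTER" dn 2>&1 >/dev/null)
    status=$?
    cls=$(classify_ldap_result "$status" "$err")
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\n' "$now" "$cls" "$status" >> "$LOG"
    if [ "$cls" != ok ]; then
        hp=$(hostport_from_uri "$LDAP_URI")
        {
            printf '=== %s %s status=%s\n%s\n' "$now" "$cls" "$status" "$err"
            printf '--- openssl s_client %s\n' "$hp"
            openssl s_client -connect "$hp" -servername "${hp%%:*}" </dev/null 2>&1 \
                | grep -E 'Verify return|handshake|error|errno'
            printf '--- ldapsearch -d -1 (libldap trace)\n'
            ldapsearch -d -1 -H "$LDAP_URI" -x -D "$BIND_DN" -y "$PASS_FILE" -LLL \
                -b "$BASE_DN" "$FILTER" dn 2>&1 | tail -n 40
        } >> "$DIAG"
    fi
    echo "$cls"
}

# Summarise a probe log: total runs, failures, failure rate in percent.
summarize_log() {
    awk -F'\t' '{ t++; if ($2 != "ok") f++ }
        END { printf "total=%d fail=%d rate=%.2f%%\n", t, f, (t ? 100*f/t : 0) }' "$1"
}

# Main loop: one probe per PROBE_INTERVAL seconds (default 60, like the cron job).
main() {
    interval="${PROBE_INTERVAL:-60}"
    while :; do probe_once; sleep "$interval"; done
}

case "${1:-}" in
    run)       main ;;
    summarize) summarize_log "$LOG" ;;
esac
```

Run it as `./ldaps-probe.sh run` for a day, then `./ldaps-probe.sh summarize`. The point of the openssl check is to separate layers: if s_client completes a handshake at the same moment ldapsearch reports cant_contact, the problem is inside libldap or its TLS wrapper rather than the network or the AD endpoint; if s_client also fails, look at the network path first.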
--- Comment #1 from w3eagle@yahoo.com --- Just to be clear, when we use nginx with ldaps to the upstream AD server, but terminate TLS on nginx and use port 389 to talk to the nodes that do the ldapsearch like below, there were no errors. Searches were 100% good, instead of about 1% "can't contact LDAP server" errors.
    ldapsearch -H ldap://nginxbox \
        -x -D "CN=??????" \
        -y pssd.txt -LLL \
        -b "OU=???????" "(sAMAccountName=????)" dn
The above had no failures at all when going through the nginx reverse proxy.
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Hello,
I'm banning your account. If you create a new one I will ban it as well. You are abusing the ticketing system.
Quanah Gibson-Mount quanah@openldap.org changed:
    Status: UNCONFIRMED -> RESOLVED
    Keywords: needs_review -> (removed)
    Resolution: --- -> INVALID
Quanah Gibson-Mount quanah@openldap.org changed:
    Status: RESOLVED -> VERIFIED