hi,
i'm operating an owncloud server that connects to an IBM Tivoli Directory Server as LDAP backend. the ldap admin tells me he is seeing "null binds" from my owncloud server in his logs:
2016-05-24T14:32:56.349452+2:00 srvr_ssl_read: EIO in handshake. EWOULDBLOCK timeout. Read: -2 of 0
2016-05-24T14:32:56.350445+2:00 GLPSSL019E The SSL layer has reported an unidentified internal error, SSL extended error code:406.
2016-05-24T14:32:56.351813+2:00 GLPSRV022E Failed to initialize secure connection from client (connection ID: 61786, IP address: x.x.x.x, Port: 59921).
2016-05-24T14:32:56.357220+2:00 GLPSRV044W Client connection from x.x.x.x bound as NULL closed by server.
i investigated on my server and noticed that it has problems connecting to the ldaps://ldap.example.com uri (which is the ITDS server) under high client system load, whereas connection to ldap://ldap.example.com is ok.
$ ldapsearch -v -x -z 0 -H ldaps://ldap.example.com -b "ou=groups,dc=example,dc=com" -v "objectClass=posixGroup"
ldap_initialize( ldaps://ldap.example.com:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
my server (RHEL 7 on a ppc64 LPAR) is using the openldap clients/libraries. the high load that is causing the problems is on _my_ server. is there any specific tuning (besides increasing RAM/CPU) i can do to optimize ldaps client queries? i'm thinking of tuning the tcp stack or something similar, but i'm not an expert on this. where can i look for debug info? i have strace and tcpdump output
thx matthias
--On Wednesday, May 25, 2016 5:13 PM +0200 Matthias Leopold matthias.leopold@meduniwien.ac.at wrote:
my server (RHEL 7 on a ppc64 LPAR) is using the openldap clients/libraries. the high load that is causing the problems is on _my_ server. is there any specific tuning (besides increasing RAM/CPU) i can do to optimize ldaps client queries? i'm thinking of tuning the tcp stack or something similar, but i'm not an expert on this. where can i look for debug info? i have strace and tcpdump output
Are you using the client libraries shipped by RHEL? If so, I would note they link to MozNSS rather than OpenSSL, and this is not supported by the OpenLDAP project. I would strongly advise avoiding the RHEL built client libraries entirely, and use sane packages linked to OpenSSL.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
Matthias Leopold matthias.leopold@meduniwien.ac.at writes:
hi,
i'm operating an owncloud server that connects to an IBM Tivoli Directory Server as LDAP backend. the ldap admin tells me he is seeing "null binds" from my owncloud server in his logs:
2016-05-24T14:32:56.349452+2:00 srvr_ssl_read: EIO in handshake. EWOULDBLOCK timeout. Read: -2 of 0
2016-05-24T14:32:56.350445+2:00 GLPSSL019E The SSL layer has reported an unidentified internal error, SSL extended error code:406.
2016-05-24T14:32:56.351813+2:00 GLPSRV022E Failed to initialize secure connection from client (connection ID: 61786, IP address: x.x.x.x, Port: 59921).
2016-05-24T14:32:56.357220+2:00 GLPSRV044W Client connection from x.x.x.x bound as NULL closed by server.
i investigated on my server and noticed that it has problems connecting to the ldaps://ldap.example.com uri (which is the ITDS server) under high client system load, whereas connection to ldap://ldap.example.com is ok.
$ ldapsearch -v -x -z 0 -H ldaps://ldap.example.com -b "ou=groups,dc=example,dc=com" -v "objectClass=posixGroup"
ldap_initialize( ldaps://ldap.example.com:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
my server (RHEL 7 on a ppc64 LPAR) is using the openldap clients/libraries. the high load that is causing the problems is on _my_ server. is there any specific tuning (besides increasing RAM/CPU) i can do to optimize ldaps client queries? i'm thinking of tuning the tcp stack or something similar, but i'm not an expert on this. where can i look for debug info? i have strace and tcpdump output
thx matthias
Hi Matthias,
As Quanah already stated, RHEL7 builds use MozNSS and thus this problem might be specific to these. If it is possible, please try this scenario with some OpenSSL-built OpenLDAP binaries (e.g. ones from http://ltb-project.org). If these work correctly, feel free to file a bug at our bugzilla.redhat.com including all possible information. Anyway, do not hesitate to contact our access.redhat.com customer assistance.
--
Matus Honek
Associate Software Engineer @ Red Hat, Inc.
openldap-technical@openldap.org
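
Added example (not part of the thread and not code from any of its participants): a small log triage script for the ITDS messages quoted above, which separates "bound as NULL" closes that directly follow a failed TLS handshake from the same client from ones that do not. The function name, the one-second correlation window, the sample addresses and the second NULL close are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines quoted in the thread
# (192.0.2.x are documentation addresses; the last line is made up).
SAMPLE_LOG = """\
2016-05-24T14:32:56.349452+2:00 srvr_ssl_read: EIO in handshake. EWOULDBLOCK timeout. Read: -2 of 0
2016-05-24T14:32:56.350445+2:00 GLPSSL019E The SSL layer has reported an unidentified internal error, SSL extended error code:406.
2016-05-24T14:32:56.351813+2:00 GLPSRV022E Failed to initialize secure connection from client (connection ID: 61786, IP address: 192.0.2.10, Port: 59921).
2016-05-24T14:32:56.357220+2:00 GLPSRV044W Client connection from 192.0.2.10 bound as NULL closed by server.
2016-05-24T14:40:02.100000+2:00 GLPSRV044W Client connection from 192.0.2.20 bound as NULL closed by server.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)\S*\s+(.*)$")
TLS_FAIL = re.compile(r"^GLPSRV022E .*IP address: ([^,]+),")
NULL_CLOSE = re.compile(r"^GLPSRV044W Client connection from (\S+) bound as NULL")

def classify_null_closes(log_text, window=timedelta(seconds=1)):
    """Return [(ip, verdict)] for every GLPSRV044W 'bound as NULL' line.

    verdict is 'tls-handshake-failure' when the same IP logged GLPSRV022E
    within `window` before the close (assumed correlation rule), otherwise
    'unexplained-null-bind'.
    """
    last_tls_fail = {}  # ip -> time of most recent GLPSRV022E
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # The "+2:00" offset is not ISO 8601, so it is dropped; all lines
        # are assumed to come from one server with one offset.
        when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
        msg = m.group(2)
        if (f := TLS_FAIL.match(msg)):
            last_tls_fail[f.group(1).strip()] = when
        elif (n := NULL_CLOSE.match(msg)):
            ip = n.group(1)
            seen = last_tls_fail.get(ip)
            recent = seen is not None and timedelta(0) <= when - seen <= window
            results.append((ip, "tls-handshake-failure" if recent
                            else "unexplained-null-bind"))
    return results

if __name__ == "__main__":
    for ip, verdict in classify_null_closes(SAMPLE_LOG):
        print(ip, verdict)
```

Closes tagged tls-handshake-failure point at the client-side ldaps problem discussed in this thread; the remaining ones are connections that closed without a bind for some other reason and need separate review.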