7:13 a.m.
hi,
i'm operating an owncloud server that connects to an IBM Tivoli
Directory Server as LDAP backend. the ldap admin tells me he is seeing
"null binds" from my owncloud server in his logs:
2016-05-24T14:32:56.349452+2:00 srvr_ssl_read: EIO in handshake.
EWOULDBLOCK timeout. Read: -2 of 0
2016-05-24T14:32:56.350445+2:00 GLPSSL019E The SSL layer has reported an
unidentified internal error, SSL extended error code:406.
2016-05-24T14:32:56.351813+2:00 GLPSRV022E Failed to initialize secure
connection from client (connection ID: 61786, IP address: x.x.x.x, Port:
59921).
2016-05-24T14:32:56.357220+2:00 GLPSRV044W Client connection from
x.x.x.x bound as NULL closed by server.
i investigated on my server and noticed that it has problems connecting
to the ldaps://ldap.example.com uri (which is the ITDS server) under
high client system load, whereas connection to ldap://ldap.example.com
is ok.
$ ldapsearch -v -x -z 0 -H ldaps://ldap.example.com -b
"ou=groups,dc=example,dc=com" -v "objectClass=posixGroup"
ldap_initialize( ldaps://ldap.example.com:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
my server (RHEL 7 on a ppc64 LPAR) is using the openldap
clients/libraries. the high load that is causing the problems is on _my_
server. is there any specific tuning (besides increasing RAM/CPU) i can
do to optimize ldaps client queries? i'm thinking of tuning the tcp
stack or something similar, but i'm not an expert on this. where can i
look for debug info? i have strace and tcpdump output
thx
matthias
12:51 p.m.
--On Wednesday, May 25, 2016 5:13 PM +0200 Matthias Leopold
<matthias.leopold(a)meduniwien.ac.at> wrote:
my server (RHEL 7 on a ppc64 LPAR) is using the openldap
clients/libraries. the high load that is causing the problems is on _my_
server. is there any specific tuning (besides increasing RAM/CPU) i can
do to optimize ldaps client queries? i'm thinking of tuning the tcp stack
or something similar, but i'm not an expert on this. where can i look for
debug info? i have strace and tcpdump output
Are you using the client libraries shipped by RHEL? If so, I would note
they link to MozNSS rather than OpenSSL, and this is not supported by the
OpenLDAP project. I would strongly advise avoiding the RHEL built client
libraries entirely, and use sane packages linked to OpenSSL.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
1:59 a.m.
Matthias Leopold <matthias.leopold(a)meduniwien.ac.at> writes:
hi,
i'm operating an owncloud server that connects to an IBM Tivoli
Directory Server as LDAP backend. the ldap admin tells me he is seeing
"null binds" from my owncloud server in his logs:
2016-05-24T14:32:56.349452+2:00 srvr_ssl_read: EIO in handshake.
EWOULDBLOCK timeout. Read: -2 of 0
2016-05-24T14:32:56.350445+2:00 GLPSSL019E The SSL layer has reported an
unidentified internal error, SSL extended error code:406.
2016-05-24T14:32:56.351813+2:00 GLPSRV022E Failed to initialize secure
connection from client (connection ID: 61786, IP address: x.x.x.x, Port:
59921).
2016-05-24T14:32:56.357220+2:00 GLPSRV044W Client connection from
x.x.x.x bound as NULL closed by server.
i investigated on my server and noticed that it has problems connecting
to the ldaps://ldap.example.com uri (which is the ITDS server) under
high client system load, whereas connection to ldap://ldap.example.com
is ok.
$ ldapsearch -v -x -z 0 -H ldaps://ldap.example.com -b
"ou=groups,dc=example,dc=com" -v "objectClass=posixGroup"
ldap_initialize( ldaps://ldap.example.com:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
my server (RHEL 7 on a ppc64 LPAR) is using the openldap
clients/libraries. the high load that is causing the problems is on _my_
server. is there any specific tuning (besides increasing RAM/CPU) i can
do to optimize ldaps client queries? i'm thinking of tuning the tcp
stack or something similar, but i'm not an expert on this. where can i
look for debug info? i have strace and tcpdump output
thx
matthias
Hi Matthias,
as Quanah already stated RHEL7 builds use MozNSS and thus this problem
might be specific to these. If it is possible, please, try this
scenario with some OpenSSL-built OpenLDAP binaries (e.g. ones from
http://ltb-project.org). If these work correctly feel free to file a bug
to our bugzilla.redhat.com including all possible information. Anyway,
do not hesitate to contact our access.redhat.com customer assistance.
--
Matus Honek
Associate Software Engineer @ Red Hat, Inc.
2564
days inactive
2566
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Matthias Leopold -
Matus Honek -
Quanah Gibson-Mount