Comment 16 for bug 1557248

Maciej Puzio (maciej-puzio) wrote :

I can confirm that the following packages from xenial-proposed fix the bug:
slapd 2.4.42+dfsg-2ubuntu3.1
libldap-2.4-2 2.4.42+dfsg-2ubuntu3.1
ldap-utils 2.4.42+dfsg-2ubuntu3.1

I did not test the packages in wily-proposed. Setting up the test environment is not trivial, and I don't think it is worthwhile to make this effort for a release that goes out of support in two months and has already been superseded by an LTS release.

I apologize for the delay in replying to the verification request. This was caused by an unpleasant surprise encountered while testing the new packages. I attempted to recreate the test environment to mimic the setup in which I originally encountered this bug, but I did so slightly differently, and discovered another OpenLDAP bug that had basically the same symptoms. It was not immediately clear whether this situation was some unfixed edge case of the bug reported here, or whether it was an entirely separate bug. Further analysis showed that it was the latter; the root cause is entirely different, and the similarities are coincidental. For reference, the report for the new bug can be found at http://www.openldap.org/its/index.cgi?findid=8427

Testing methodology and environment:

Tests were done with both the fixed and the unfixed versions of the affected packages, i.e. 2.4.42+dfsg-2ubuntu3 and 2.4.42+dfsg-2ubuntu3.1. Note that the symptoms of this bug are intermittent, and several iterations may be needed for them to surface.

1. Configure two LDAP servers in dual master replication setup using slapd.conf config file as shown below.
2. Provide the servers with TLS certificates that are correct but use a 1024-bit public key. (Note: SECURE256 requires a 4096-bit RSA key.)
3. Set tls_reqcert to allow in slapd.conf.
4. Start slapd on both servers.
5. Stop and restart slapd on server A.
6. Server B will write errors to syslog:
   slapd: do_syncrep2: rid=001 (-1) Can't contact LDAP server
   slapd: do_syncrepl: rid=001 rc -1 retrying (9 retries left)

Result when using fixed packages:
After the predefined time, server B will retry replication, and we will not see any further error messages.

Result when using unfixed packages:
Server B produces the following messages in a loop:
   slapd: do_syncrepl: rid=001 rc -1 retrying (8 retries left)
   slapd: slap_client_connect: URI=ldaps://10.0.0.1 DN="cn=root,dc=test" ldap_sasl_bind_s failed (-1)

The relevant parts of slapd.conf (for server A at 10.0.0.1):

loglevel 1
serverID 001
moduleload syncprov
TLSCipherSuite SECURE256:-VERS-SSL3.0
TLSCACertificateFile /etc/ldap/ssl/ca.pem
TLSCertificateFile /etc/ldap/ssl/srvA.pem
TLSCertificateKeyFile /etc/ldap/ssl/srvA.key
syncrepl rid=001
        provider=ldaps://10.0.0.2
        type=refreshAndPersist
        retry="30 10 300 +"
        searchbase="dc=test"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=root,dc=test"
        credentials="plaintext-password"
        tls_reqcert=allow
        keepalive="240:5:10"
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 10 1440
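
Added example (not from the bug report above and not OpenLDAP code): a small triage script that reads the syslog messages quoted in the comment and tells the two outcomes apart, the retry counter advancing as the retry schedule intends versus the same "retries left" value repeating together with a bind failure on every attempt. The log lines in the block are constructed after the messages in the comment, with a made-up timestamp/host prefix; the slap_client_connect line carries no rid, so the script attributes it to the most recently seen rid, which assumes a single consumer per log stream as in the two-server setup described.

```python
"""Triage of slapd syncrepl retry messages from syslog.

Example added for this page; it is not code from the bug report or from
OpenLDAP. The sample log lines are constructed after the messages quoted in
the comment above (a constructed timestamp/host prefix is added).
"""
import re
from collections import defaultdict

# Message shapes as quoted in the comment.
CONTACT_RE = re.compile(r"do_syncrep2: rid=(\d+) \((-?\d+)\) Can't contact LDAP server")
RETRY_RE = re.compile(r"do_syncrepl: rid=(\d+) rc (-?\d+) retrying \((\d+) retries left\)")
BIND_RE = re.compile(r'slap_client_connect: URI=(\S+) DN="([^"]*)" ldap_sasl_bind_s failed \((-?\d+)\)')

# Constructed sample: behaviour of the unfixed packages (retry counter stuck
# at 8, bind failing on every attempt).
UNFIXED_SAMPLE = """\
Jun 10 12:00:01 srvB slapd: do_syncrep2: rid=001 (-1) Can't contact LDAP server
Jun 10 12:00:01 srvB slapd: do_syncrepl: rid=001 rc -1 retrying (9 retries left)
Jun 10 12:00:31 srvB slapd: do_syncrepl: rid=001 rc -1 retrying (8 retries left)
Jun 10 12:00:31 srvB slapd: slap_client_connect: URI=ldaps://10.0.0.1 DN="cn=root,dc=test" ldap_sasl_bind_s failed (-1)
Jun 10 12:01:01 srvB slapd: do_syncrepl: rid=001 rc -1 retrying (8 retries left)
Jun 10 12:01:01 srvB slapd: slap_client_connect: URI=ldaps://10.0.0.1 DN="cn=root,dc=test" ldap_sasl_bind_s failed (-1)
Jun 10 12:01:31 srvB slapd: do_syncrepl: rid=001 rc -1 retrying (8 retries left)
Jun 10 12:01:31 srvB slapd: slap_client_connect: URI=ldaps://10.0.0.1 DN="cn=root,dc=test" ldap_sasl_bind_s failed (-1)
"""

# Constructed sample: behaviour of the fixed packages (counter decreases,
# then the messages stop once the provider is reachable again).
FIXED_SAMPLE = """\
Jun 10 12:00:01 srvB slapd: do_syncrep2: rid=001 (-1) Can't contact LDAP server
Jun 10 12:00:01 srvB slapd: do_syncrepl: rid=001 rc -1 retrying (9 retries left)
Jun 10 12:00:31 srvB slapd: do_syncrepl: rid=001 rc -1 retrying (8 retries left)
"""


def longest_repeat(seq):
    """Length of the longest run of identical consecutive values in seq."""
    best = run = 1 if seq else 0
    for prev, cur in zip(seq, seq[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def triage(lines, stuck_after=3):
    """Summarise syncrepl retry activity per rid.

    A rid is reported as "stuck" when the same "retries left" value is logged
    stuck_after times in a row, i.e. the retry counter is not advancing, which
    is the loop described for the unfixed packages. Otherwise it is "retrying"
    (counter decreasing as the retry schedule intends) or "no retries logged".

    slap_client_connect lines carry no rid, so they are attributed to the rid
    most recently seen in the log (assumption: one consumer per log stream,
    as in the two-server setup of the comment).
    """
    state = defaultdict(lambda: {"contact_errors": 0, "retries_left": [], "bind_failures": 0})
    last_rid = None
    for line in lines:
        m = CONTACT_RE.search(line)
        if m:
            last_rid = m.group(1)
            state[last_rid]["contact_errors"] += 1
            continue
        m = RETRY_RE.search(line)
        if m:
            last_rid = m.group(1)
            state[last_rid]["retries_left"].append(int(m.group(3)))
            continue
        m = BIND_RE.search(line)
        if m and last_rid is not None:
            state[last_rid]["bind_failures"] += 1
    report = {}
    for rid, s in state.items():
        if not s["retries_left"]:
            status = "no retries logged"
        elif longest_repeat(s["retries_left"]) >= stuck_after:
            status = "stuck"
        else:
            status = "retrying"
        report[rid] = dict(s, status=status)
    return report


if __name__ == "__main__":
    for name, sample in (("unfixed", UNFIXED_SAMPLE), ("fixed", FIXED_SAMPLE)):
        for rid, s in triage(sample.splitlines()).items():
            print(f"{name}: rid={rid} status={s['status']} "
                  f"retries_left={s['retries_left']} bind_failures={s['bind_failures']}")
```

Run it as-is to see both samples classified, or feed it `journalctl -u slapd` / syslog output line by line; raise stuck_after if your retry schedule legitimately logs the same count more than a couple of times before the provider returns.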