This bug was fixed in the package openldap - 2.4.49+dfsg-2ubuntu1.8
---------------
openldap (2.4.49+dfsg-2ubuntu1.8) focal; urgency=medium

  * d/p/ITS-8650-loop-on-incomplete-TLS-handshake.patch:
    Import upstream patch to properly retry gnutls_handshake() after it
    returns GNUTLS_E_AGAIN. (ITS#8650) (LP: #1921562)

 -- Utkarsh Gupta <[email protected]>  Thu, 08 Apr 2021 09:52:01 +0530
** Changed in: openldap (Ubuntu Focal)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1921562
Title:
Intermittent hangs during ldap_search_ext when TLS enabled
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Focal:
Fix Released
Status in openldap source package in Groovy:
Fix Released
Bug description:
[Impact]
========
When connecting to an LDAP server with TLS, ldap_search_ext can hang
if during the initial TLS handshake a signal is received by the
process. The cause of this bug is the same as
https://bugs.openldap.org/show_bug.cgi?id=8650.
In our case this bug causes failures in the SSSD LDAP backend at least
once per day, resulting in authentication errors followed by a sssd_be
restart after a timeout has been hit.
[Test Plan]
===========
When using openldap on 20.04, this bug causes failures in the SSSD
LDAP backend, resulting in authentication errors followed by a sssd_be
restart after a timeout has been hit:
Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error)
Mar 19 19:05:32 mail sssd_be[867455]: Starting up
With the patched version, this should no longer be a problem.
[Where Problems Could Occur]
============================
With this patch applied, there may be a few edge cases in (and varying
between) different versions of GnuTLS, and also some bits that are
discussed in https://bugs.openldap.org/show_bug.cgi?id=8650.
But that said, the patched version has already been running in production
for over two weeks' time (at the time of writing - 07/04/21). So I
believe the SRU will clearly benefit from this and has a lower risk of
regression.
[More Info]
===========
A reduced version of the patch linked above can be found attached to
this bug report. This patch has been applied to version
2.4.49+dfsg-2ubuntu1.7 and has been running in production for approximately
a week and the issue has no longer occurred. No other issues have appeared
during this period.
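To show what the changelog entry means by "properly retry gnutls_handshake() after it returns GNUTLS_E_AGAIN", here is an added illustration that is not code from OpenLDAP, GnuTLS, or the attached patch. gnutls_handshake() can return GNUTLS_E_AGAIN (socket not ready) or GNUTLS_E_INTERRUPTED (a signal arrived mid-call); both are non-fatal "call me again" results, and GnuTLS's gnutls_error_is_fatal() distinguishes them from real failures. A caller that takes the first such return as the outcome leaves the session half-established, which is how a signal during the initial handshake turns into the hang this report describes. The example replays that situation with a scripted stand-in (`fake_session`, `fake_handshake`, `run_scenario`, and the `*_script` arrays are all constructed here), so it builds without GnuTLS or a network. The `GNUTLS_E_*` values are assumed to mirror `<gnutls/gnutls.h>` but are redefined locally; `FAKE_E_FATAL` is a placeholder for any fatal error. `handshake_once` and `handshake_retry` are illustrative shapes of the pre- and post-patch calling strategy, not OpenLDAP's tls_g.c code.

```c
/* Added illustration (not OpenLDAP's or GnuTLS's code): why a TLS
 * handshake step must be retried on a non-fatal return, reproduced with
 * a scripted stand-in for gnutls_handshake(). */
#include <stddef.h>
#include <stdio.h>

/* Assumed to mirror the values in <gnutls/gnutls.h>; redefined locally
 * so the file compiles without GnuTLS headers installed. */
#define GNUTLS_E_SUCCESS       0
#define GNUTLS_E_AGAIN       (-28)
#define GNUTLS_E_INTERRUPTED (-52)
/* Constructed placeholder standing in for any fatal handshake error. */
#define FAKE_E_FATAL         (-1000)

/* Scripted session: replays a constructed list of return codes, then
 * reports success, and counts how many times it was driven. */
struct fake_session {
    const int *script;
    size_t len;
    size_t pos;
    int calls;
};

static int fake_handshake(struct fake_session *s)
{
    s->calls++;
    if (s->pos < s->len)
        return s->script[s->pos++];
    return GNUTLS_E_SUCCESS;   /* script exhausted: handshake completed */
}

/* Same rule as gnutls_error_is_fatal(): AGAIN/INTERRUPTED are retryable. */
static int error_is_fatal(int rc)
{
    return rc < 0 && rc != GNUTLS_E_AGAIN && rc != GNUTLS_E_INTERRUPTED;
}

/* Pre-patch shape: the first return value is taken as the outcome, so a
 * signal during the handshake is mistaken for its final result. */
int handshake_once(struct fake_session *s)
{
    return fake_handshake(s);
}

/* Post-patch shape: keep driving the handshake while the error is
 * non-fatal. The attempt bound is an added safeguard so a peer that never
 * becomes ready cannot keep the caller spinning; a real caller would wait
 * on the socket between attempts rather than busy-loop. */
int handshake_retry(struct fake_session *s, int max_attempts)
{
    int rc, attempts = 0;
    do {
        rc = fake_handshake(s);
        attempts++;
    } while (rc < 0 && !error_is_fatal(rc) && attempts < max_attempts);
    return rc;
}

/* Constructed scenarios: a signal then a not-ready socket; a fatal error
 * after one retry; a socket that stays not-ready for five steps. */
static const int interrupted_script[] = { GNUTLS_E_INTERRUPTED, GNUTLS_E_AGAIN };
static const int fatal_script[]       = { GNUTLS_E_AGAIN, FAKE_E_FATAL };
static const int never_ready_script[] = { GNUTLS_E_AGAIN, GNUTLS_E_AGAIN,
                                          GNUTLS_E_AGAIN, GNUTLS_E_AGAIN,
                                          GNUTLS_E_AGAIN };

/* Run one scenario with the chosen strategy; *calls_out (optional)
 * receives the number of handshake steps that were driven. */
int run_scenario(const int *script, size_t len, int retry,
                 int max_attempts, int *calls_out)
{
    struct fake_session s = { script, len, 0, 0 };
    int rc = retry ? handshake_retry(&s, max_attempts) : handshake_once(&s);
    if (calls_out)
        *calls_out = s.calls;
    return rc;
}

int main(void)
{
    int calls, rc;
    rc = run_scenario(interrupted_script, 2, 0, 10, &calls);
    printf("once   : rc=%d after %d step(s)\n", rc, calls);
    rc = run_scenario(interrupted_script, 2, 1, 10, &calls);
    printf("retry  : rc=%d after %d step(s)\n", rc, calls);
    rc = run_scenario(fatal_script, 2, 1, 10, &calls);
    printf("fatal  : rc=%d after %d step(s)\n", rc, calls);
    rc = run_scenario(never_ready_script, 5, 1, 3, &calls);
    printf("bounded: rc=%d after %d step(s)\n", rc, calls);
    return 0;
}
```

With the interrupted script, `handshake_once` reports GNUTLS_E_INTERRUPTED and stops, while `handshake_retry` drives the handshake twice more and finishes with success; a genuinely fatal code still ends the loop immediately, and the attempt bound returns the last non-fatal code so the caller can decide whether to wait and try again.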