[Bug 2090806] Re: TIMEOUT and NETWORK_TIMEOUT don't work when SSL is involved

Matthew Ruffell Sat, 25 Jan 2025 19:20:41 -0800

Performing verification for noble.

I setup a fresh noble VM according to the testcase. The opendlap version
is:


$ sudo apt-cache policy slapd | grep Installed
  Installed: 2.6.7+dfsg-1~exp1ubuntu8.1
  
from -updates.

Running the reproducer:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap    7851  0.0  0.1 1224136 7988 ?        Ssl  03:06   0:00 
/usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F 
/etc/ldap/slapd.d
$ sudo kill -STOP 7851
$ ldapsearch -x -H ldaps://example.com

top shows ldapsearch running at 100% CPU for over a minute now, so much for the
30 second timeout.

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND  
                                                                      
   7869 ubuntu    20   0   20724  11084   6784 R  99.7   0.3   1:08.92 
ldapsearch                                                                     

   
If you leave ldapsearch running, it will never timeout, and stay constantly
at 100% CPU.

I then sent SIGCONT to the slapd process:

$ sudo kill -CONT 7851

and we are back to normal:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

I then enabled -proposed, and installed openldap
2.6.7+dfsg-1~exp1ubuntu8.2

Re-running the reproducer:

I added a time to the second ldapsearch, to show the timeout working
effectively.

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap    8559  0.0  0.2 1224140 8344 ?        Ssl  03:10   0:00 
/usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F 
/etc/ldap/slapd.d
$ sudo kill -STOP 8559
$ time ldapsearch -x -H ldaps://example.com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

real    0m30.040s
user    0m0.012s
sys     0m0.007s

A perfect 30 second timeout, with appropriate error message. top shows 0% CPU
the whole time.

The package in -proposed fixes the issue. Happy to mark verified for
noble.

** Tags removed: verification-needed-noble
** Tags added: verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2090806

Title:
  TIMEOUT and NETWORK_TIMEOUT don't work when SSL is involved

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2090806/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2090806] Re: TIMEOUT and NETWORK_TIMEOUT don't work when SSL is involved

Reply via email to