Bug 1445188

Summary: Misleading error message - Incoming BER Element was 3 bytes
Product: Red Hat Enterprise Linux 7 Reporter: Amita Sharma <amsharma>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: medium Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: low    
Version: 7.4CC: amsharma, cobrown, nkinder, rmeggins
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.7.5-10.el7 Doc Type: Bug Fix
Doc Text:
Clear error message when sending TLS data to a non-LDAPS port Previously, Directory Server decoded TLS protocol handshakes sent to a port that was configured to use plain text as an *LDAPMessage* data type. However, decoding failed and the server reported the misleading "BER was 3 bytes, but actually was <greater>" error. With this update, Directory Server detects if TLS data is sent to a port configured for plain text and returns the following error message to the client: Incoming BER Element may be misformed. This may indicate an attempt to use TLS on a plaintext port, IE ldaps://localhost:389. Check your client LDAP_URI settings. As a result, the new error message indicates that an incorrect client configuration causes the problem.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 14:16:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Amita Sharma 2017-04-25 08:32:07 UTC 
Description of problem:
Because of a wrong port number used in commandline for ladpmodify, I am getting in error logs - 
[25/Apr/2017:03:03:32.806827033 -0400] - ERR - log_ber_too_big_error - conn=12 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. 

which is misleading

Version-Release number of selected component (if applicable):
389-ds-base-1.3.6.1-9.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure MMR with SSL

2. execute - /usr/lib64/mozldap/ldapmodify -Z -P "/etc/dirsrv/slapd-M1/cert8.db" -W secret12 -p 30100 -h localhost -D "cn=directory manager" -w Secret123 << EOF
dn: uid=new_user4,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: new_user4
sn: new_user4
cn: new_user4
EOF

where 30100 is non-ssl port (wrong port number)

3. you will get below on command line -
ldap_simple_bind: Can't contact LDAP server
	SSL error -5938 (Encountered end of file.)

4. And in error messages, it will show -
[25/Apr/2017:03:13:17.830291071 -0400] - ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[25/Apr/2017:03:22:08.700482270 -0400] - ERR - log_ber_too_big_error - conn=22 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.


Actual results:
Error message for a wrong port-

[25/Apr/2017:03:13:17.830291071 -0400] - ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[25/Apr/2017:03:22:08.700482270 -0400] - ERR - log_ber_too_big_error - conn=22 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.


Expected results:
Errors message should be helpful in pointing out the mistake.


Additional info:
Comment 2 Amita Sharma 2017-04-25 09:08:18 UTC 
Here the error message says "ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase."

Even if you try to change the nsslapd-maxbersize attribute in cn=config to increase, it does not help to resolve the issue and leads to more confusion.
Comment 3 wibrown@redhat.com 2017-09-11 23:49:32 UTC 
I've seen this before. It's when you use TLS on a ldap:// port. This could be easy to detect and fix but I seem to remember last I looked at it, it was more annoying than I thought.
Comment 4 wibrown@redhat.com 2017-09-11 23:53:54 UTC 
Upstream ticket:
https://pagure.io/389-ds-base/issue/49377
Comment 9 Amita Sharma 2017-11-21 10:47:43 UTC 
After discussion on IRC it is clear that we can still get both of these error messages in some cases. Hence marking bug as verified. Thanks @wibrown
Comment 10 wibrown@redhat.com 2017-12-05 09:43:29 UTC 
You're welcome Amita!
Comment 17 errata-xmlrpc 2018-04-10 14:16:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811