Bug 772036

Summary: OpenLDAP linked to MozNSS has severe performance issues with StartTLS
Product: Red Hat Enterprise Linux 6
Reporter: Quanah Gibson-Mount <quanah>
Component: openldap
Assignee: Jan Vcelak <jvcelak>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent
Priority: unspecified
Version: 6.2
CC: jplans, jvcelak, rmeggins, tsmetana
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-01-06 09:51:47 UTC

Description Quanah Gibson-Mount 2012-01-05 17:50:29 UTC
Description of problem:

Please see http://www.openldap.org/its/index.cgi/?findid=7122 for a detailed description.

Comment 2 Rich Megginson 2012-01-05 20:25:05 UTC
Cannot reproduce. Steps:

1) grabbed latest openldap 2.4 branch source code from git (OPENLDAP_REL_ENG_2_4) - HEAD commit is 
commit 14171f88ac1a5162c0d801e071163cc1b6de8aeb
Author: Quanah Gibson-Mount <quanah>
Date:   Tue Jan 3 12:20:15 2012 -0800

    ITS#7117

2) built from source into local install directories - one version built with moznss, one built with openssl
3) setup and configured server for TLS/SSL
4) on each server, did the following:
LDAPTLS_CACERT=~/save/CA/cacert.pem time bin/ldapsearch -xLLL -ZZ -H ldap://localhost.localdomain:1389/ -s base -b ""

the one built with moznss yields results similar to the following:
0.00user 0.00system 0:00.02elapsed 57%CPU (0avgtext+0avgdata 15344maxresident)k
0inputs+0outputs (0major+1051minor)pagefaults 0swaps

the one built with openssl yields results similar to the following:
0.02user 0.00system 0:00.04elapsed 64%CPU (0avgtext+0avgdata 17184maxresident)k
0inputs+0outputs (0major+1163minor)pagefaults 0swaps

i.e. the difference is negligible.

Please provide more information so that we can reproduce the issue you are seeing.

Comment 3 Quanah Gibson-Mount 2012-01-05 20:39:13 UTC
The issue was reported against the OpenLDAP 2.4.23 packages as built and provided by Red Hat. I fail to see how verifying this issue is fixed in a later build has any relation to a problem with the RHEL provided packages.

Comment 4 Rich Megginson 2012-01-05 21:16:33 UTC
The RHEL 6.2 openldap package doesn't go strictly by the version of the upstream package - many of those fixes have been backported to the RHEL 6.2 openldap 2.4.23 package, but only the release tag has changed, not the 2.4.23 - so, for example, many openldap moznss patches went in between 2.4.23-5 and 2.4.23-19.
If you look at the rpm changelog you can see that - unfortunately the changelog does not list the upstream ITS, so it's a bit of work to go back from the rh bz to the openldap ITS.
For example, ITS#7034 is rhbz#701678 and rhbz#709407, which was fixed in openldap-2.4.23-19.el6, which looks like it was included in the upstream openldap 2.4.28.
That's why I was testing with the latest openldap releng 2.4 branch code, since, at least as far as moznss patches go, it's almost the same - and since, if I have to fix this bug, I'm going to have to eventually work backwards to the openldap 2.4 branch source code, and then to the master branch in order to format and submit an acceptable patch to the openldap ITS system, I figured I would save some time.

Comment 5 Rich Megginson 2012-01-05 21:26:43 UTC
Additional steps:

1) installed the openldap-servers 2.4.23-20 package on RHEL 6.2 x86_64
2) setup server and configured for TLS
3) LDAPTLS_CACERT=~/save/CA/cacert.pem time ldapsearch -xLLL -ZZ -H ldap://localhost.localdomain:1389/ -s base -b ""
dn:
objectClass: top
objectClass: OpenLDAProotDSE

0.00user 0.00system 0:00.02elapsed 53%CPU (0avgtext+0avgdata 14608maxresident)k
0inputs+0outputs (0major+1003minor)pagefaults 0swaps

ldapsearch returns immediately - same as other tests performed with source code from the git 2.4 branch.

Please provide more information.

Comment 6 Quanah Gibson-Mount 2012-01-05 21:45:42 UTC
Close this out for now; the package being used is 2.4.23-15, not 2.4.23-20. Advised customer to upgrade to current package build.
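The thread turns on a point worth automating: on RHEL the backported fix is identified by the package release tag (2.4.23-15 vs 2.4.23-20), not by the upstream version number, so a check that only looks at "2.4.23" cannot tell an affected host from a fixed one. The script below is an added example, not code from the bug or from Red Hat; it implements rpm's segment-wise version comparison in Python and applies it to `rpm -q openldap-servers` style package strings. The sample package strings are constructed from the builds named in the comments, and treating 2.4.23-20.el6 as the minimum acceptable build is an assumption: the thread only states that -15 was affected and -20 behaved correctly.

```python
import re

# Constructed sample inputs: the two package builds named in the bug thread,
# written as `rpm -q openldap-servers` would print them on RHEL 6.2 x86_64.
AFFECTED_BUILD = "openldap-servers-2.4.23-15.el6.x86_64"
WORKING_BUILD = "openldap-servers-2.4.23-20.el6.x86_64"

# Assumption (not stated on the page): the build that tested clean (-20) is
# taken as the minimum; the thread only says -15 was affected and -20 was fine.
MIN_FIXED_VR = "2.4.23-20.el6"


def _segments(s):
    """Split a version string the way rpmvercmp does: into runs of digits
    and runs of letters, with every other character acting as a separator."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Compare two version (or release) strings with rpm's segment rules.
    Returns -1, 0 or 1. Simplified: the tilde/caret pre-release syntax is
    not handled, which is fine for RHEL 6 era openldap builds."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)          # int() drops leading zeros, as rpm does
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1        # rpm: a numeric segment is newer than an alpha one
        elif x != y:
            return -1 if x < y else 1        # both alpha: plain string comparison
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1    # whichever still has segments left is newer


def parse_nvra(pkg):
    """Split 'name-version-release.arch' into its parts; the name may itself
    contain hyphens, so split from the right."""
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def vr_cmp(vr_a, vr_b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = vr_a.split("-", 1)
    vb, rb = vr_b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def needs_upgrade(pkg, min_vr=MIN_FIXED_VR):
    """True when the installed build is older than the minimum fixed one."""
    _, version, release, _ = parse_nvra(pkg)
    return vr_cmp(f"{version}-{release}", min_vr) < 0


if __name__ == "__main__":
    for pkg in (AFFECTED_BUILD, WORKING_BUILD):
        verdict = "upgrade" if needs_upgrade(pkg) else "ok"
        print(f"{pkg}: {verdict}")
```

Feed it the output of `rpm -q openldap-servers` from each host; a release-only difference such as -15 versus -20 is reported as an upgrade, while an upstream bump such as 2.4.28 against 2.4.23 is ordered correctly by the version segments before the release tag is consulted. As comment 4 notes, `rpm -q --changelog` on the installed package is the place to confirm which Red Hat bug a given release actually carries.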