Bug 877354

Summary: ldap_connection_expire_timeout doesn't expire ldap connections
Product: Red Hat Enterprise Linux 6
Reporter: Kaushik Banerjee <kbanerje>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: grajaiya, jgalipea, okos, pbrezina
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.9.2-21.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2013-02-21 09:40:29 UTC
Type: Bug
Bug Blocks: 881827    

Description Kaushik Banerjee 2012-11-16 10:40:33 UTC
Description of problem:
ldap_connection_expire_timeout doesn't expire ldap connections

Version-Release number of selected component (if applicable):
1.9.2-13

How reproducible:
Always

Steps to Reproduce:
1. domain section in sssd.conf

[domain/LDAP]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://cobra.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
ldap_connection_expire_timeout = 100

2. # getent passwd puser1;netstat -antp | grep 389;sleep 105;netstat -antp | grep 389
puser1:*:2001:2001:Posix User1:/home/puser1:
tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be        
tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be

Actual results:
Connection doesn't expire after "ldap_connection_expire_timeout" is over.

Expected results:
Connection should expire

Additional info:

Comment 3 Jakub Hrozek 2012-11-17 19:32:27 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1649

Comment 4 Jakub Hrozek 2012-11-17 19:56:15 UTC
FWIW, this regressed only when using a non-authenticated connection. Authenticated connections including GSSAPI still timed out fine.

It's still a regression, though. A patch is on the upstream list.

Comment 6 Kaushik Banerjee 2012-11-22 07:53:26 UTC
Verified in version 1.9.2-21

Output of beaker automation run:
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ldap_connection_timeout_001 Single Domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [16:58:17] ::  Sleeping for 5 seconds
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Option ldap_connection_expire_timeout has value 100'
puser1:*:1001:1001:Posix User1:/home/puser1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd puser1'
:: [16:58:23] ::  Sleeping for 110 seconds
user_srv1:*:1002:1002:User Srv1:/home/user_srv1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd user_srv1'
:: [   PASS   ] :: Connection was expired after 100 secs and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'connection is about to expire, releasing it'
spawn ssh -o StrictHostKeyChecking=no root.eng.brq.redhat.com /etc/init.d/dirsrv stop instance1
root.eng.brq.redhat.com's password: 
Shutting down dirsrv: 
    instance1...[  OK  ]

user_srv2:*:1999:1999:User SRV2:/home/user_srv2:
:: [   PASS   ] :: Running 'getent passwd user_srv2'
:: [17:01:20] ::  Sleeping for 105 seconds

MARK-LWD-LOOP -- 2012-11-21 17:02:24 --
tcp        0      0 10.34.54.35:52129           10.34.42.26:2389            ESTABLISHED 16081/sssd_be       
Group_srv2:*:1999:
:: [   PASS   ] :: Running 'getent group Group_srv2'
:: [   PASS   ] :: Connection was expired after 100 secs and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'connection is about to expire, releasing it'
spawn ssh -o StrictHostKeyChecking=no root.eng.brq.redhat.com /etc/init.d/dirsrv start instance1
root.eng.brq.redhat.com's password: 
Starting dirsrv: 
    instance1...[  OK  ]

'058e30c3-61bb-4574-8da5-568d03fb819c'
ldap-connection-timeout-001-Single-Domain result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ldap_connection_timeout_002 MultiDomain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [17:03:11] ::  Sleeping for 5 seconds
puser1:*:1001:1001:Posix User1:/home/puser1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd puser1'
:: [17:03:16] ::  Sleeping for 105 seconds
user_srv1:*:1002:1002:User Srv1:/home/user_srv1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd user_srv1'
:: [   PASS   ] :: Connection expired after 100 seconds for DOMAIN1 and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_DOMAIN1.log' should contain 'connection is about to expire, releasing it'
user_srv2:*:1999:1999:User SRV2:/home/user_srv2:
:: [   PASS   ] :: Running 'getent passwd user_srv2'
:: [17:05:02] ::  Sleeping for 205 seconds

MARK-LWD-LOOP -- 2012-11-21 17:07:24 --
Group_srv2:*:1999:
:: [   PASS   ] :: Running 'getent group Group_srv2'
:: [   PASS   ] :: Connection expired after 200 seconds for DOMAIN2 and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_DOMAIN2.log' should contain 'connection is about to expire, releasing it'
'db2b8114-b28c-4240-8fde-f5618bd9895d'
ldap-connection-timeout-002-MultiDomain result: PASS
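
The reproduction steps in the description and the "Connection was expired ... and new connection established" checks in the verification run both come down to comparing the sssd_be socket before and after the timeout. The script below is an added example, not part of the bug report or the beaker test suite; the function names and the second sample socket line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify two `netstat -antp`
# snapshots taken before and after ldap_connection_expire_timeout elapses.

# Print "local remote" for each ESTABLISHED sssd_be socket to the LDAP port.
# $1 = netstat -antp output, $2 = server port (389 in the report, 2389 in the
# verification run).
sssd_ldap_sockets() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" && $7 ~ /\/sssd_be$/ {
            n = split($5, r, ":")          # last field after ":" is the port
            if (r[n] == port) print $4, $5
        }' | sort -u
}

# $1 = snapshot before the sleep, $2 = snapshot after, $3 = server port.
# Echoes: persisted   - a socket from the first snapshot is still open (the bug)
#         recycled    - only new sockets exist (old connection was released)
#         closed      - sssd_be holds no connection to that port any more
#         no-baseline - the first snapshot had no connection to compare with
ldap_conn_state() {
    before=$(sssd_ldap_sockets "$1" "$3")
    after=$(sssd_ldap_sockets "$2" "$3")
    [ -n "$before" ] || { echo no-baseline; return 0; }
    [ -n "$after" ] || { echo closed; return 0; }
    # -F -x: each "before" pair is a fixed string that must match a whole line
    if printf '%s\n' "$after" | grep -Fxq -e "$before"; then
        echo persisted
    else
        echo recycled
    fi
}

# First line is the socket shown in the report; the second is constructed
# (same hosts, different ephemeral source port) to model a reconnect.
BEFORE='tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be'
AFTER_FIXED='tcp        0      0 10.65.201.200:40931         10.65.206.93:389            ESTABLISHED 7163/sssd_be'

echo "report output:   $(ldap_conn_state "$BEFORE" "$BEFORE" 389)"
echo "after reconnect: $(ldap_conn_state "$BEFORE" "$AFTER_FIXED" 389)"
```

On a live host, capture `netstat -antp` into a variable before and after the sleep and pass both to `ldap_conn_state`; a `closed` result is also consistent with a working timeout when no lookup has triggered a reconnect yet.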

Comment 7 errata-xmlrpc 2013-02-21 09:40:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html