Bug 1445188 - Misleading error message - Incoming BER Element was 3 bytes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: x86_64 Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: mreynolds
QA Contact: Viktor Ashirov
Docs Contact: Marc Muehlfeld
Reported: 2017-04-25 04:32 EDT by Amita Sharma
Modified: 2018-05-15 14:35 EDT (History)

Fixed In Version: 389-ds-base-1.3.7.5-10.el7
Doc Type: Bug Fix
Doc Text:
Clear error message when sending TLS data to a non-LDAPS port

Previously, Directory Server decoded TLS protocol handshakes sent to a port that was configured to use plain text as an *LDAPMessage* data type. However, decoding failed and the server reported the misleading "BER was 3 bytes, but actually was <greater>" error. With this update, Directory Server detects if TLS data is sent to a port configured for plain text and returns the following error message to the client: "Incoming BER Element may be misformed. This may indicate an attempt to use TLS on a plaintext port, IE ldaps://localhost:389. Check your client LDAP_URI settings." As a result, the new error message indicates that an incorrect client configuration causes the problem.
Last Closed: 2018-04-10 10:16:50 EDT
Type: Bug
External Trackers:
Red Hat Product Errata RHBA-2018:0811 (last updated 2018-04-10 10:17 EDT)
Description Amita Sharma 2017-04-25 04:32:07 EDT
Description of problem:
Because of a wrong port number used on the command line for ldapmodify, I am getting in the error logs -
[25/Apr/2017:03:03:32.806827033 -0400] - ERR - log_ber_too_big_error - conn=12 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. 

which is misleading

Version-Release number of selected component (if applicable):
389-ds-base-1.3.6.1-9.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure MMR with SSL

2. execute - /usr/lib64/mozldap/ldapmodify -Z -P "/etc/dirsrv/slapd-M1/cert8.db" -W secret12 -p 30100 -h localhost -D "cn=directory manager" -w Secret123 << EOF
dn: uid=new_user4,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: new_user4
sn: new_user4
cn: new_user4
EOF

where 30100 is non-ssl port (wrong port number)

3. you will get the below on the command line -
ldap_simple_bind: Can't contact LDAP server
	SSL error -5938 (Encountered end of file.)

4. And in error messages, it will show -
[25/Apr/2017:03:13:17.830291071 -0400] - ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[25/Apr/2017:03:22:08.700482270 -0400] - ERR - log_ber_too_big_error - conn=22 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.


Actual results:
Error message for a wrong port -

[25/Apr/2017:03:13:17.830291071 -0400] - ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[25/Apr/2017:03:22:08.700482270 -0400] - ERR - log_ber_too_big_error - conn=22 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.


Expected results:
Error message should be helpful in pointing out the mistake.


Additional info:
Comment 2 Amita Sharma 2017-04-25 05:08:18 EDT
Here the error message says "ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase."

Even if you try to change the nsslapd-maxbersize attribute in cn=config to increase, it does not help to resolve the issue and leads to more confusion.
Comment 3 wibrown@redhat.com 2017-09-11 19:49:32 EDT
I've seen this before. It's when you use TLS on a ldap:// port. This could be easy to detect and fix but I seem to remember last I looked at it, it was more annoying than I thought.
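To see why the log line reports a "3 bytes" element, here is an added example (not code from 389-ds-base or from anyone in this bug) that decodes the opening bytes of a connection as a BER tag/length pair, the way a plaintext LDAP listener does. A TLS ClientHello starts with the record header 16 03 01: 0x16 is the handshake content type and 0x03 0x01 is the record-layer version. Read as BER, 0x16 is the tag and 0x03 is the length, which is where the "3 bytes" comes from, and the tag is not 0x30, the SEQUENCE tag every LDAPMessage begins with. Both byte strings below are constructed for the example; the function and constant names are this example's own.

```python
from typing import Tuple

# Constructed sample: the first 16 bytes of a TLS 1.2 ClientHello record.
# Record header 16 03 01 00 a5 = content type handshake, record version 3.1, 165 bytes.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 a5 01 00 00 a1 03 03 5e 1f 3a 7c 9d")

# Constructed sample: a complete anonymous LDAP BindRequest (messageID 1, version 3),
# the kind of LDAPMessage a plaintext listener expects to see first.
LDAP_BIND_REQUEST = bytes.fromhex("30 0c 02 01 01 60 07 02 01 03 04 00 80 00")

LDAP_TAG_MESSAGE = 0x30   # LDAPMessage ::= SEQUENCE { ... }
TLS_CT_HANDSHAKE = 0x16   # TLS record ContentType handshake(22)


def ber_header(data: bytes) -> Tuple[int, int, int]:
    """Decode the leading BER tag and length; return (tag, length, header_size).

    Handles single-byte tags with short-form and long-form definite lengths,
    which covers every LDAPMessage envelope and the bytes of interest here.
    """
    if len(data) < 2:
        raise ValueError("need at least a tag and a length byte")
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: one length byte
        return tag, first, 2
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(data) < 2 + n:
        raise ValueError("indefinite or truncated length")
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def classify_first_element(data: bytes) -> str:
    """Say what the first 'BER element' on a connection really is."""
    tag, length, _ = ber_header(data)
    if tag == LDAP_TAG_MESSAGE:
        return f"LDAPMessage SEQUENCE with {length} bytes of content"
    # A TLS record header is content type 0x16 followed by a 2-byte version
    # whose major byte is 0x03 for SSL 3.0 / TLS 1.x. Read as BER, that 0x03
    # becomes the element length: the "3 bytes" in the server's log line.
    if tag == TLS_CT_HANDSHAKE and length == 0x03 and len(data) >= 3:
        version = f"0x03{data[2]:02x}"
        return (f"not LDAP: tag 0x{tag:02x}, length {length}; this is a TLS handshake "
                f"record header (version {version}), i.e. TLS sent to a plaintext ldap:// port")
    return f"not LDAP: unexpected tag 0x{tag:02x}, length {length}"


if __name__ == "__main__":
    for label, sample in (("bind request", LDAP_BIND_REQUEST),
                          ("TLS ClientHello", TLS_CLIENT_HELLO_PREFIX)):
        print(f"{label}: {classify_first_element(sample)}")
```

Running it classifies each sample. The same check applied to the first bytes of a capture on the plaintext port (for example from tcpdump -X) tells an operator whether a client is speaking TLS to the wrong listener, which is the misconfiguration the updated server message now names instead of pointing at nsslapd-maxbersize.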
Comment 4 wibrown@redhat.com 2017-09-11 19:53:54 EDT
Upstream ticket:
https://pagure.io/389-ds-base/issue/49377
Comment 9 Amita Sharma 2017-11-21 05:47:43 EST
After discussion on IRC it is clear that we can still get both of these error messages in some cases. Hence marking bug as verified. Thanks @wibrown
Comment 10 wibrown@redhat.com 2017-12-05 04:43:29 EST
You're welcome Amita!
Comment 17 errata-xmlrpc 2018-04-10 10:16:50 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811
