RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1658423 - openldap and concurrency error connecting to ldaps server
Summary: openldap and concurrency error connecting to ldaps server
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openldap
Version: 7.6
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Matus Honek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-12 02:50 UTC by ryan.brothers
Modified: 2019-06-06 15:24 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-06 15:24:09 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description ryan.brothers 2018-12-12 02:50:05 UTC
Description of problem:
I hope you can assist with a problem I'm having with openldap and concurrency.  Please let me know if there's a different place to report this.

I am running CentOS 7 on x86_64, and starting with openldap-2.4.44-13, I am seeing errors when running multiple processes concurrently that connect to a LDAP server over SSL.  It seems there is some sort of race condition with multiple processes trying to write to the cache directory at the same time (such as /tmp/openldap-tlsmc-certs--CC).  I confirmed the problem still occurs with the latest openldap-2.4.44-20.  If I downgrade to openldap-2.4.44-5, I can't get the problem to occur.

When the issue happens, all calls fail with an error "Can't contact LDAP server".  If I try to connect again, I get the same error as the cache seems to be corrupt.

To fix it, I have to manually delete the cache directory in /tmp, re-run one of the processes by itself, and then the other processes can run successfully as the cache is now rebuilt.

Please let me know if I can supply more information to help with this issue.

Version-Release number of selected component (if applicable):
openldap-2.4.44-20

How reproducible:
If I run the below command multiple times concurrently, I can get the problem to reproduce with an error of "Can't contact LDAP server".

Steps to Reproduce:
1. Run the below command in multiple ssh sessions concurrently:

ldapsearch -H "ldaps://server"

Actual results:
"Can't contact LDAP server"

Expected results:
Connection is made to LDAP server

Comment 2 Matus Honek 2018-12-17 14:40:46 UTC
Hello,

thanks for the report. The concurrency handling in this case is only on the level of the process itself. When multiple process try to do the extraction using the same configuration, a collision may occur (which is indeed a bug). We'll look into ways how to fix this bug efficiently.

In the meantime, two workarounds come on my mind:
- Do not use NSS database configuration, use PEM files (OpenSSL style of configuration) for the TLS_* options.
- Before the troublesome calls, do a single dummy (e.g. ldapwhoami) call with the very same configuration. This will create the /tmp/openldap-tlsmc-* directory structure and all the subsequent calls will only read files from there.

Regards.

Comment 4 Matus Honek 2019-06-06 15:24:09 UTC
Hello,

given the support level in this phase of RHEL 7, and given there is a workaround by using PEM files instead of NSS DB, I'm closing this bug as WONTFIX. Should there be sufficient justification for a need to develop a fix, please provide the justification, preferably contacting our customer support.

Thank you for you understanding.


Note You need to log in before you can comment on or make changes to this bug.