475726 – saslauthd: very slow network failure detection

Bug 475726 - saslauthd: very slow network failure detection

Summary: saslauthd: very slow network failure detection

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	cyrus-sasl
Sub Component:
Version:	5.1
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	BaseOS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-12-10 05:54 UTC by Kazuo Ito
Modified:	2009-09-02 10:12 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-09-02 10:12:57 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
patch proposal (1.00 KB, patch) 2008-12-10 05:58 UTC, Kazuo Ito	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2009:1330	0	normal	SHIPPED_LIVE	cyrus-sasl bug fix update	2009-09-01 10:35:49 UTC

Description Kazuo Ito 2008-12-10 05:54:40 UTC

Description of problem:

When saslauthd is configured to have two ldap servers, say ldap1
and ldap2, and network connection to ldap1 is down after link
between saslauthd and ldap1 is established, it takes about 15 minutes
for saslauthd to detect the network down and start connecting to ldap2 --
it responds to all the authentication requests with user unknown
in the meanwhile.

Version-Release number of selected component (if applicable):

cyrus-sasl-2.1.22-4 in RHEL5.2

How reproducible:

Always

Steps to Reproduce:
1. set up two ldap servers, say ldap1 and ldap2
   ldap1       ldap2       auth
     |           |          |
   ==============================
2. configure saslauthd on another server as follows:
ldap_servers: ldap://ldap1 ldap://ldap2
ldap_filter: uid=%u
ldap_search_base: ou=people,dc=example,dc=com
ldap_bind_dn: cn=binduser,dc=example,dc=com
ldap_password: ******
3. start saslauthd with "-a ldap" option
4. authenticate some requests
5. unplug ldap1 from the network
6. authenticate some more requests

Actual results:

Authentication attempts fails with user unknown error
for more than 10 minutes.

Expected results:

saslauthd resumes authenticating requests after
"ldap_timeout" seconds.

Additional info:

We've tracked down the problem to the version of OpenLDAP (2.3.27)
that doesn't do setsockopt(SO_KEEPALIVE) nor does it honor
LDAP_OPT_TIMEOUT option in ldap_result().

OpenLDAP 2.4 has fixed these problems, and the fix for SO_KEEPALIVE has
been there since 2.3.28, just one revision ahead of the one in RHEL5,
but we still need a little bit of help from saslauthd,
i.e. ldap_set_option(LDAP_OPT_TIMEOUT).  A patch proposal is attached.

Comment 1 Kazuo Ito 2008-12-10 05:58:24 UTC

Created attachment 326452 [details]
patch proposal

Comment 6 errata-xmlrpc 2009-09-02 10:12:57 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1330.html

Note You need to log in before you can comment on or make changes to this bug.