Bug 877354 - ldap_connection_expire_timeout doesn't expire ldap connections
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 881827
Reported: 2012-11-16 10:40 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:06 UTC (History)

Fixed In Version: sssd-1.9.2-21.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:40:29 UTC
Target Upstream Version:



Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 2691 None None None 2020-05-02 17:06:21 UTC
Red Hat Product Errata RHSA-2013:0508 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Kaushik Banerjee 2012-11-16 10:40:33 UTC
Description of problem:
ldap_connection_expire_timeout doesn't expire ldap connections

Version-Release number of selected component (if applicable):
1.9.2-13

How reproducible:
Always

Steps to Reproduce:
1. domain section in sssd.conf

[domain/LDAP]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://cobra.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
ldap_connection_expire_timeout = 100

2. # getent passwd puser1;netstat -antp | grep 389;sleep 105;netstat -antp | grep 389
puser1:*:2001:2001:Posix User1:/home/puser1:
tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be        
tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be

Actual results:
Connection doesn't expire after "ldap_connection_expire_timeout" is over.

Expected results:
Connection should expire

Additional info:

Comment 3 Jakub Hrozek 2012-11-17 19:32:27 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1649

Comment 4 Jakub Hrozek 2012-11-17 19:56:15 UTC
FWIW, this regressed only when using a non-authenticated connection. Authenticated connections including GSSAPI still timed out fine.

It's still a regression, though. A patch is on the upstream list.

Comment 6 Kaushik Banerjee 2012-11-22 07:53:26 UTC
Verified in version 1.9.2-21

Output of beaker automation run:
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ldap_connection_timeout_001 Single Domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [16:58:17] ::  Sleeping for 5 seconds
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Option ldap_connection_expire_timeout has value 100'
puser1:*:1001:1001:Posix User1:/home/puser1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd puser1'
:: [16:58:23] ::  Sleeping for 110 seconds
user_srv1:*:1002:1002:User Srv1:/home/user_srv1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd user_srv1'
:: [   PASS   ] :: Connection was expired after 100 secs and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'connection is about to expire, releasing it'
spawn ssh -o StrictHostKeyChecking=no root@dell-pe1950-05.rhts.eng.brq.redhat.com /etc/init.d/dirsrv stop instance1
root@dell-pe1950-05.rhts.eng.brq.redhat.com's password: 
Shutting down dirsrv: 
    instance1...[  OK  ]

user_srv2:*:1999:1999:User SRV2:/home/user_srv2:
:: [   PASS   ] :: Running 'getent passwd user_srv2'
:: [17:01:20] ::  Sleeping for 105 seconds

MARK-LWD-LOOP -- 2012-11-21 17:02:24 --
tcp        0      0 10.34.54.35:52129           10.34.42.26:2389            ESTABLISHED 16081/sssd_be       
Group_srv2:*:1999:
:: [   PASS   ] :: Running 'getent group Group_srv2'
:: [   PASS   ] :: Connection was expired after 100 secs and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'connection is about to expire, releasing it'
spawn ssh -o StrictHostKeyChecking=no root@dell-pe1950-05.rhts.eng.brq.redhat.com /etc/init.d/dirsrv start instance1
root@dell-pe1950-05.rhts.eng.brq.redhat.com's password: 
Starting dirsrv: 
    instance1...[  OK  ]

'058e30c3-61bb-4574-8da5-568d03fb819c'
ldap-connection-timeout-001-Single-Domain result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ldap_connection_timeout_002 MultiDomain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [17:03:11] ::  Sleeping for 5 seconds
puser1:*:1001:1001:Posix User1:/home/puser1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd puser1'
:: [17:03:16] ::  Sleeping for 105 seconds
user_srv1:*:1002:1002:User Srv1:/home/user_srv1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd user_srv1'
:: [   PASS   ] :: Connection expired after 100 seconds for DOMAIN1 and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_DOMAIN1.log' should contain 'connection is about to expire, releasing it'
user_srv2:*:1999:1999:User SRV2:/home/user_srv2:
:: [   PASS   ] :: Running 'getent passwd user_srv2'
:: [17:05:02] ::  Sleeping for 205 seconds

MARK-LWD-LOOP -- 2012-11-21 17:07:24 --
Group_srv2:*:1999:
:: [   PASS   ] :: Running 'getent group Group_srv2'
:: [   PASS   ] :: Connection expired after 200 seconds for DOMAIN2 and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_DOMAIN2.log' should contain 'connection is about to expire, releasing it'
'db2b8114-b28c-4240-8fde-f5618bd9895d'
ldap-connection-timeout-002-MultiDomain result: PASS
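
The reproduction steps in the description and the "Connection was expired ... and new connection established" checks in the run above both come down to comparing the sssd_be socket before and after the timeout. The following is an added example, not part of the original report, the beaker test or sssd itself: it classifies two `netstat -antp` snapshots by whether the same socket survived. The function names `ldap_conns` and `conn_state` are hypothetical, and the second snapshot's local port is constructed.

```shell
#!/bin/sh
# Added example: compare two `netstat -antp` snapshots to see whether sssd_be
# still holds the same LDAP socket after ldap_connection_expire_timeout.

# Print "local->remote" for each ESTABLISHED sssd_be socket whose remote
# port equals $1, reading netstat output from stdin.
ldap_conns() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ /\/sssd_be$/ {
            n = split($5, r, ":")          # last field is the port (IPv4/IPv6)
            if (r[n] == port) print $4 "->" $5
        }' | sort -u
}

# conn_state BEFORE AFTER PORT
#   none    - BEFORE had no sssd_be connection to PORT
#   closed  - AFTER has no connection at all
#   stale   - a socket from BEFORE is still present in AFTER (not expired)
#   renewed - AFTER contains only sockets that were not in BEFORE
conn_state() {
    before=$(printf '%s\n' "$1" | ldap_conns "$3")
    after=$(printf '%s\n' "$2" | ldap_conns "$3")
    [ -n "$before" ] || { echo none; return; }
    [ -n "$after" ] || { echo closed; return; }
    for c in $before; do
        if printf '%s\n' "$after" | grep -qxF -- "$c"; then
            echo stale
            return
        fi
    done
    echo renewed
}

# Constructed snapshots modelled on the netstat lines in the description.
BEFORE='tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be'
AFTER_SAME="$BEFORE"   # same local port after the sleep, as in the report
# Constructed: a different local port, i.e. a new connection was opened.
AFTER_NEW='tcp        0      0 10.65.201.200:40931         10.65.206.93:389            ESTABLISHED 7163/sssd_be'

echo "same socket after timeout: $(conn_state "$BEFORE" "$AFTER_SAME" 389)"
echo "new socket after timeout:  $(conn_state "$BEFORE" "$AFTER_NEW" 389)"
```

On a live system the first two arguments would be the output of `netstat -antp` captured before and after sleeping past the configured timeout.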

Comment 7 errata-xmlrpc 2013-02-21 09:40:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

