Bug 877354 - ldap_connection_expire_timeout doesn't expire ldap connections
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Severity: unspecified
Target Milestone: rc
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Keywords: Regression
Blocks: 881827
Reported: 2012-11-16 05:40 EST by Kaushik Banerjee
Modified: 2013-02-21 04:40 EST
Fixed In Version: sssd-1.9.2-21.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Last Closed: 2013-02-21 04:40:29 EST
Type: Bug
Description Kaushik Banerjee 2012-11-16 05:40:33 EST
Description of problem:
ldap_connection_expire_timeout doesn't expire ldap connections

Version-Release number of selected component (if applicable):
1.9.2-13

How reproducible:
Always

Steps to Reproduce:
1. domain section in sssd.conf

[domain/LDAP]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://cobra.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
ldap_connection_expire_timeout = 100

2. # getent passwd puser1;netstat -antp | grep 389;sleep 105;netstat -antp | grep 389
puser1:*:2001:2001:Posix User1:/home/puser1:
tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be        
tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be

Actual results:
Connection doesn't expire after "ldap_connection_expire_timeout" is over.

Expected results:
Connection should expire

Additional info:
Comment 3 Jakub Hrozek 2012-11-17 14:32:27 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1649
Comment 4 Jakub Hrozek 2012-11-17 14:56:15 EST
FWIW, this regressed only when using a non-authenticated connection. Authenticated connections including GSSAPI still timed out fine.

It's still a regression, though. A patch is on the upstream list.
Comment 6 Kaushik Banerjee 2012-11-22 02:53:26 EST
Verified in version 1.9.2-21

Output of beaker automation run:
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ldap_connection_timeout_001 Single Domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [16:58:17] ::  Sleeping for 5 seconds
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Option ldap_connection_expire_timeout has value 100'
puser1:*:1001:1001:Posix User1:/home/puser1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd puser1'
:: [16:58:23] ::  Sleeping for 110 seconds
user_srv1:*:1002:1002:User Srv1:/home/user_srv1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd user_srv1'
:: [   PASS   ] :: Connection was expired after 100 secs and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'connection is about to expire, releasing it'
spawn ssh -o StrictHostKeyChecking=no root@dell-pe1950-05.rhts.eng.brq.redhat.com /etc/init.d/dirsrv stop instance1
root@dell-pe1950-05.rhts.eng.brq.redhat.com's password: 
Shutting down dirsrv: 
    instance1...[  OK  ]

user_srv2:*:1999:1999:User SRV2:/home/user_srv2:
:: [   PASS   ] :: Running 'getent passwd user_srv2'
:: [17:01:20] ::  Sleeping for 105 seconds

MARK-LWD-LOOP -- 2012-11-21 17:02:24 --
tcp        0      0 10.34.54.35:52129           10.34.42.26:2389            ESTABLISHED 16081/sssd_be       
Group_srv2:*:1999:
:: [   PASS   ] :: Running 'getent group Group_srv2'
:: [   PASS   ] :: Connection was expired after 100 secs and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'connection is about to expire, releasing it'
spawn ssh -o StrictHostKeyChecking=no root@dell-pe1950-05.rhts.eng.brq.redhat.com /etc/init.d/dirsrv start instance1
root@dell-pe1950-05.rhts.eng.brq.redhat.com's password: 
Starting dirsrv: 
    instance1...[  OK  ]

'058e30c3-61bb-4574-8da5-568d03fb819c'
ldap-connection-timeout-001-Single-Domain result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ldap_connection_timeout_002 MultiDomain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [17:03:11] ::  Sleeping for 5 seconds
puser1:*:1001:1001:Posix User1:/home/puser1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd puser1'
:: [17:03:16] ::  Sleeping for 105 seconds
user_srv1:*:1002:1002:User Srv1:/home/user_srv1:/bin/bash
:: [   PASS   ] :: Running 'getent passwd user_srv1'
:: [   PASS   ] :: Connection expired after 100 seconds for DOMAIN1 and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_DOMAIN1.log' should contain 'connection is about to expire, releasing it'
user_srv2:*:1999:1999:User SRV2:/home/user_srv2:
:: [   PASS   ] :: Running 'getent passwd user_srv2'
:: [17:05:02] ::  Sleeping for 205 seconds

MARK-LWD-LOOP -- 2012-11-21 17:07:24 --
Group_srv2:*:1999:
:: [   PASS   ] :: Running 'getent group Group_srv2'
:: [   PASS   ] :: Connection expired after 200 seconds for DOMAIN2 and new connection established after that
:: [   PASS   ] :: File '/var/log/sssd/sssd_DOMAIN2.log' should contain 'connection is about to expire, releasing it'
'db2b8114-b28c-4240-8fde-f5618bd9895d'
ldap-connection-timeout-002-MultiDomain result: PASS
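
The before/after socket comparison from step 2 of the report, and the "Connection was expired ... and new connection established" check in the run above, written out as an added example (not part of the original report and not the sssd test suite's code). The function names are hypothetical, and the AFTER_FIXED sample line is constructed; the other sample line is the netstat output quoted in the report.

```sh
#!/bin/sh
# Added example (not from the bug report). Sample data: BEFORE/AFTER_REGRESSED
# reuse the netstat line quoted in the report; AFTER_FIXED is constructed.
BEFORE='tcp        0      0 10.65.201.200:40926         10.65.206.93:389            ESTABLISHED 7163/sssd_be'
AFTER_REGRESSED="$BEFORE"
AFTER_FIXED='tcp        0      0 10.65.201.200:40931         10.65.206.93:389            ESTABLISHED 7163/sssd_be'

# ldap_conns SNAPSHOT [PORT]: print "local remote pid/prog" for every
# ESTABLISHED sssd_be socket whose remote port is PORT (default 389).
ldap_conns() {
    printf '%s\n' "$1" | awk -v port="${2:-389}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ /\/sssd_be$/ {
            n = split($5, remote, ":")
            if (remote[n] == port) print $4, $5, $7
        }' | sort -u
}

# surviving_conns BEFORE AFTER [PORT]: print the sockets present in both
# snapshots. Returns 0 when none survived (connection expired), 1 otherwise.
surviving_conns() {
    sc_before=$(ldap_conns "$1" "$3")
    sc_after=$(ldap_conns "$2" "$3")
    # An empty side means nothing can have survived; it also keeps grep from
    # being handed an empty pattern list.
    if [ -z "$sc_before" ] || [ -z "$sc_after" ]; then
        return 0
    fi
    sc_stale=$(printf '%s\n' "$sc_after" | grep -F -x -e "$sc_before") || return 0
    printf '%s\n' "$sc_stale"
    return 1
}

# Live use on a client, following the report's step 2 with a 100 s timeout:
#   b=$(netstat -antp); sleep 105; a=$(netstat -antp); surviving_conns "$b" "$a" 389
for sample in "$AFTER_REGRESSED" "$AFTER_FIXED"; do
    if surviving_conns "$BEFORE" "$sample" 389 >/dev/null; then
        echo "connection expired and was replaced"
    else
        echo "connection outlived ldap_connection_expire_timeout"
    fi
done
```

A matching local address, port and PID in both snapshots is the symptom shown in the report; the domain log line 'connection is about to expire, releasing it' checked in the run above confirms the expiry from the sssd side.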
Comment 7 errata-xmlrpc 2013-02-21 04:40:29 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
