Long delays enumerating users

Bug #66741 reported by Marco Gaiarin

This bug report was converted into a question: question #55201: Long delays enumerating users.

Affects: libnss-ldap (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned

Bug Description

Binary package hint: libnss-ldap

I've set up an Ubuntu Dapper client to get accounts and groups from an LDAP server via an ldaps:// URI (so, using SSL), but I've got strange delays.

It seems that a simple `getent passwd' starts to `enumerate' all certificate files and spends some time and CPU power on them.

Note that:

1) the behaviour is the same with or without nscd running
2) the behaviour is the same with CA_CACERTDIR or CA_CACERT in /etc/ldap/ldap.conf, or with tls_cacertdir or tls_cacertfile in /etc/libnss-ldap.conf
3) the servers are Debian Sarge, and I access the (two) LDAP servers with:
uri ldaps://ldap.sv.lnf.it/ ldaps://ldap2.sv.lnf.it/
and clearly commenting out the host statement.
4) I've removed all the certificates apart from the one used for my LDAP server and the speedup is visible; I still have half a dozen certificates here, and there's still a little delay.
5) if I try a direct query with ldapsearch, there's no delay at all.

Please, help me. ;)

Mike Dahlgren (dahlgren) wrote :

Hi there,
Since this bug report is almost two years old, I was wondering if this is still an issue or if it can be reproduced?
Thanks,
~Mike

Marco Gaiarin (marcogaio) wrote :

Still an issue (Ubuntu Hardy just upgraded), but in a different way.

Effectively there's no more delay 'enumerating' certificates, but there are still some troubles, or at least things that I cannot explain. For example:

1) the only way to have libnss-ldap/libpam-ldap use the correct certificate is to put it as 'TLS_CACERT /etc/ssl/certs/LNFFVG.pem' in /etc/ldap/ldap.conf (the libldap 'global' config file); if I put 'tls_cacertfile /etc/ssl/certs/LNFFVG.pem' in /etc/ldap.conf, it is completely ignored.

2) it seems that now setting TLS_CACERTDIR (for /etc/ldap/ldap.conf) or tls_cacertdir (for /etc/ldap.conf) does nothing, i.e. you have to select the certificate explicitly to make it work.

Clearly my CA certificates are in place, correctly 'hashed' with c_rehash.

The second problem seems a general libldap bug or misunderstanding, because if I comment out TLS_CACERT in /etc/ldap/ldap.conf, even simple tools like ldapsearch stop working. Boh.

Mathias Gug (mathiaz) wrote : Re: [Bug 66741] Re: Long delays enumerating users

On Fri, Sep 05, 2008 at 02:27:16PM -0000, Marco Gaiarin wrote:
> 2) it seems that now setting TLS_CACERTDIR (for /etc/ldap/ldap.conf) or
> tls_cacertdir (for /etc/ldap.conf) does nothing, i.e. you have to select
> the certificate explicitly to make it work.

OpenLDAP 2.4 is compiled against GnuTLS, which doesn't support
TLS_CACERTDIR.

See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/242313.

> Clearly my CA certificates are in place, correctly 'hashed' with
> c_rehash.
>
> The second problem seems a general libldap bug or misunderstanding,
> because if I comment out TLS_CACERT in /etc/ldap/ldap.conf, even simple
> tools like ldapsearch stop working. Boh.
>

Make sure that you're not using self-signed certificates on the clients.

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Marco Gaiarin (marcogaio) wrote :

Hello, Mathias Gug!
  On that day you wrote...

> OpenLDAP 2.4 is compiled against GnuTLS, which doesn't support
> TLS_CACERTDIR.
> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/242313.

Uh, oh... this clearly solves this bug, because if TLS_CACERTDIR does
not work anymore, clearly there are no certificates to 'enumerate'...
;-)))

Issue 1 remains: why do I have to set the 'global' /etc/ldap/ldap.conf
CA certificate via TLS_CACERTDIR, when the 'local' /etc/ldap.conf
CA certificate via tls_cacertfile does not work?

Tell me if I have to open a new bug; I've searched for 'tls_cacertfile' on
Launchpad but it seems there's no reference... no, wait a moment:

 https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/241128

it seems I have to use tls_checkpeer=yes, I'll do some tests. ;)

> Make sure that you're not using self-signed certificates on the clients.

No, I use a local CA built with TinyCA.

--
Marco ``Gaio'' Gaiarin | LUG Pordenone (http://www.pordenone.linux.it)
P.zza S. Tommaso, 20 | Lilliput BBS (http://bbs.lilliput.linux.it)
Cimpello di Fiume Veneto | Azione Cattolica - Concordia-Pordenone
33080 Pordenone (Italia) | (http://www.ac.concordia-pordenone.it)
Tel. +39-0434-56-1305 | http://www.gaiarin.it/ <email address hidden>

Marco Gaiarin (marcogaio) wrote :

> Tell me if I have to open a new bug; I've searched for 'tls_cacertfile' on
> Launchpad but it seems there's no reference... no, wait a moment:

> https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/241128

> it seems I have to use tls_checkpeer=yes, I'll do some tests. ;)

No, whatever I set tls_checkpeer to in /etc/ldap.conf, I *have* to set
TLS_CACERT in /etc/ldap/ldap.conf to make it work.

Tell me if I can do something more to debug this...
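A small audit script, added here and not part of the bug thread, for the two settings the thread settles on: libldap needs an explicit TLS_CACERT in /etc/ldap/ldap.conf (a GnuTLS-linked build ignores TLS_CACERTDIR, bug 242313), and libnss-ldap/libpam-ldap needs tls_checkpeer yes in /etc/ldap.conf (the setting bug 241128 points at). The file paths are the thread's; the sample file contents and the helper names conf_get and check_ldap_tls are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread: audit the OpenLDAP client TLS settings
# discussed above. Assumes the thread's file layout: /etc/ldap/ldap.conf (libldap,
# keys such as TLS_CACERT) and /etc/ldap.conf (libnss-ldap/libpam-ldap, keys such
# as tls_checkpeer). Returns 0 only when libldap points at a readable PEM CA file
# and the NSS/PAM side explicitly requires peer verification.

# Print the last value of a case-insensitive key from a config file ("" if absent).
conf_get() { awk -v k="$2" 'tolower($1)==k {v=$2} END {print v}' "$1" 2>/dev/null; }

check_ldap_tls() {
    ldap_conf="${1:-/etc/ldap/ldap.conf}"
    nss_conf="${2:-/etc/ldap.conf}"
    rc=0
    cacert=$(conf_get "$ldap_conf" tls_cacert)
    cacertdir=$(conf_get "$ldap_conf" tls_cacertdir)
    checkpeer=$(conf_get "$nss_conf" tls_checkpeer | tr 'A-Z' 'a-z')

    if [ -z "$cacert" ] && [ -n "$cacertdir" ]; then
        # Bug 242313: a GnuTLS-linked libldap ignores TLS_CACERTDIR, so this
        # configuration verifies nothing even though the hashed dir looks right.
        echo "FAIL: $ldap_conf sets only TLS_CACERTDIR, which GnuTLS builds ignore"; rc=1
    elif [ -z "$cacert" ]; then
        echo "FAIL: $ldap_conf has no TLS_CACERT; server certificates cannot be verified"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "FAIL: TLS_CACERT $cacert is missing or unreadable"; rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert"; then
        echo "FAIL: TLS_CACERT $cacert is not a PEM certificate file"; rc=1
    else
        echo "OK: libldap CA file $cacert"
    fi
    if [ "$checkpeer" = yes ]; then
        echo "OK: $nss_conf requires peer verification"
    else
        echo "FAIL: $nss_conf does not set tls_checkpeer yes (the setting bug 241128 points at)"; rc=1
    fi
    return $rc
}

# Demo on constructed sample files (contents made up for this example).
d=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nconstructedbody\n-----END CERTIFICATE-----\n' > "$d/LNFFVG.pem"
printf 'TLS_CACERT %s\n' "$d/LNFFVG.pem" > "$d/ldap.conf.good"
printf 'TLS_CACERTDIR /etc/ssl/certs\n' > "$d/ldap.conf.dironly"
printf 'uri ldaps://ldap.example.test/\ntls_checkpeer yes\n' > "$d/ldap.conf.nss"
check_ldap_tls "$d/ldap.conf.good" "$d/ldap.conf.nss"      # passes
check_ldap_tls "$d/ldap.conf.dironly" "$d/ldap.conf.nss"   # reports the TLS_CACERTDIR-only case
rm -rf "$d"
```

Run it with the two real paths (or no arguments for the defaults) on a client; a FAIL on the libldap side means the ldaps:// connection is being made without a usable trust anchor, which is the condition the thread ran into.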

Gaetan Nadon (memsize) wrote :

Thank you for taking the time to report this issue and helping to make Ubuntu better. Examining the information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We appreciate the difficulties you are facing, but it would make more sense to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs .

BugSquad

Changed in libnss-ldap:
status: New → Invalid