| 2021-03-27 01:06:42 |
Vincent Vanlaer |
bug |
|
|
added bug |
| 2021-03-27 01:06:42 |
Vincent Vanlaer |
attachment added |
|
retry-tls-connect-on-eintr-eagain.patch https://bugs.launchpad.net/bugs/1921562/+attachment/5481337/+files/retry-tls-connect-on-eintr-eagain.patch |
|
| 2021-03-27 01:07:51 |
Launchpad Janitor |
openldap (Ubuntu): status |
New |
Confirmed |
|
| 2021-03-27 01:07:57 |
Bert Van de Poel |
bug |
|
|
added subscriber Bert Van de Poel |
| 2021-03-27 01:09:58 |
Bert Van de Poel |
bug watch added |
|
https://bugs.openldap.org/show_bug.cgi?id=8650 |
|
| 2021-03-27 01:09:58 |
Bert Van de Poel |
bug task added |
|
openldap |
|
| 2021-03-27 01:10:43 |
Vincent Vanlaer |
description |
When connecting to an LDAP server with TLS, ldap_search_ext can hang if during the initial TLS handshake a signal is received by the process. The cause of this bug is the same as https://bugs.openldap.org/show_bug.cgi?id=8650 which was fixed in https://git.openldap.org/openldap/openldap/-/commit/735e1ab and was released as part of version 2.4.50. This bug effects Ubuntu 20.04 LTS and potentially earlier Ubuntu releases. Later Ubuntu releases use an openldap version that is at least 2.4.50 and are therefore not affected.
In our case this bug cause failures in the SSSD LDAP backend at least once per day, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit:
Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error)
Mar 19 19:05:32 mail sssd_be[867455]: Starting up
A reduced version of the patch linked above can be found attached to this bug report. This patch has been applied to version 2.4.49+dfsg-2ubuntu1.7 and has been running in production for approximately a week and the issue has no longer occurred. No other issues have appeared during this period.
As this bug affects al systems using LDAP with TLS , I suggest that the fix for this bug is ported to Ubuntu 20.04 LTS and potentially earlier versions. |
When connecting to an LDAP server with TLS, ldap_search_ext can hang if during the initial TLS handshake a signal is received by the process. The cause of this bug is the same as https://bugs.openldap.org/show_bug.cgi?id=8650 which was fixed in https://git.openldap.org/openldap/openldap/-/commit/735e1ab and was released as part of version 2.4.50. This bug effects Ubuntu 20.04 LTS and potentially earlier Ubuntu releases. Later Ubuntu releases use an openldap version that is at least 2.4.50 and are therefore not affected.
In our case this bug cause failures in the SSSD LDAP backend at least once per day, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit:
Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error)
Mar 19 19:05:32 mail sssd_be[867455]: Starting up
A reduced version of the patch linked above can be found attached to this bug report. This patch has been applied to version 2.4.49+dfsg-2ubuntu1.7 and has been running in production for approximately a week and the issue has no longer occurred. No other issues have appeared during this period.
As this bug affects all systems using LDAP with TLS, I suggest that the fix for this bug is ported to Ubuntu 20.04 LTS and potentially earlier versions. |
|
| 2021-03-27 01:23:29 |
Bug Watch Updater |
openldap: status |
Unknown |
Fix Released |
|
| 2021-03-27 01:23:29 |
Bug Watch Updater |
openldap: importance |
Unknown |
Medium |
|
| 2021-03-27 01:23:34 |
Bug Watch Updater |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861838 |
|
| 2021-03-27 04:27:20 |
Ubuntu Foundations Team Bug Bot |
tags |
focal |
focal patch |
|
| 2021-03-27 04:27:30 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
| 2021-04-05 14:32:30 |
Utkarsh Gupta |
nominated for series |
|
Ubuntu Focal |
|
| 2021-04-05 14:32:30 |
Utkarsh Gupta |
bug task added |
|
openldap (Ubuntu Focal) |
|
| 2021-04-05 14:32:40 |
Utkarsh Gupta |
openldap (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2021-04-05 14:32:45 |
Utkarsh Gupta |
openldap (Ubuntu Focal): status |
New |
Triaged |
|
| 2021-04-05 14:33:06 |
Utkarsh Gupta |
tags |
focal patch |
bitesize focal patch server-next |
|
| 2021-04-08 04:32:47 |
Utkarsh Gupta |
openldap (Ubuntu Focal): assignee |
|
Utkarsh Gupta (utkarsh) |
|
| 2021-04-08 04:32:50 |
Utkarsh Gupta |
openldap (Ubuntu Focal): status |
Triaged |
In Progress |
|
| 2021-04-08 04:35:14 |
Utkarsh Gupta |
bug |
|
|
added subscriber Utkarsh Gupta |
| 2021-04-08 05:15:19 |
Utkarsh Gupta |
description |
When connecting to an LDAP server with TLS, ldap_search_ext can hang if during the initial TLS handshake a signal is received by the process. The cause of this bug is the same as https://bugs.openldap.org/show_bug.cgi?id=8650 which was fixed in https://git.openldap.org/openldap/openldap/-/commit/735e1ab and was released as part of version 2.4.50. This bug effects Ubuntu 20.04 LTS and potentially earlier Ubuntu releases. Later Ubuntu releases use an openldap version that is at least 2.4.50 and are therefore not affected.
In our case this bug cause failures in the SSSD LDAP backend at least once per day, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit:
Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error)
Mar 19 19:05:32 mail sssd_be[867455]: Starting up
A reduced version of the patch linked above can be found attached to this bug report. This patch has been applied to version 2.4.49+dfsg-2ubuntu1.7 and has been running in production for approximately a week and the issue has no longer occurred. No other issues have appeared during this period.
As this bug affects all systems using LDAP with TLS, I suggest that the fix for this bug is ported to Ubuntu 20.04 LTS and potentially earlier versions. |
[Impact]
========
When connecting to an LDAP server with TLS, ldap_search_ext can hang if during the initial TLS handshake a signal is received by the process. The cause of this bug is the same as https://bugs.openldap.org/show_bug.cgi?id=8650.
In our case this bug cause failures in the SSSD LDAP backend at least once per day, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit.
[Test Plan]
===========
When using openldap on 20.04, this bug causes failures in the SSSD LDAP backend, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit:
Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error)
Mar 19 19:05:32 mail sssd_be[867455]: Starting up
With the patched version, this should no longer be a problem.
[Where Problems Could Occur]
============================
With this patch applied, there may be few edge cases in (and varying b/w) different versions of GnuTLS. And also some bits that are discussed in https://bugs.openldap.org/show_bug.cgi?id=8650.
But that said, the patched version is already being run in production for over two weeks time (at the time of writing - 07/04/21). So I believe the SRU will clearly benefit from this and has lower risk of regression.
[More Info]
===========
A reduced version of the patch linked above can be found attached to this bug report. This patch has been applied to version 2.4.49+dfsg-2ubuntu1.7 and has been running in production for approximately a week and the issue has no longer occurred. No other issues have appeared during this period. |
|
| 2021-04-08 05:27:48 |
Utkarsh Gupta |
merge proposal linked |
|
https://code.launchpad.net/~utkarsh/ubuntu/+source/openldap/+git/openldap/+merge/400754 |
|
| 2021-04-08 05:38:14 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Groovy |
|
| 2021-04-08 05:38:14 |
Christian Ehrhardt |
bug task added |
|
openldap (Ubuntu Groovy) |
|
| 2021-04-08 05:38:20 |
Christian Ehrhardt |
openldap (Ubuntu Groovy): status |
New |
Fix Released |
|
| 2021-04-14 23:26:14 |
Robie Basak |
openldap (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-04-14 23:26:16 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-04-14 23:26:17 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
| 2021-04-14 23:26:22 |
Robie Basak |
tags |
bitesize focal patch server-next |
bitesize focal patch server-next verification-needed verification-needed-focal |
|
| 2021-04-24 23:38:09 |
Vincent Vanlaer |
tags |
bitesize focal patch server-next verification-needed verification-needed-focal |
bitesize focal patch server-next verification-done-focal verification-needed |
|
| 2021-04-25 08:28:29 |
Utkarsh Gupta |
tags |
bitesize focal patch server-next verification-done-focal verification-needed |
bitesize focal patch server-next verification-done verification-done-focal |
|
| 2021-04-26 15:53:27 |
Launchpad Janitor |
openldap (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-04-26 15:53:32 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
