Comment 0 for bug 1921562

Vincent Vanlaer (vincenttc) wrote :

When connecting to an LDAP server with TLS, ldap_search_ext can hang if during the initial TLS handshake a signal is received by the process. The cause of this bug is the same as https://bugs.openldap.org/show_bug.cgi?id=8650 which was fixed in https://git.openldap.org/openldap/openldap/-/commit/735e1ab and was released as part of version 2.4.50. This bug affects Ubuntu 20.04 LTS and potentially earlier Ubuntu releases. Later Ubuntu releases use an openldap version that is at least 2.4.50 and are therefore not affected.

In our case this bug caused failures in the SSSD LDAP backend at least once per day, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit:

Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error)
Mar 19 19:05:32 mail sssd_be[867455]: Starting up

A reduced version of the patch linked above can be found attached to this bug report. This patch has been applied to version 2.4.49+dfsg-2ubuntu1.7 and has been running in production for approximately a week, and the issue has not occurred again. No other issues have appeared during this period.

As this bug affects all systems using LDAP with TLS, I suggest that the fix for this bug is ported to Ubuntu 20.04 LTS and potentially earlier versions.
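To help spot the symptom described in the comment above (a pam_sss "System error" immediately followed by an sssd_be restart) across a whole journal, here is an added detection example; it is my own illustration, not code from the bug report, OpenLDAP or SSSD. The two quoted log lines are taken from the comment, the other sample lines are constructed, and the 60-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample journal: the two lines quoted in the bug report, plus
# unrelated noise and a restart with no preceding error, so the correlation
# logic has something to skip.
SAMPLE_LOG = """\
Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error)
Mar 19 19:05:32 mail sssd_be[867455]: Starting up
Mar 19 20:10:00 mail sshd[1]: Accepted publickey for redacted
Mar 19 22:00:01 mail sssd_be[867999]: Starting up
Mar 19 23:30:05 mail auth[868000]: pam_sss(dovecot:auth): received for user redacted: 4 (System error)
"""

# syslog-style line: "<Mon DD HH:MM:SS> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([A-Za-z_]+)\[\d+\]: (.*)$")
RESTART_MSG = "Starting up"


def parse_line(line, year=1970):
    """Return (timestamp, process, message) or None for lines that do not match.
    Syslog lines carry no year, so one is supplied (assumed) to build a datetime."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(4)


def find_sssd_hang_restarts(log_text, window_seconds=60):
    """Return (error_ts, restart_ts) pairs where a pam_sss 'System error' is
    followed within window_seconds by an sssd_be 'Starting up' line.
    A restart with no preceding error, or an error never followed by a
    restart, is not reported."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    pending = None   # timestamp of the most recent unmatched pam_sss error
    pairs = []
    for ts, proc, msg in events:
        if proc == "auth" and "pam_sss(" in msg and "(System error)" in msg:
            pending = ts
        elif proc == "sssd_be" and msg == RESTART_MSG:
            if pending is not None and (ts - pending).total_seconds() <= window_seconds:
                pairs.append((pending, ts))
            pending = None
    return pairs
```

Running `find_sssd_hang_restarts(SAMPLE_LOG)` on the constructed sample reports exactly the one error/restart pair quoted in the comment; the lone restart at 22:00:01 and the trailing error at 23:30:05 are left unpaired.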