Long delays enumerating users

Asked by Marco Gaiarin

Binary package hint: libnss-ldap

I've set up an Ubuntu Dapper client to get accounts and groups from an LDAP server via an ldaps:// URI (so, using SSL), but I've got strange delays.

It seems that a simple ``getent passwd'' starts to `enumerate' all certificate files and spends some time and CPU power on them.

Note that:

1) the behaviour is the same with or without nscd running
2) the behaviour is the same with CA_CACERTDIR or CA_CACERT in /etc/ldap/ldap.conf, or tls_cacertdir or tls_cacertfile in /etc/libnss-ldap.conf
3) the servers are Debian sarge, and I access the (two) LDAP servers with:
uri ldaps://ldap.sv.lnf.it/ ldaps://ldap2.sv.lnf.it/
and clearly commenting out the host statement.
4) I've removed all the certificates apart from the one used for my LDAP server and the speedup is visible; I still have half a dozen certificates here, and there's still a little delay.
5) if I try a direct query with ldapsearch, there's no delay at all.

Please, help me. ;)

Question information

Language: English
Status: Expired
For: Ubuntu libnss-ldap
Assignee: No assignee

This question was originally filed as bug #66741.

Mike Dahlgren (dahlgren) said :
#1

Hi there,
Since this bug report is almost two years old, I was wondering if this is still an issue or if it can be reproduced?
Thanks,
~Mike

Marco Gaiarin (marcogaio) said :
#2

Still an issue (Ubuntu hardy just upgraded), but in a different way.

Effectively there's no more delay 'enumerating' certificates, but there are still some troubles, or at least things that I cannot explain. For example:

1) the only way to have libnss-ldap/libpam-ldap use the correct certificate is to put it as 'TLS_CACERT /etc/ssl/certs/LNFFVG.pem' in /etc/ldap/ldap.conf (the libldap 'global' config file); if I put 'tls_cacertfile /etc/ssl/certs/LNFFVG.pem' in /etc/ldap.conf, it is completely ignored.

2) it seems that now setting TLS_CACERTDIR (for /etc/ldap/ldap.conf) or tls_cacertdir (for /etc/ldap.conf) does nothing, e.g. you have to select the certificate explicitly to make it work.

Clearly my CA certificates are in place, correctly 'hashed' with c_rehash.

The second problem seems a general libldap bug or misunderstanding, because if I comment out TLS_CACERT in /etc/ldap/ldap.conf even simple tools like ldapsearch stop working. No idea.

Mathias Gug (mathiaz) said :
#3

On Fri, Sep 05, 2008 at 02:27:16PM -0000, Marco Gaiarin wrote:
> 2) it seems that now setting TLS_CACERTDIR (for /etc/ldap/ldap.conf) or
> tls_cacertdir (for /etc/ldap.conf) does nothing, e.g. you have to select
> the certificate explicitly to make it work.

Openldap 2.4 is compiled against gnutls which doesn't support
TLS_CACERTDIR.

See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/242313.

> Clearly my CA certificates are in place, correctly 'hashed' with
> c_rehash.
>
> The second problem seems a general libldap bug or misunderstanding,
> because if I comment out TLS_CACERT in /etc/ldap/ldap.conf even simple
> tools like ldapsearch stop working. No idea.
>

Make sure that you're not using self-signed certificates on the clients.

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Marco Gaiarin (marcogaio) said :
#4

Hello! Mathias Gug
  On that day you wrote...

> Openldap 2.4 is compiled against gnutls which doesn't support
> TLS_CACERTDIR.
> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/242313.

Uh, oh... this clearly solves this bug, because if TLS_CACERTDIR does
not work anymore, clearly there are no certificates to 'enumerate'...
;-)))

Issue 1 remains: why do I have to set the 'global' /etc/ldap/ldap.conf
CA certificate via TLS_CACERTDIR, because the 'local' /etc/ldap.conf
CA certificate via tls_cacertfile does not work?

Tell me if I have to open a new bug; I've searched for 'tls_cacertfile' on
launchpad but it seems that there's no reference... no, wait a moment:

 https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/241128

it seems I have to use tls_checkpeer=yes, I'll do some tests. ;)

> Make sure that you're not using self-signed certificates on the clients.

No, i use a local CA built with TinyCA.

--
Marco ``Gaio'' Gaiarin | LUG Pordenone (http://www.pordenone.linux.it)
P.zza S. Tommaso, 20 | Lilliput BBS (http://bbs.lilliput.linux.it)
Cimpello di Fiume Veneto | Azione Cattolica - Concordia-Pordenone
33080 Pordenone (Italia) | (http://www.ac.concordia-pordenone.it)
Tel. +39-0434-56-1305 | http://www.gaiarin.it/ <email address hidden>

Marco Gaiarin (marcogaio) said :
#5

> Tell me if I have to open a new bug; I've searched for 'tls_cacertfile' on
> launchpad but it seems that there's no reference... no, wait a moment:

> https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/241128

> it seems I have to use tls_checkpeer=yes, I'll do some tests. ;)

No, whatever I set tls_checkpeer to in /etc/ldap.conf, I *have* to set
TLS_CACERT in /etc/ldap/ldap.conf to make it work.

Tell me if I can do something more to debug this...
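The two findings in this thread (a GnuTLS-linked libldap ignoring TLS_CACERTDIR, and libnss-ldap only honouring the CA given by TLS_CACERT in the global /etc/ldap/ldap.conf rather than tls_cacertfile in /etc/ldap.conf) both have the same security consequence: a client can end up with an empty or ignored trust store while the admin believes the server certificate is being verified. The script below is an added example, not code from the thread or from the libnss-ldap/openldap packages. It audits the two files for exactly those conditions plus the two settings that explicitly weaken verification (TLS_REQCERT never/allow/try, tls_checkpeer no); the file paths are parameters so it can be run against copies, and the sample configs at the bottom are constructed for the demo, not real ones.

```shell
#!/bin/sh
# Added example (not from the thread or the libnss-ldap/openldap packages):
# audit which CA-trust settings an OpenLDAP/nss_ldap client will actually use.
# Assumptions, taken from the thread above:
#   - libldap (OpenLDAP 2.4 on hardy) is linked against GnuTLS and ignores TLS_CACERTDIR
#   - libnss-ldap/libpam-ldap trust the CA named by TLS_CACERT in the global
#     /etc/ldap/ldap.conf, while tls_cacertfile in /etc/ldap.conf is ignored

# get_setting FILE KEY: print the value of the first non-comment line whose
# first word equals KEY (ldap.conf keywords are case-insensitive); empty if absent.
get_setting() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' \
        "$1" 2>/dev/null || true
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# ldap_tls_audit GLOBAL_LDAP_CONF NSS_LDAP_CONF
# Prints one line per finding. Returns 0 when the client has a usable, verified
# CA configuration and 1 when server-certificate verification is weakened or broken.
ldap_tls_audit() {
    global=$1; nss=$2; rc=0
    cacert=$(get_setting "$global" TLS_CACERT)
    cacertdir=$(get_setting "$global" TLS_CACERTDIR)
    reqcert=$(lower "$(get_setting "$global" TLS_REQCERT)")
    nss_cacert=$(get_setting "$nss" tls_cacertfile)
    nss_checkpeer=$(lower "$(get_setting "$nss" tls_checkpeer)")

    # Directory-only trust: an empty trust store on a GnuTLS-linked libldap.
    if [ -z "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "FAIL: $global relies on TLS_CACERTDIR $cacertdir only; a GnuTLS-linked libldap ignores it, so no CA is trusted"
        rc=1
    fi
    # A CA file that is named but unreadable fails in the same silent way.
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "FAIL: TLS_CACERT $cacert is not readable"
        rc=1
    fi
    # never/allow/try accept an unverifiable server certificate; demand (the libldap default) does not.
    case "$reqcert" in
        never|allow|try)
            echo "FAIL: TLS_REQCERT $reqcert lets the client talk to an unverified server"
            rc=1 ;;
    esac
    # nss_ldap's own CA file setting is not honoured here; it must also be set globally.
    if [ -z "$cacert" ] && [ -n "$nss_cacert" ]; then
        echo "FAIL: tls_cacertfile is set only in $nss; set TLS_CACERT $nss_cacert in $global as well"
        rc=1
    fi
    if [ "$nss_checkpeer" = "no" ]; then
        echo "FAIL: tls_checkpeer no in $nss disables server certificate verification for nss_ldap/pam_ldap"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $global trusts $cacert and requires a verified server certificate"
    return "$rc"
}

# Constructed demo configs (not real files) showing the broken and the working layout.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
touch "$tmp/LNFFVG.pem"   # stand-in for the CA certificate; an empty file is enough for the audit
printf 'TLS_CACERTDIR /etc/ssl/certs\n' > "$tmp/ldap.conf.broken"
printf 'tls_cacertdir /etc/ssl/certs\ntls_checkpeer no\n' > "$tmp/ldap.conf.nss-broken"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$tmp/LNFFVG.pem" > "$tmp/ldap.conf.fixed"
printf 'tls_cacertfile %s\ntls_checkpeer yes\n' "$tmp/LNFFVG.pem" > "$tmp/ldap.conf.nss-fixed"
ldap_tls_audit "$tmp/ldap.conf.broken" "$tmp/ldap.conf.nss-broken" || echo "  -> exit status $?"
ldap_tls_audit "$tmp/ldap.conf.fixed" "$tmp/ldap.conf.nss-fixed"
```

On a real client run `ldap_tls_audit /etc/ldap/ldap.conf /etc/ldap.conf`; a non-zero exit means the box either has no usable CA at all (the thread's TLS_CACERTDIR case) or has been configured to accept an unverified server, which is the condition an attacker on the path needs to impersonate the LDAP server and harvest bind credentials.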

Gaetan Nadon (memsize) said :
#6

Thank you for taking the time to report this issue and helping to make Ubuntu better. Examining the information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We appreciate the difficulties you are facing, but it would make more sense to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs .

BugSquad

Launchpad Janitor (janitor) said :
#7

This question was expired because it remained in the 'Open' state without activity for the last 15 days.