Server running Moodle 1.9 on fully patched RHEL 6.1.
From time to time, a specific Apache child process loses the ability to
connect to any LDAP server over SSL. It is not clear how processes get into
this state (lsof, and adding %P %k %T %X to LogFormat, show no obvious
differences), but once they do, all attempts to reach ldaps:// URLs via either
ldap_connect/ldap_bind or curl_init/curl_exec from that specific httpd child
process fail.
Reducing Apache MaxRequestsPerChild (currently at 200) appears to reduce the
incidence of this problem, but it never goes away entirely. apachectl graceful
appears to stop it for a while.
ldapserver1 and ldapserver2 are most certainly up, actively serving other
clients with no resource constraints. Capturing network traffic, we see a
completed 3-way handshake, then an immediate FIN from the client with no data
pushed. If I run passthru("/usr/bin/ldapsearch -x -LLL -H ldaps://ldapserver1.com ou=People")
in the same PHP script where ldap_bind and curl_init("ldaps://") fail, only the
external ldapsearch binary succeeds.
In PHP, jacking up ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7) results in
the PHP error log output below, suggesting that the problem is in moznss, or
the OpenLDAP linkage thereto.
What else can I do here?
ldap_create
ldap_url_parse_ext(ldaps://ldapserver1.com/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver1.com:636
ldap_new_socket: 25
ldap_prepare_socket: 25
ldap_connect_to_host: Trying 172.20.9.5:636
ldap_pvt_connect: fd: 25 tm: 20 async: 0
ldap_ndelay_on: 25
ldap_int_poll: fd: 25 tm: 20
ldap_is_sock_ready: 25
ldap_ndelay_off: 25
ldap_pvt_connect: 0
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
ldap_err2string
ldap_err2string
ldap_create
ldap_url_parse_ext(ldaps://ldapserver2.com/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver2.com:636
ldap_new_socket: 25
ldap_prepare_socket: 25
ldap_connect_to_host: Trying 172.20.9.6:636
ldap_pvt_connect: fd: 25 tm: 20 async: 0
ldap_ndelay_on: 25
ldap_int_poll: fd: 25 tm: 20
ldap_is_sock_ready: 25
ldap_ndelay_off: 25
ldap_pvt_connect: 0
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
ldap_err2string
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
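The post compares three paths from inside one httpd child (PHP ldap_*, PHP curl against ldaps://, and an external ldapsearch) and notes that lsof and LogFormat %P give no clue which child is stuck. The following probe script is an added example, not code from the original post or from Moodle: it runs those same three checks from whichever Apache child serves the request and logs the child PID with each result, so a child whose in-process TLS initialization has failed (the moznss "one-time function was previously called and failed" state, which persists for the life of the process) can be identified and correlated with MaxRequestsPerChild and graceful restarts. It assumes the two hostnames from the post, an anonymous bind (as with ldapsearch -x and no -D), ldapsearch at /usr/bin, and a base-scope search on ou=People as a cheap query; all of those are assumptions to adjust for your site.

```php
<?php
// ldap-probe.php (added example, not the original poster's code).
// Hit this URL repeatedly (e.g. from a monitoring check) so that many
// Apache children get exercised; each response and error_log line carries
// getmypid(), which matches %P in the Apache LogFormat from the post.

$servers = array('ldapserver1.com', 'ldapserver2.com');   // hostnames from the post
$base    = 'ou=People';                                    // base DN from the post (assumed)

// Same libldap debug level the post used, so the moznss/TLS message lands
// in the PHP error log next to the lines this script writes.
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

// Path 1: PHP's ldap extension (libldap linked against moznss on RHEL 6).
function probe_php_ldap($host) {
    $ds = ldap_connect('ldaps://' . $host . '/');
    if (!$ds) {
        return array('ok' => false, 'err' => 'ldap_connect returned false');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
    $ok = @ldap_bind($ds);   // anonymous bind, like ldapsearch -x without -D
    $detail = '';
    // LDAP_OPT_DIAGNOSTIC_MESSAGE is newer than PHP 5.3; fall back to the older name.
    $opt = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : LDAP_OPT_ERROR_STRING;
    @ldap_get_option($ds, $opt, $detail);
    $res = array('ok'  => (bool) $ok,
                 'err' => $ok ? '' : ldap_errno($ds) . ' ' . ldap_error($ds) . ' ' . $detail);
    ldap_close($ds);
    return $res;
}

// Path 2: PHP's curl extension speaking ldaps:// (its own TLS/LDAP linkage).
function probe_curl($host, $base) {
    $ch = curl_init('ldaps://' . $host . '/' . $base);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $out = curl_exec($ch);
    $res = array('ok'  => ($out !== false),
                 'err' => ($out === false) ? curl_errno($ch) . ' ' . curl_error($ch) : '');
    curl_close($ch);
    return $res;
}

// Path 3: the external ldapsearch binary, which the post reports keeps working
// even when both in-process paths have failed. Base-scope search is an assumption
// chosen to keep the probe cheap.
function probe_ldapsearch($host, $base) {
    $cmd = '/usr/bin/ldapsearch -x -LLL -s base'
         . ' -H ' . escapeshellarg('ldaps://' . $host)
         . ' -b ' . escapeshellarg($base) . ' 2>&1';
    $lines = array();
    $rc = 1;
    exec($cmd, $lines, $rc);
    return array('ok'  => ($rc === 0),
                 'err' => ($rc === 0) ? '' : 'rc=' . $rc . ' ' . implode(' | ', $lines));
}

$pid    = getmypid();
$report = array();
foreach ($servers as $host) {
    $report[$host] = array(
        'php_ldap'   => probe_php_ldap($host),
        'php_curl'   => probe_curl($host, $base),
        'ldapsearch' => probe_ldapsearch($host, $base),
    );
    foreach ($report[$host] as $path => $r) {
        error_log(sprintf('ldap-probe pid=%d host=%s path=%s ok=%d %s',
                          $pid, $host, $path, $r['ok'] ? 1 : 0, $r['err']));
    }
}

// The post's signature: in-process ldaps fails while the external binary
// succeeds against the same server. Flag that pattern specifically, so an
// unreachable LDAP server (all three paths fail) is not mistaken for a stuck child.
$broken = array();
foreach ($report as $host => $paths) {
    if (!$paths['php_ldap']['ok'] && $paths['ldapsearch']['ok']) {
        $broken[] = $host;
    }
}

header('Content-Type: text/plain');
if ($broken) {
    header('HTTP/1.1 503 Service Unavailable');   // lets a load balancer or monitor react
}
echo 'pid=' . $pid . ' in-process-ldaps-broken=' . ($broken ? implode(',', $broken) : 'none') . "\n";
```

Because the probe reports the PID of the serving child, repeated requests build a per-child record in the error log: a child that logs php_ldap ok=0 with ldapsearch ok=1 on every request from its first failure onward confirms the per-process, stuck-until-restart behaviour the post describes, and the request count at which each child first fails is the number to compare against MaxRequestsPerChild.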
_______________________________________________
rhelv6-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv6-list