Re: ldap user login attempt kills slapd service

2016-06-16 Thread Matus Honek
I must have missed the e-mail below from you, sorry for that. The link
to the archives is http://www.openldap.org/lists/openldap-technical/.

The related Red Hat Bugzilla is
https://bugzilla.redhat.com/show_bug.cgi?id=1335194

From the backtraces provided by Liz in the case it seems to be
technically (except for presence of back_relay) the same as ITS#7384. So
it does not seem to be MozNSS-related. I will let Liz include
additional backtraces (etc.) if asked for it.

"Real, Elizabeth (392K)"  writes:

> I reported the bug to red hat.
>
> What is the openldap technical URL where all of the submitted requests are 
> listed on?
>
> Thank you,
> Liz
>
>

-- 
Matúš Honěk
Associate Software Engineer @ Red Hat, Inc.



Re: ldap user login attempt kills slapd service

2016-05-11 Thread Matus Honek
Hello,

as OpenLDAP distributed with RHEL uses NSS for crypto (which is
deprecated by OpenLDAP upstream community) please contact Red Hat
customer support with the issue. There, please supply full debug-level
logs from all servers and client. I have noticed the suppressed log lines
from journal in logs you have supplied below, which is not sufficient.
Thank you for your understanding.

"Real, Elizabeth (392K)"  writes:

> Openldap gurus:
>
> Here is my setup,
>
> LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40. 
> Both servers are configured with multi-master replication. Ldaps is enabled 
> and a ppolicy applied.
>
> LDAPCLIENT: My ldap client is running RHEL7.2 as well, sssd 1.13.0, and 
> openldap client 2.4.40.
>
> I have been troubleshooting this problem for a while and can’t figure out why 
> every time I try to log in to an ldap client with a test user account the slapd 
> service on only one of my ldap servers gets killed.
>
> Both getent and ldapsearch return the expected information when run on the 
> ldap client:
> ldapclient ~]# getent passwd realtest
> realtest:*:1004:312:Liz RealTest:/home/real:/bin/tcsh
>
> ldapclient ~]# ldapsearch -x -s sub -b 'ou=People,dc=cluster,dc=sec312' 
> '(uid=realtest)'
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: ldap user login attempt kills slapd service

2016-05-11 Thread Real, Elizabeth (392K)
I reported the bug to red hat.

What is the openldap technical URL where all of the submitted requests are 
listed on?

Thank you,
Liz


From: Matus Honek <mho...@redhat.com>
Date: Wednesday, May 11, 2016 at 4:13 AM
To: Elizabeth Real Chavez <elizabeth.r...@jpl.nasa.gov>, 
"openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: ldap user login attempt kills slapd service

Hello,

as OpenLDAP distributed with RHEL uses NSS for crypto (which is
deprecated by OpenLDAP upstream community) please contact Red Hat
customer support with the issue. There, please supply full debug-level
logs from all servers and client. I have noticed the suppressed log lines
from journal in logs you have supplied below, which is not sufficient.
Thank you for your understanding.

"Real, Elizabeth (392K)" <elizabeth.r...@jpl.nasa.gov> writes:

Openldap gurus:

Here is my setup,

LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40. Both 
servers are configured with multi-master replication. Ldaps is enabled and a 
ppolicy applied.

LDAPCLIENT: My ldap client is running RHEL7.2 as well, sssd 1.13.0, and 
openldap client 2.4.40.

I have been troubleshooting this problem for a while and can’t figure out why 
every time I try to log in to an ldap client with a test user account the slapd 
service on only one of my ldap servers gets killed.

Both getent and ldapsearch return the expected information when run on the ldap 
client:
ldapclient ~]# getent passwd realtest
realtest:*:1004:312:Liz RealTest:/home/real:/bin/tcsh

ldapclient ~]# ldapsearch -x -s sub -b 'ou=People,dc=cluster,dc=sec312' 
'(uid=realtest)'
# extended LDIF
#
# LDAPv3
# base 

Re: ldap user login attempt kills slapd service

2016-05-10 Thread Quanah Gibson-Mount
I suggest avoiding packages provided by RH.  This has been noted numerous 
times on the list.  If you are unable to build OpenLDAP yourself, you may 
want to look at the packages from the LTB project.  If you require support, 
you may wish to contact Symas.


<http://ltb-project.org/wiki/download#openldap>
<https://symas.com/products/openldap-directory/>

--Quanah

--On Wednesday, May 11, 2016 12:19 AM + "Real, Elizabeth (392K)" 
<elizabeth.r...@jpl.nasa.gov> wrote:

> Quanah,
>
> Because I had an ssh issue while using openldap 2.4.39 and it was
> suggested I used openldap 2.4.40 that came with rhel72 instead. What do
> you suggest?
>
> Thank you,
> Liz
> _
> From: Quanah Gibson-Mount <qua...@zimbra.com>
> Sent: Tuesday, May 10, 2016 4:03 PM
> Subject: Re: ldap user login attempt kills slapd service
> To: <openldap-technical@openldap.org>, Real, Elizabeth (392K)
> <elizabeth.r...@jpl.nasa.gov>
>
> --On Tuesday, May 10, 2016 11:58 PM + "Real, Elizabeth (392K)"
> <elizabeth.r...@jpl.nasa.gov> wrote:
>
> > Openldap gurus:
> >
> > Here is my setup,
> >
> > LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40.
> > Both servers are configured with multi-master replication. Ldaps is
> > enabled and a ppolicy applied.
>
> The RHEL packages of OpenLDAP are known broken. Why are you using them?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> 
> Zimbra :: the leader in open source messaging and collaboration
> A division of Synacor, Inc

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc



Re: ldap user login attempt kills slapd service

2016-05-10 Thread Real, Elizabeth (392K)
Quanah,

Because I had an ssh issue while using openldap 2.4.39 and it was suggested I 
used openldap 2.4.40 that came with rhel72 instead. What do you suggest?

Thank you,
Liz
_
From: Quanah Gibson-Mount <qua...@zimbra.com>
Sent: Tuesday, May 10, 2016 4:03 PM
Subject: Re: ldap user login attempt kills slapd service
To: <openldap-technical@openldap.org>, Real, Elizabeth (392K) 
<elizabeth.r...@jpl.nasa.gov>


--On Tuesday, May 10, 2016 11:58 PM + "Real, Elizabeth (392K)"
<elizabeth.r...@jpl.nasa.gov> wrote:

>
> Openldap gurus:
>
>
> Here is my setup,
>
>
> LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40.
> Both servers are configured with multi-master replication. Ldaps is
> enabled and a ppolicy applied.

The RHEL packages of OpenLDAP are known broken. Why are you using them?

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc




Re: ldap user login attempt kills slapd service

2016-05-10 Thread Quanah Gibson-Mount
--On Tuesday, May 10, 2016 11:58 PM + "Real, Elizabeth (392K)" wrote:

> Openldap gurus:
>
> Here is my setup,
>
> LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40.
> Both servers are configured with multi-master replication. Ldaps is
> enabled and a ppolicy applied.

The RHEL packages of OpenLDAP are known broken.  Why are you using them?

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc



ldap user login attempt kills slapd service

2016-05-10 Thread Real, Elizabeth (392K)
Openldap gurus:

Here is my setup,

LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40. Both 
servers are configured with multi-master replication. Ldaps is enabled and a 
ppolicy applied.

LDAPCLIENT: My ldap client is running RHEL7.2 as well, sssd 1.13.0, and 
openldap client 2.4.40.

I have been troubleshooting this problem for a while and can’t figure out why 
every time I try to log in to an ldap client with a test user account the slapd 
service on only one of my ldap servers gets killed.

Both getent and ldapsearch return the expected information when run on the ldap 
client:
ldapclient ~]# getent passwd realtest
realtest:*:1004:312:Liz RealTest:/home/real:/bin/tcsh

ldapclient ~]# ldapsearch -x -s sub -b 'ou=People,dc=cluster,dc=sec312' 
'(uid=realtest)'
# extended LDIF
#
# LDAPv3
# base