Re: python-ldap hanging for 15 minutes under certain conditions
Hi

On 7 February 2011 19:29, Rich Megginson wrote:
> On 02/05/2011 01:42 PM, Michael Wood wrote:
>> Hi
>>
>> On 4 February 2011 17:35, Rich Megginson wrote:
>>> On 02/03/2011 11:59 PM, Michael Wood wrote:
>>>> On 4 February 2011 08:32, James Andrewartha wrote:
>>>>> [...]
>>>>> Debian uses GnuTLS because OpenSSL has the non-GPL compatible
>>>>> advertising clause, and libldap is linked into many GPL applications. So
>>>>
>>>> Ah, good point.
>>>>
>>>>> the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I
>>>>
>>>> Or switch to something else.
>>>
>>> OpenLDAP 2.4.23 supports Mozilla NSS (triple licensed GPLv2+/LGPLv2+/MPL)
>>> for crypto
>>> Fedora 14 and later use this instead of OpenSSL
>>
>> Interesting. But co-incidentally, there's a thread currently on the
>> libcurl mailing list about comparisons between different SSL/TLS libs
>> that are supported by libcurl. Howard Chu posted about GnuTLS and
>> later about NSS. In the NSS message he said:
>>
>> "I understand that RedHat is now building their OpenLDAP packages with our
>> MozNSS support. I don't believe this combination is ready for primetime by
>> any measure. They still don't even have release quality code for handling
>> PEM files, and their current experimental code crashes/misbehaves in common
>> (for OpenSSL) deployment scenarios.
>
> No doubt Howard has been alarmed by the frequency of my patch submissions
> and the severity of the bugs they fix.

Ah, sorry for opening up a can of worms :)

>> https://bugzilla.mozilla.org/show_bug.cgi?id=402712
>
> This is for adding the PEMNSS module to Mozilla NSS upstream. The code has
> been used for years now, first in nss_compat_ossl (a library wrapper that
> implements OpenSSL APIs with Mozilla NSS code) and in libnsspem in
> RHEL/Fedora (part of the RHEL/Fedora nss package).

I am not wedded to PEM. Perhaps NSS is the answer. Now someone just
needs to convince Debian and/or Ubuntu of that :) I have no idea if
anyone's tried.

>> https://bugzilla.redhat.com/show_bug.cgi?id=642433"
>
> This has already been fixed both in OpenLDAP upstream and in current
> RHEL/Fedora code.
>
> IMHO OpenLDAP with MozNSS is close to being stable. I'm not just saying
> that - I'm prepared to "put my money where my mouth is" and so is my
> employer, Red Hat, who has committed to using OpenLDAP with MozNSS in Fedora
> and RHEL. Also note that two of the core Mozilla NSS developers, including
> those working on Mozilla PEMNSS, are also Red Hat employees.

OK

> You can also use OpenLDAP with MozNSS without using PEM files at all if you
> are concerned about using the libnsspem module -
> http://www.openldap.org/faq/index.cgi?file=1514

Well, as I said above, I'm not wedded to PEM. I am using Ubuntu for
reasons not related to OpenLDAP and so would prefer to use official
Ubuntu packages rather than compiling OpenLDAP myself and then having
to keep it up to date. So for me, I think it would be best if Ubuntu
switched to an SSL library for OpenLDAP that did not cause me problems
like I had when using python-ldap -> OpenLDAP -> GnuTLS. Of course,
the chances of Ubuntu switching just because I think it would be best
are minimal :) Especially because I am not intimately familiar with
all the issues.

> Why is Fedora/Red Hat doing this at all? Why bother?
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation

Thanks for that link. I agree it's a worthy goal and it sounds like
NSS is the way to go. I hope Debian and Ubuntu follow suit.

--
Michael Wood

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
Re: python-ldap hanging for 15 minutes under certain conditions
On 02/05/2011 01:42 PM, Michael Wood wrote:
> Hi
>
> On 4 February 2011 17:35, Rich Megginson wrote:
>> On 02/03/2011 11:59 PM, Michael Wood wrote:
>>> On 4 February 2011 08:32, James Andrewartha wrote:
>>>> [...]
>>>> Debian uses GnuTLS because OpenSSL has the non-GPL compatible
>>>> advertising clause, and libldap is linked into many GPL applications. So
>>>
>>> Ah, good point.
>>>
>>>> the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I
>>>
>>> Or switch to something else.
>>
>> OpenLDAP 2.4.23 supports Mozilla NSS (triple licensed GPLv2+/LGPLv2+/MPL)
>> for crypto
>> Fedora 14 and later use this instead of OpenSSL
>
> Interesting. But co-incidentally, there's a thread currently on the
> libcurl mailing list about comparisons between different SSL/TLS libs
> that are supported by libcurl. Howard Chu posted about GnuTLS and
> later about NSS. In the NSS message he said:
>
> "I understand that RedHat is now building their OpenLDAP packages with our
> MozNSS support. I don't believe this combination is ready for primetime by any
> measure. They still don't even have release quality code for handling PEM
> files, and their current experimental code crashes/misbehaves in common (for
> OpenSSL) deployment scenarios.

No doubt Howard has been alarmed by the frequency of my patch submissions
and the severity of the bugs they fix.

> https://bugzilla.mozilla.org/show_bug.cgi?id=402712

This is for adding the PEMNSS module to Mozilla NSS upstream. The code has
been used for years now, first in nss_compat_ossl (a library wrapper that
implements OpenSSL APIs with Mozilla NSS code) and in libnsspem in
RHEL/Fedora (part of the RHEL/Fedora nss package).

> https://bugzilla.redhat.com/show_bug.cgi?id=642433"

This has already been fixed both in OpenLDAP upstream and in current
RHEL/Fedora code.

IMHO OpenLDAP with MozNSS is close to being stable. I'm not just saying
that - I'm prepared to "put my money where my mouth is" and so is my
employer, Red Hat, who has committed to using OpenLDAP with MozNSS in Fedora
and RHEL. Also note that two of the core Mozilla NSS developers, including
those working on Mozilla PEMNSS, are also Red Hat employees.

You can also use OpenLDAP with MozNSS without using PEM files at all if you
are concerned about using the libnsspem module -
http://www.openldap.org/faq/index.cgi?file=1514

Why is Fedora/Red Hat doing this at all? Why bother?
https://fedoraproject.org/wiki/FedoraCryptoConsolidation

> Here's the link to the message in libcurl's mailing list archive:
> http://curl.haxx.se/mail/lib-2011-02/0043.html
Re: python-ldap hanging for 15 minutes under certain conditions
Hi

On 4 February 2011 17:35, Rich Megginson wrote:
> On 02/03/2011 11:59 PM, Michael Wood wrote:
>> On 4 February 2011 08:32, James Andrewartha wrote:
>>> [...]
>>> Debian uses GnuTLS because OpenSSL has the non-GPL compatible
>>> advertising clause, and libldap is linked into many GPL applications. So
>>
>> Ah, good point.
>>
>>> the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I
>>
>> Or switch to something else.
>
> OpenLDAP 2.4.23 supports Mozilla NSS (triple licensed GPLv2+/LGPLv2+/MPL)
> for crypto
> Fedora 14 and later use this instead of OpenSSL

Interesting. But co-incidentally, there's a thread currently on the
libcurl mailing list about comparisons between different SSL/TLS libs
that are supported by libcurl. Howard Chu posted about GnuTLS and
later about NSS. In the NSS message he said:

"I understand that RedHat is now building their OpenLDAP packages with our
MozNSS support. I don't believe this combination is ready for primetime by any
measure. They still don't even have release quality code for handling PEM
files, and their current experimental code crashes/misbehaves in common (for
OpenSSL) deployment scenarios.

https://bugzilla.mozilla.org/show_bug.cgi?id=402712
https://bugzilla.redhat.com/show_bug.cgi?id=642433"

Here's the link to the message in libcurl's mailing list archive:
http://curl.haxx.se/mail/lib-2011-02/0043.html

--
Michael Wood
Re: python-ldap hanging for 15 minutes under certain conditions
On 02/04/2011 09:15 AM, Michael Ströder wrote:
> Rich Megginson wrote:
>> OpenLDAP 2.4.23 supports Mozilla NSS (triple licensed
>> GPLv2+/LGPLv2+/MPL) for crypto
>> Fedora 14 and later use this instead of OpenSSL
>
> I see some benefits using Mozilla NSS especially with LDAP clients. But I
> wonder whether we could use it from python-ldap via OpenLDAP just like Mozilla
> clients use it.

Yes. I've been using it for a while like that. For more information:
http://www.openldap.org/faq/index.cgi?file=1514

> I'm thinking of support for PKCS#11 tokens and adding trusted
> certs.

See the above FAQ - there is some information there about use of tokens
other than the default builtin softtoken.

> Ciao, Michael.
Re: python-ldap hanging for 15 minutes under certain conditions
Rich Megginson wrote:
> OpenLDAP 2.4.23 supports Mozilla NSS (triple licensed
> GPLv2+/LGPLv2+/MPL) for crypto
> Fedora 14 and later use this instead of OpenSSL

I see some benefits using Mozilla NSS especially with LDAP clients. But I
wonder whether we could use it from python-ldap via OpenLDAP just like Mozilla
clients use it. I'm thinking of support for PKCS#11 tokens and adding trusted
certs.

Ciao, Michael.
Re: python-ldap hanging for 15 minutes under certain conditions
Michael Wood wrote:
> I do hold out some hope that issues like this in GnuTLS (or in
> the software using GnuTLS?) can get fixed, though.

The issues with GnuTLS have been known for years now. I suspect that
everybody setting up a serious (Open-)LDAP deployment just builds with
OpenSSL and therefore nobody is using GnuTLS seriously. So nobody sees a
benefit for investing in getting GnuTLS improved.

Ciao, Michael.
Re: python-ldap hanging for 15 minutes under certain conditions
On 02/03/2011 11:59 PM, Michael Wood wrote:
> On 4 February 2011 08:32, James Andrewartha wrote:
>> On 04/02/11 03:31, Michael Ströder wrote:
>>> Michael Wood wrote:
>>>> On 3 February 2011 18:16, Rich Megginson wrote:
>>>>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>>>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>>>>> python-ldap 2.3.10-1ubuntu1.
>>>> [..]
>>>> But I thought it was worth a try to recompile OpenLDAP and link with
>>>> OpenSSL instead of GnuTLS.
>>>>
>>>> After doing that, the problem went away!
>>>
>>> That was my first idea when I read that you're using Ubuntu (based on
>>> Debian).
>>> There have been so many issues with OpenLDAP linked with GnuTLS during the
>>> last years. I really wonder why the Debian folks force everybody to use
>>> this.
>>> IMO that's a major issue with Debian.
>>
>> Debian uses GnuTLS because OpenSSL has the non-GPL compatible
>> advertising clause, and libldap is linked into many GPL applications. So
>
> Ah, good point.
>
>> the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I
>
> Or switch to something else.

OpenLDAP 2.4.23 supports Mozilla NSS (triple licensed GPLv2+/LGPLv2+/MPL)
for crypto
Fedora 14 and later use this instead of OpenSSL

>> have no hope of either occurring.
>
> I understand your lack of hope wrt. the licensing situation and I
> suppose switching to another SSL/TLS library is unlikely at this
> point. I do hold out some hope that issues like this in GnuTLS (or in
> the software using GnuTLS?) can get fixed, though.
Re: python-ldap hanging for 15 minutes under certain conditions
On 4 February 2011 08:32, James Andrewartha wrote:
> On 04/02/11 03:31, Michael Ströder wrote:
>> Michael Wood wrote:
>>> On 3 February 2011 18:16, Rich Megginson wrote:
>>>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>>>> python-ldap 2.3.10-1ubuntu1.
>>> [..]
>>> But I thought it was worth a try to recompile OpenLDAP and link with
>>> OpenSSL instead of GnuTLS.
>>>
>>> After doing that, the problem went away!
>>
>> That was my first idea when I read that you're using Ubuntu (based on
>> Debian).
>> There have been so many issues with OpenLDAP linked with GnuTLS during the
>> last years. I really wonder why the Debian folks force everybody to use this.
>> IMO that's a major issue with Debian.
>
> Debian uses GnuTLS because OpenSSL has the non-GPL compatible
> advertising clause, and libldap is linked into many GPL applications. So

Ah, good point.

> the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I

Or switch to something else.

> have no hope of either occurring.

I understand your lack of hope wrt. the licensing situation and I
suppose switching to another SSL/TLS library is unlikely at this
point. I do hold out some hope that issues like this in GnuTLS (or in
the software using GnuTLS?) can get fixed, though.

--
Michael Wood
Re: python-ldap hanging for 15 minutes under certain conditions
On 04/02/11 03:31, Michael Ströder wrote:
> Michael Wood wrote:
>> On 3 February 2011 18:16, Rich Megginson wrote:
>>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>>> python-ldap 2.3.10-1ubuntu1.
>> [..]
>> But I thought it was worth a try to recompile OpenLDAP and link with
>> OpenSSL instead of GnuTLS.
>>
>> After doing that, the problem went away!
>
> That was my first idea when I read that you're using Ubuntu (based on Debian).
> There have been so many issues with OpenLDAP linked with GnuTLS during the
> last years. I really wonder why the Debian folks force everybody to use this.
> IMO that's a major issue with Debian.

Debian uses GnuTLS because OpenSSL has the non-GPL compatible
advertising clause, and libldap is linked into many GPL applications. So
the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I
have no hope of either occurring.

James Andrewartha
Re: python-ldap hanging for 15 minutes under certain conditions
Hi

2011/2/3 Michael Ströder:
> Michael Wood wrote:
>> On 3 February 2011 18:16, Rich Megginson wrote:
>>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>>> python-ldap 2.3.10-1ubuntu1.
>> [..]
>> But I thought it was worth a try to recompile OpenLDAP and link with
>> OpenSSL instead of GnuTLS.
>>
>> After doing that, the problem went away!
>
> That was my first idea when I read that you're using Ubuntu (based on Debian).
> There have been so many issues with OpenLDAP linked with GnuTLS during the
> last years. I really wonder why the Debian folks force everybody to use this.
> IMO that's a major issue with Debian.

OK, well, next time I'll know. I suppose it's one way to get GnuTLS to
improve :)

The strange thing is that ldapsearch on the command line did not have
the same problem.

Thanks.

--
Michael Wood
Re: python-ldap hanging for 15 minutes under certain conditions
Michael Wood wrote:
> On 3 February 2011 18:16, Rich Megginson wrote:
>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>> python-ldap 2.3.10-1ubuntu1.
> [..]
> But I thought it was worth a try to recompile OpenLDAP and link with
> OpenSSL instead of GnuTLS.
>
> After doing that, the problem went away!

That was my first idea when I read that you're using Ubuntu (based on Debian).
There have been so many issues with OpenLDAP linked with GnuTLS during the
last years. I really wonder why the Debian folks force everybody to use this.
IMO that's a major issue with Debian.

Ciao, Michael.
Re: python-ldap hanging for 15 minutes under certain conditions
Hi

On 3 February 2011 18:16, Rich Megginson wrote:
> On 02/03/2011 04:34 AM, Michael Wood wrote:
>> Hi
>>
>> I'm trying to do a search against Samba 4's LDAP server and it works,
>> but the bind and search are both successful, everything hangs when I
>> try to unbind from the LDAP server. If anyone could enlighten me I
>> would be grateful.
>>
>> I've run into the same issue on various different Linux machines with
>> a range of OpenLDAP and python-ldap versions, but it seems to work
>> fine on a Mac running Leopard.
>>
>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>> python-ldap 2.3.10-1ubuntu1.
>>
>> I've also tried upgrading python-ldap to 2.3.12, but that does not
>> seem to have helped.
>
> Try enabling ldap debug logging - before the first call to
> ldap.initialize, add this:
> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)

Thanks for the suggestion. I'll give it a try tomorrow.

In the meantime, someone pointed me at this:

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6673&selectid=6673&usearchives=1

It did not seem to match my situation because it talks about broken
TCP connections:

"When a network connection to the LDAP server fails (is severed with
iptables in my set-up)"

But I thought it was worth a try to recompile OpenLDAP and link with
OpenSSL instead of GnuTLS.

After doing that, the problem went away!

So this seems not to have anything to do with python-ldap.

--
Michael Wood
Re: python-ldap hanging for 15 minutes under certain conditions
On 02/03/2011 04:34 AM, Michael Wood wrote:
> Hi
>
> I'm trying to do a search against Samba 4's LDAP server and it works,
> but the bind and search are both successful, everything hangs when I
> try to unbind from the LDAP server. If anyone could enlighten me I
> would be grateful.
>
> I've run into the same issue on various different Linux machines with
> a range of OpenLDAP and python-ldap versions, but it seems to work
> fine on a Mac running Leopard.
>
> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
> python-ldap 2.3.10-1ubuntu1.
>
> I've also tried upgrading python-ldap to 2.3.12, but that does not
> seem to have helped.

Try enabling ldap debug logging - before the first call to
ldap.initialize, add this:
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)

> import logging
> import ldap
>
> def test(username, password):
>     base = "DC=example,DC=com"
>     userbase = "CN=Users," + base
>     userdn = "CN=%s,%s" % (username, userbase)
>     ldap_server = "ldap://example.com"
>     conn = ldap.initialize(ldap_server)
>     conn.set_option(ldap.OPT_REFERRALS, 0)  # Doesn't appear to make a difference
>     conn.start_tls_s()
>     try:
>         conn.simple_bind_s(userdn, password)
>         logging.debug("Bind succeeded for '%s'", username)
>     except ldap.LDAPError:
>         logging.warn("Authentication failed for '%s'", username)
>         return False
>     res = conn.search_s("CN=Some Group,CN=Users,DC=bluebird,DC=co,DC=za",
>                         ldap.SCOPE_BASE, filterstr="(member=%s)" % userdn,
>                         attrlist=["member"])
>     if len(res) != 1:
>         logging.debug("User '%s' is not in the Some Group group", username)
>         conn.unbind()
>         return False
>     logging.debug("User '%s' appears to be in the Some Group group",
>                   username)
>     conn.unbind()  # <- hangs here for 15 minutes.
>     logging.debug("Unbound.")
>     return True
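As an added example (not code from this thread, from python-ldap or from OpenLDAP), the two checks a practitioner would want after reading it: a classifier that tells from `ldd` output which TLS library the libldap behind python-ldap was linked against (GnuTLS, OpenSSL or Mozilla NSS), and a hardened variant of the posted membership check that opens the connection with bounded timeouts, escapes the DN before using it in the filter, and always unbinds. It assumes python-ldap and `ldd` are present for the live helpers (python-ldap is imported lazily so the classifier runs without it); the `SAMPLE_LDD_GNUTLS` excerpt is constructed, not real output.

```python
import logging
import re
import subprocess

# Leading soname fragments that identify the TLS library libldap was built against.
# NSS ships libssl3.so, which must not be confused with OpenSSL's libssl.so.
TLS_BACKENDS = {
    "gnutls": ("libgnutls.so",),
    "openssl": ("libssl.so", "libcrypto.so"),
    "nss": ("libssl3.so", "libnss3.so", "libnspr4.so"),
}


def tls_backends_from_ldd(ldd_output):
    """Return the sorted list of TLS backends named in `ldd` output for
    libldap or python-ldap's _ldap extension (normally exactly one entry)."""
    found = set()
    for line in ldd_output.splitlines():
        m = re.match(r"\s*(\S+)\s+=>", line)  # "libfoo.so.N => /path (0x...)"
        if not m:
            continue
        soname = m.group(1)
        for backend, fragments in TLS_BACKENDS.items():
            if soname.startswith(fragments):
                found.add(backend)
    return sorted(found)


def python_ldap_tls_backends():
    """Run ldd on the _ldap extension python-ldap actually loads (Linux; ldd and
    python-ldap assumed present), so the check covers the libldap it really uses."""
    import _ldap  # python-ldap's C extension module
    out = subprocess.check_output(["ldd", _ldap.__file__]).decode("utf-8", "replace")
    return tls_backends_from_ldd(out)


def connect_with_timeouts(uri, seconds=10.0, debug=False):
    """Open a STARTTLS connection whose operations cannot block indefinitely:
    OPT_NETWORK_TIMEOUT bounds socket connect/read inside libldap and
    OPT_TIMEOUT bounds each synchronous *_s() call (python-ldap assumed)."""
    import ldap
    if debug:
        ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)  # global; set before initialize()
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, seconds)
    conn.set_option(ldap.OPT_TIMEOUT, seconds)
    conn.start_tls_s()
    return conn


def is_group_member(conn, userdn, password, group_dn):
    """Bind as the user and test group membership; the connection is always
    released in `finally`, and the DN is escaped before use in the filter."""
    import ldap
    import ldap.filter
    try:
        conn.simple_bind_s(userdn, password)
        flt = "(member=%s)" % ldap.filter.escape_filter_chars(userdn)
        res = conn.search_s(group_dn, ldap.SCOPE_BASE, flt, ["member"])
        return len(res) == 1
    except ldap.INVALID_CREDENTIALS:
        logging.warning("Authentication failed for %r", userdn)
        return False
    finally:
        conn.unbind_s()  # bounded by OPT_NETWORK_TIMEOUT instead of hanging


# Constructed ldd excerpt in the style of a Debian/Ubuntu GnuTLS build (not real output).
SAMPLE_LDD_GNUTLS = """\
\tlinux-vdso.so.1 =>  (0x00007fff4f3ff000)
\tlibldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f1e3c000000)
\tlibgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f1e3bd00000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f1e3b900000)
"""
```

If `tls_backends_from_ldd(SAMPLE_LDD_GNUTLS)` style output on your own host reports `["gnutls"]`, the unbind hang from this thread is reproducible with the distribution packages; with timeouts set as above the worst case is a bounded error rather than a 15-minute stall.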