https://bugs.openldap.org/show_bug.cgi?id=10052

          Issue ID: 10052
           Summary: ldapsearch error "can't contact LDAP Server" <1%
           Product: OpenLDAP
           Version: 2.4.44
          Hardware: x86_64
                OS: Linux
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: client tools
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Version used: 2.4.44, from Amazon2 core
OS: AWS Linux2

Details:
Users reported occasional issues with AD server authentication with
MicroStrategy. We opened a case with MicroStrategy and learnt that they use the
OpenLDAP library for AD authentication. We were able to reproduce the issue with
ldapsearch as below.

ldapsearch -H ldaps://$REMOTEHOST:$REMOTEPORT \
 -x -D "CN=??????" \
 -y pssd.txt -LLL \
 -b "OU=???????" "(sAMAccountName=????)" dn

We use crontab to query AD once every minute, and we were able to see a few
issues each day; the error rate is more than 1/1000 but less than 1/100. The
error looks like below:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Not much info was logged other than this.

We tried all kinds of things but it didn't help, e.g. the ldap.conf settings to
ignore certificate validation, simplifying the cert folder files, and the like.

We thought perhaps TLS might be the issue, so we set up an nginx node within
the same VPC, which communicates with the AD server over TLS but terminates TLS
and talks to the other EC2 instance in clear text. We were not able to see any
errors.

So we have proved that, for some reason, ldapsearch over ldaps fails at a low
percentage.

I previously reported case 10049, but it was closed. The message was that
OpenLDAP uses other components for HTTPS/TLS, so the bugs possibly come from
other libraries.

So to prove this issue is indeed in OpenLDAP, I scheduled the same ldapsearch on
the nginx box itself. Knowing nginx was using the same OpenSSL library (openssl
1.0.2k), we reproduced the same ~1% "can't contact LDAP server" error on the
nginx box. So this error is perhaps more related to OpenLDAP, or perhaps Cyrus
SASL? (cyrus-sasl-lib 2.1.26)

My question is whether this sounds like an OpenLDAP bug. Please advise. Thanks.
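A report like this one ("Can't contact LDAP server" roughly 1% of the time, with nothing else logged) is hard to act on without per-probe latency and the libldap trace from the failing run. The script below is an added example, not the reporter's or the OpenLDAP project's code. It wraps the same kind of ldapsearch probe in a loop, records one log line per run (timestamp, outcome class, latency, and stderr only on failure), and summarises the resulting log so the failure rate and the latency of failed runs can be compared with the successful ones (an instant "-1" versus a timeout-length one points at different layers). It assumes the OpenLDAP ldapsearch client is on PATH; the URI, bind DN, base DN, filter and password-file name are placeholders, and the sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Repeatedly probe an LDAPS bind+search and summarise intermittent failures.

Added example, not from the bug report. Assumes ldapsearch (OpenLDAP client
tools) is on PATH; all connection parameters below are assumed placeholders.
"""
import re
import subprocess
import sys
import time
from collections import Counter
from datetime import datetime, timezone

# Placeholder connection parameters (assumed, not taken from the report).
LDAP_URI = "ldaps://ldap.example.internal:636"
BIND_DN = "CN=svc-probe,OU=Service Accounts,DC=example,DC=internal"
PASSWORD_FILE = "pssd.txt"
BASE_DN = "OU=Users,DC=example,DC=internal"
SEARCH_FILTER = "(sAMAccountName=probeuser)"

# Failure signatures in ldapsearch stderr, checked in order. The exact message
# from the report gets its own bucket before the generic TLS pattern.
FAILURE_PATTERNS = [
    ("cant_contact", re.compile(r"Can't contact LDAP server")),
    ("invalid_credentials", re.compile(r"Invalid credentials")),
    ("tls_error", re.compile(r"\bTLS\b")),
]

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<outcome>\S+) (?P<ms>\d+)ms(?: (?P<detail>.*))?$")

# Constructed sample log (four probes, one failure) used when no probing is requested.
SAMPLE_LOG = [
    "2023-05-01T00:00:00Z ok 41ms",
    "2023-05-01T00:01:00Z ok 39ms",
    "2023-05-01T00:02:00Z cant_contact 12ms ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)",
    "2023-05-01T00:03:00Z ok 44ms",
]


def classify(returncode, stderr):
    """Map one ldapsearch run (exit status plus stderr text) to an outcome label."""
    if returncode == 0:
        return "ok"
    for label, pattern in FAILURE_PATTERNS:
        if pattern.search(stderr):
            return label
    return "other"


def probe_once(debug_level=0, timeout=30):
    """Run one bind+search; return (outcome, elapsed_ms, stderr)."""
    cmd = ["ldapsearch", "-H", LDAP_URI, "-x", "-D", BIND_DN,
           "-y", PASSWORD_FILE, "-LLL", "-b", BASE_DN, SEARCH_FILTER, "dn"]
    if debug_level:
        cmd += ["-d", str(debug_level)]  # libldap trace on stderr; kept only for failed runs
    start = time.monotonic()
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        rc, err = proc.returncode, proc.stderr
    except subprocess.TimeoutExpired:
        rc, err = -1, "probe timed out after %ss" % timeout
    elapsed_ms = int((time.monotonic() - start) * 1000)
    return classify(rc, err), elapsed_ms, err


def format_log_line(ts, outcome, elapsed_ms, stderr=""):
    """One line per probe: timestamp, outcome, latency, and stderr (whitespace-folded) on failure."""
    detail = " " + " ".join(stderr.split()) if outcome != "ok" and stderr.strip() else ""
    return "%s %s %dms%s" % (ts, outcome, elapsed_ms, detail)


def summarise(lines):
    """Parse probe log lines into counts, failure rate and worst latency per class."""
    counts, max_ms = Counter(), {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not probe records
        outcome, ms = m.group("outcome"), int(m.group("ms"))
        counts[outcome] += 1
        max_ms[outcome] = max(max_ms.get(outcome, 0), ms)
    total = sum(counts.values())
    failures = total - counts["ok"]
    return {"total": total, "counts": counts,
            "failure_rate": failures / total if total else 0.0,
            "max_ok_ms": max_ms.get("ok", 0),
            "max_fail_ms": max((v for k, v in max_ms.items() if k != "ok"), default=0)}


if __name__ == "__main__":
    # "probe N" runs N live probes one minute apart (as the reporter's cron did);
    # otherwise the constructed sample log is summarised.
    if len(sys.argv) == 3 and sys.argv[1] == "probe":
        for _ in range(int(sys.argv[2])):
            ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            print(format_log_line(ts, *probe_once(debug_level=1)), flush=True)
            time.sleep(60)
    else:
        print(summarise(SAMPLE_LOG))
```

Redirect the probe output to a file and feed it back through summarise() after a day; a failure class whose worst latency equals the timeout suggests a hung handshake, whereas failures that return in a few milliseconds, as in the sample, point at an immediate rejection or reset that the level-1 libldap trace kept in the detail field should show.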
