python-ldap hanging for 15 minutes under certain conditions
Hi

I'm trying to do a search against Samba 4's LDAP server and it works,
but the bind and search are both successful, everything hangs when I
try to unbind from the LDAP server. If anyone could enlighten me I
would be grateful.

I've run into the same issue on various different Linux machines with
a range of OpenLDAP and python-ldap versions, but it seems to work
fine on a Mac running Leopard.

e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
python-ldap 2.3.10-1ubuntu1.

I've also tried upgrading python-ldap to 2.3.12, but that does not
seem to have helped.

import logging

import ldap
import ldap.dn
import ldap.filter

def test(username, password):
    base = "DC=example,DC=com"
    userbase = "CN=Users," + base
    # Escape the user-supplied name before building the bind DN
    userdn = "CN=%s,%s" % (ldap.dn.escape_dn_chars(username), userbase)
    ldap_server = "ldap://example.com"
    conn = ldap.initialize(ldap_server)
    conn.set_option(ldap.OPT_REFERRALS, 0) # Doesn't appear to make a difference
    conn.start_tls_s()
    try:
        conn.simple_bind_s(userdn, password)
        logging.debug("Bind succeeded for '%s'", username)
    except ldap.LDAPError as e:
        logging.warning("Authentication failed for '%s'", username)
        return False
    # Escape the DN before placing it in the search filter
    member_filter = "(member=%s)" % ldap.filter.escape_filter_chars(userdn)
    res = conn.search_s("CN=Some Group,CN=Users,DC=bluebird,DC=co,DC=za",
                        ldap.SCOPE_BASE, filterstr=member_filter,
                        attrlist=["member"])
    if len(res) != 1:
        logging.debug("User '%s' is not in the Some Group group", username)
        conn.unbind()
        return False
    logging.debug("User '%s' appears to be in the Some Group group", username)
    conn.unbind() # <- hangs here for 15 minutes.
    logging.debug("Unbound.")
    return True

--
Michael Wood
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
Re: python-ldap hanging for 15 minutes under certain conditions
On 02/03/2011 04:34 AM, Michael Wood wrote:
> Hi
>
> I'm trying to do a search against Samba 4's LDAP server and it works,
> but the bind and search are both successful, everything hangs when I
> try to unbind from the LDAP server. If anyone could enlighten me I
> would be grateful.
>
> I've run into the same issue on various different Linux machines with
> a range of OpenLDAP and python-ldap versions, but it seems to work
> fine on a Mac running Leopard.
>
> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
> python-ldap 2.3.10-1ubuntu1.
>
> I've also tried upgrading python-ldap to 2.3.12, but that does not
> seem to have helped.
Try enabling ldap debug logging - before the first call to
ldap.initialize, add this:
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)
> def test(username, password):
>     base = "DC=example,DC=com"
>     userbase = "CN=Users," + base
>     userdn = "CN=%s,%s" % (username, userbase)
>     ldap_server = "ldap://example.com";
>     conn = ldap.initialize(ldap_server)
>     conn.set_option(ldap.OPT_REFERRALS, 0) # Doesn't appear to make a difference
>     conn.start_tls_s()
>     try:
>         conn.simple_bind_s(userdn, password)
>         logging.debug("Bind succeeded for '%s'", username)
>     except ldap.LDAPError, e:
>         logging.warn("Authentication failed for '%s'", username)
>         return False
>     res = conn.search_s("CN=Some Group,CN=Users,DC=bluebird,DC=co,DC=za",
>                         ldap.SCOPE_BASE, filterstr="(member=%s)" % userdn,
>                         attrlist=["member"])
>     if len(res) != 1:
>         logging.debug("User '%s' is not in the Some Group group", username)
>         conn.unbind()
>         return False
>     logging.debug("User '%s' appears to be in the Some Group group",
>                   username)
>     conn.unbind() #<- hangs here for 15 minutes.
>     logging.debug("Unbound.")
>     return True
>
Re: python-ldap hanging for 15 minutes under certain conditions
Hi

On 3 February 2011 18:16, Rich Megginson wrote:
> On 02/03/2011 04:34 AM, Michael Wood wrote:
>> Hi
>>
>> I'm trying to do a search against Samba 4's LDAP server and it works,
>> but the bind and search are both successful, everything hangs when I
>> try to unbind from the LDAP server. If anyone could enlighten me I
>> would be grateful.
>>
>> I've run into the same issue on various different Linux machines with
>> a range of OpenLDAP and python-ldap versions, but it seems to work
>> fine on a Mac running Leopard.
>>
>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>> python-ldap 2.3.10-1ubuntu1.
>>
>> I've also tried upgrading python-ldap to 2.3.12, but that does not
>> seem to have helped.
> Try enabling ldap debug logging - before the first call to
> ldap.initialize, add this:
> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)

Thanks for the suggestion. I'll give it a try tomorrow.

In the meantime, someone pointed me at this:

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6673&selectid=6673&usearchives=1

It did not seem to match my situation because it talks about broken
TCP connections:

"When a network connection to the LDAP server fails (is severed with
iptables in my set-up)"

But I thought it was worth a try to recompile OpenLDAP and link with
OpenSSL instead of GnuTLS.

After doing that, the problem went away!

So this seems not to have anything to do with python-ldap.

--
Michael Wood
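Since the fix reported above came down to which TLS library libldap was linked against, here is one way to check that on a Linux host. This is an added example, not code from the thread: the sample outputs are constructed, and the `_ldap` extension module name and the availability of `ldd` and `readelf` are assumptions.

```python
import re
import subprocess

# Constructed sample of `readelf -d` output for a libldap build (not from a real host).
SAMPLE_READELF = """\
Dynamic section at offset 0x4a000 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [liblber-2.4.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libsasl2.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libgnutls.so.26]
 0x000000000000000e (SONAME)             Library soname: [libldap_r-2.4.so.2]
"""
# Constructed sample of `ldd` output for python-ldap's C extension.
SAMPLE_LDD = """\
\tlibldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f0000200000)
\tliblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f0000100000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000000000)
"""

TLS_LIBS = {  # soname prefixes of the TLS libraries OpenLDAP 2.4 can be built with
    "gnutls": re.compile(r"libgnutls\.so"),
    "openssl": re.compile(r"libssl\.so"),
    "nss": re.compile(r"libssl3\.so"),
}

def libldap_path(ldd_output):
    """Path of the libldap the extension resolves to, or None."""
    m = re.search(r"^\s*libldap\S*\s+=>\s+(/\S+)", ldd_output, re.M)
    return m.group(1) if m else None

def direct_needed(readelf_output):
    """Sonames from NEEDED entries only, i.e. direct link-time dependencies."""
    return re.findall(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]", readelf_output)

def tls_backends(readelf_output):
    """TLS libraries libldap links directly; more than one is unexpected."""
    return sorted(name for name, pat in TLS_LIBS.items()
                  if any(pat.match(so) for so in direct_needed(readelf_output)))

def run(cmd):
    return subprocess.check_output(cmd).decode("utf-8", "replace")

if __name__ == "__main__":
    import _ldap  # assumption: python-ldap's C extension module is importable
    lib = libldap_path(run(["ldd", _ldap.__file__]))
    print(lib, tls_backends(run(["readelf", "-d", lib])) if lib else "libldap not found")
```

Reading only the NEEDED entries of libldap avoids false matches from transitive dependencies, which `ldd` would also list.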
Re: python-ldap hanging for 15 minutes under certain conditions
Michael Wood wrote:
> On 3 February 2011 18:16, Rich Megginson wrote:
>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>> python-ldap 2.3.10-1ubuntu1.
> [..]
> But I thought it was worth a try to recompile OpenLDAP and link with
> OpenSSL instead of GnuTLS.
>
> After doing that, the problem went away!

That was my first idea when I read that you're using Ubuntu (based on Debian).
There have been so many issues with OpenLDAP linked with GnuTLS during the
last years. I really wonder why the Debian folks force everybody to use this.
IMO that's a major issue with Debian.

Ciao, Michael.
Re: python-ldap hanging for 15 minutes under certain conditions
Hi

2011/2/3 Michael Ströder:
> Michael Wood wrote:
>> On 3 February 2011 18:16, Rich Megginson wrote:
>>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>>> python-ldap 2.3.10-1ubuntu1.
>> [..]
>> But I thought it was worth a try to recompile OpenLDAP and link with
>> OpenSSL instead of GnuTLS.
>>
>> After doing that, the problem went away!
>
> That was my first idea when I read that you're using Ubuntu (based on Debian).
> There have been so many issues with OpenLDAP linked with GnuTLS during the
> last years. I really wonder why the Debian folks force everybody to use this.
> IMO that's a major issue with Debian.

OK, well, next time I'll know. I suppose it's one way to get GnuTLS
to improve :)

The strange thing is that ldapsearch on the command line did not have
the same problem.

Thanks.

--
Michael Wood
Re: python-ldap hanging for 15 minutes under certain conditions
On 04/02/11 03:31, Michael Ströder wrote:
> Michael Wood wrote:
>> On 3 February 2011 18:16, Rich Megginson wrote:
>>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>>> python-ldap 2.3.10-1ubuntu1.
>> [..]
>> But I thought it was worth a try to recompile OpenLDAP and link with
>> OpenSSL instead of GnuTLS.
>>
>> After doing that, the problem went away!
>
> That was my first idea when I read that you're using Ubuntu (based on Debian).
> There have been so many issues with OpenLDAP linked with GnuTLS during the
> last years. I really wonder why the Debian folks force everybody to use this.
> IMO that's a major issue with Debian.

Debian uses GnuTLS because OpenSSL has the non-GPL compatible
advertising clause, and libldap is linked into many GPL applications. So
the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I
have no hope of either occurring.

James Andrewartha
Re: python-ldap hanging for 15 minutes under certain conditions
On 4 February 2011 08:32, James Andrewartha wrote:
> On 04/02/11 03:31, Michael Ströder wrote:
>> Michael Wood wrote:
>>> On 3 February 2011 18:16, Rich Megginson wrote:
>>>> On 02/03/2011 04:34 AM, Michael Wood wrote:
>>>>> e.g. Ubuntu Lucid Lynx with libldap2-dev version 2.4.21-0ubuntu5.3 and
>>>>> python-ldap 2.3.10-1ubuntu1.
>>> [..]
>>> But I thought it was worth a try to recompile OpenLDAP and link with
>>> OpenSSL instead of GnuTLS.
>>>
>>> After doing that, the problem went away!
>>
>> That was my first idea when I read that you're using Ubuntu (based on
>> Debian).
>> There have been so many issues with OpenLDAP linked with GnuTLS during the
>> last years. I really wonder why the Debian folks force everybody to use this.
>> IMO that's a major issue with Debian.
>
> Debian uses GnuTLS because OpenSSL has the non-GPL compatible
> advertising clause, and libldap is linked into many GPL applications. So

Ah, good point.

> the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I

Or switch to something else.

> have no hope of either occurring.

I understand your lack of hope wrt. the licensing situation and I
suppose switching to another SSL/TLS library is unlikely at this
point. I do hold out some hope that issues like this in GnuTLS (or in
the software using GnuTLS?) can get fixed, though.

--
Michael Wood
