-
Bug
-
Resolution: Done-Errata
-
Major
-
rhel-8.8.0.z
-
None
-
None
-
rhel-sst-idm-ds
-
ssg_idm
-
0
-
QE ack
-
False
-
-
None
-
None
-
None
Upstream issue: https://github.com/389ds/389-ds-base/issues/6096
What were you trying to do that didn't work?
After upgrading IPA packages, customer is noticing more LDAP connections getting closed with closed IO timeout (nsslapd-ioblocktimeout) - T2
The weird thing is that these connections were closed by the server way before the IOblock timeout would normally kick out.
In the following log excerpt, the connection was closed after ~2 seconds while the IOblock timeout is set at 10 seconds:
$ grep "conn=81714 " access [10/Nov/2023:11:36:28.008537037 +0100] conn=81714 fd=1207 slot=1207 connection from <CLIENT_IP> to <SERVER_IP> [10/Nov/2023:11:36:28.009761098 +0100] conn=81714 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci" [10/Nov/2023:11:36:28.011306146 +0100] conn=81714 op=0 RESULT err=0 tag=101 nentries=1 wtime=0.000295198 optime=0.001545429 etime=0.001839160 [10/Nov/2023:11:36:28.104657885 +0100] conn=81714 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [10/Nov/2023:11:36:29.716857610 +0100] conn=81714 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000077784 optime=1.612214193 etime=1.612290895, SASL bind in progress [10/Nov/2023:11:36:29.723828025 +0100] conn=81714 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [10/Nov/2023:11:36:29.960137105 +0100] conn=81714 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000093647 optime=0.236313819 etime=0.236405865, SASL bind in progress [10/Nov/2023:11:36:29.961984390 +0100] conn=81714 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI [10/Nov/2023:11:36:29.963229265 +0100] conn=81714 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000083632 optime=0.001250999 etime=0.001333229 dn="fqdn=<HOSTNAME>,cn=computers,cn=accounts,dc=example,dc=com" [10/Nov/2023:11:36:29.967481904 +0100] conn=81714 op=4 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=<HOSTNAME>))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID" [10/Nov/2023:11:36:29.969232470 +0100] conn=81714 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.002685963 optime=0.001752500 etime=0.004436367 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [10/Nov/2023:11:36:29.975709236 +0100] conn=81714 op=5 SRCH base="fqdn=<HOSTNAME>,cn=computers,cn=accounts,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID" [10/Nov/2023:11:36:29.984908676 +0100] conn=81714 op=-1 fd=1207 closed IO timeout (nsslapd-ioblocktimeout) - T2 $ $ grep ioblocktimeout <SOS_REPORT>/etc/dirsrv/slapd-<INSTANCE>/dse.ldif nsslapd-ioblocktimeout: 10000 $
Please provide the package NVR for which bug is seen:
$ cat <SOS_REPORT>/etc/redhat-release Red Hat Enterprise Linux release 8.8 (Ootpa) $ $ egrep "^ipa|389-ds" <SOS_REPORT>/installed-rpms 389-ds-base-1.4.3.35-2.module+el8.8.0+19693+b24f535c.x86_64 Sun Oct 22 18:08:45 2023 389-ds-base-legacy-tools-1.4.3.35-2.module+el8.8.0+19693+b24f535c.x86_64 Sun Oct 22 18:09:53 2023 389-ds-base-libs-1.4.3.35-2.module+el8.8.0+19693+b24f535c.x86_64 Sun Oct 22 18:08:43 2023 ipa-client-4.9.11-7.module+el8.8.0+19639+24a8b95c.x86_64 Sun Oct 22 18:08:48 2023 ipa-client-common-4.9.11-7.module+el8.8.0+19639+24a8b95c.noarch Sun Oct 22 18:06:57 2023 ipa-common-4.9.11-7.module+el8.8.0+19639+24a8b95c.noarch Sun Oct 22 18:07:34 2023 ipa-healthcheck-0.12-1.module+el8.8.0+17582+6bf5bf91.noarch Sun Jun 11 13:40:11 2023 ipa-healthcheck-core-0.12-1.module+el8.8.0+17582+6bf5bf91.noarch Sun Jun 11 13:36:58 2023 ipa-selinux-4.9.11-7.module+el8.8.0+19639+24a8b95c.noarch Sun Oct 22 18:06:59 2023 ipa-server-4.9.11-7.module+el8.8.0+19639+24a8b95c.x86_64 Sun Oct 22 18:09:41 2023 ipa-server-common-4.9.11-7.module+el8.8.0+19639+24a8b95c.noarch Sun Oct 22 18:09:40 2023 ipa-server-dns-4.9.11-7.module+el8.8.0+19639+24a8b95c.noarch Sun Oct 22 18:09:51 2023 $
How reproducible:
At customer site.
Steps to reproduce
Issue was seen under normal operations with a large IPA deployment.
Expected results
Connections should not get closed by the server before the timeout has elapsed.
Actual results
Connections are getting closed before the IOblock timeout is over.
- links to
-
RHSA-2024:132654 389-ds-base security, bug fix
- mentioned on