Ldap searches don't seem to honour connect_timeout

[Matthew Newton]

On Wed, May 11, 2016 at 11:43:22AM -0400, Alan DeKok wrote:
> On May 11, 2016, at 11:31 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
> > 
> > Just for reference, it seems ubuntu have taken a decision to use GnuTLS for tls encryption over openSSL due to licensing worries - see the top paragraph of this:
> > https://help.ubuntu.com/community/GnuTLS
> 
>   Ugh.  The problem is that they're just not compatible.

I believe it's been Debian policy for years to use GnuTLS over
OpenSSL if the application has support for it.

The OpenSSL licence issue is so annoying.


> > so.. anyone seeking to compile Freeradius from scratch and using ldap will be using some bits compiled with GnuTLS intead of openSSL. For me this seems to be some lack of support for certain freeradius ldap options in the configuration, and lack of debugging options working.
> 
>   Ubuntu is welcome to submit patches which allow FreeRADIUS to build with GnuTLS.  Until then, FreeRADIUS will be broken on their platform, because they broke it.

Hmm, this got me digging... it didn't help that we hit an ldap
problem today (which is a weird one, caused by a group getting too
big - it may be related to this, I'm still digging).

It turns out Debian is also linked against gnutls.

However, having run with ldap code for ages, apart from today,
things have generally been solid.

Not saying libldap linked against gnutls is perfect, but given our
experience and the queries on this list, it seems to be more
stable than when linked against nss.

If I get time I'll compile libldap against openssl and see if that
fixes the issue we've seen today. In which case it'll be one case
against gnutls as well.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>