Bugzilla – Bug 316
sudo command hangs 225sec before response if main Directory server stopped
Last modified: 2008-11-25 12:51:20 MST
We have sudo 1.6.8p12 configured with LDAP and PAM. We have 4 replicated directory servers and about 500 clients (Solaris 8, Solaris 10, Redhat 4.5). If the first Directory Server fails, ssh authentication is correct but the response of the sudo command arrives after 225 seconds (45 retries of 5 seconds), the time to contact the second Directory server. If the slapd of the first Directory server is stopped, ssh authentication and sudo response are fine. We tried to set different time limit parameters in ldap.conf but have the same problem. Do you have a solution? Tks Myriam WALTER
Please try the latest version of sudo, 1.6.9p18. A number of LDAP fixes were made in the 1.6.9 releases. You should also try setting the bind_timelimit and timelimit options in ldap.conf if you have not already done so.
Hello, We tried to change the bind_timelimit and timelimit options in ldap.conf without success. We opened bugs at SUN support and Redhat support. SUN told us to use a "load balancer" but we would need to review our architecture. We found this incident: http://www.nabble.com/client-timeout-td17762669.html - it seems to be resolved with OpenLDAP 2.4. We tried to configure the new version sudo 1.6.9p18 with OpenLDAP 2.4 without success:
    ./configure --with-audit=bsm --with-pam --with-ldap=/usr --sysconfdir=/usr/local/etc --with-ldap-conf-file=/usr/local/etc/ldap.conf
    ....
    BIO_set_flags /usr/local/lib/libldap.so
    BIO_clear_flags /usr/local/lib/libldap.so
    ber_set_option ldap.o (symbol belongs to implicit dependency /usr/local/lib/liblber-2.4.so.2)
    SSL_CTX_set_info_callback /usr/local/lib/libldap.so
    ld: fatal: Symbol referencing errors. No output written to sudo
    collect2: ld returned 1 exit status
    *** Error code 1
    make: Fatal error: Command failed for target `sudo'
We decided to contact you to know if you have an idea to resolve this problem. We have "OPENLDAP 2.3.21" on our Solaris customer and "openldap-clients-2.2.13-7.4E" on Redhat. Is sudo 1.6.9p18 compatible with our LDAP versions? Are our configure options OK? I had a look at ldap.c in the new sudo version and I see you have a lot of updates related to ldap.conf, but I need to know if we can compile with OpenLDAP 2.3. Tks for help Myriam WALTER
You can try adding -llber and -lssl to SUDO_LIBS in the Makefile and see if that resolves the issue.
Hello, We tested the last version and modified the ldap.conf time limit parameters; it works well. Tks for help Myriam