[rhelv6-list] Intermittent Mozilla NSS/LDAP client failures in PHP

Rich Graves rgraves at carleton.edu
Thu Sep 8 12:13:56 UTC 2011


Server running Moodle 1.9 on fully patched RHEL 6.1.

From time to time, a specific Apache child process loses the ability to connect to any LDAP server over SSL. It is not clear how processes get into this state (lsof, and adding %P %k %T %X to LogFormat, show no obvious differences), but once they do, all attempts to reach ldaps:// URLs via either ldap_connect/ldap_bind or curl_init/curl_exec from that specific httpd child process fail.

Reducing Apache MaxRequestsPerChild (currently at 200) appears to reduce the incidence of this problem, but it never goes away entirely. apachectl graceful appears to stop it for a while.

ldapserver1 and ldapserver2 are most certainly up, actively serving other clients with no resource constraints. Capturing network traffic, we see a completed 3-way handshake, then an immediate FIN from the client with no data pushed. If I run passthru("/usr/bin/ldapsearch -x -LLL -H ldaps://ldapserver1.com ou=People") in the same PHP script where ldap_bind and curl_init("ldaps://") fail, only the external ldapsearch binary succeeds.

In PHP, jacking up ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7) results in the PHP error log output below, suggesting that the problem is in moznss, or the OpenLDAP linkage thereto.

What else can I do here?

ldap_create
ldap_url_parse_ext(ldaps://ldapserver1.com/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver1.com:636
ldap_new_socket: 25
ldap_prepare_socket: 25
ldap_connect_to_host: Trying 172.20.9.5:636
ldap_pvt_connect: fd: 25 tm: 20 async: 0
ldap_ndelay_on: 25
ldap_int_poll: fd: 25 tm: 20
ldap_is_sock_ready: 25
ldap_ndelay_off: 25
ldap_pvt_connect: 0
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
ldap_err2string
ldap_err2string
ldap_create
ldap_url_parse_ext(ldaps://ldapserver2.com/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver2.com:636
ldap_new_socket: 25
ldap_prepare_socket: 25
ldap_connect_to_host: Trying 172.20.9.6:636
ldap_pvt_connect: fd: 25 tm: 20 async: 0
ldap_ndelay_on: 25
ldap_int_poll: fd: 25 tm: 20
ldap_is_sock_ready: 25
ldap_ndelay_off: 25
ldap_pvt_connect: 0
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
ldap_err2string


Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
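A per-request probe script, added here as an example and not part of the original post, that exercises the three paths the post compares (in-process ldap_bind, in-process curl against an ldaps:// URL, and the external ldapsearch binary) from inside one httpd child and tags each result with that child's PID so it can be correlated with the %P field in the Apache LogFormat. The base DN, timeout values and the "ldapprobe" log tag are placeholders; the two host URIs and the ldapsearch flags are the ones from the post. Written for the PHP 5.3 shipped with RHEL 6, so no short array syntax or scalar type hints.

```php
<?php
// Added diagnostic example (not from the original post). Run it as a normal
// request through httpd, then grep the PHP error log for "ldapprobe" and group
// by pid: a child that reports ldap_bind and curl failing while the external
// ldapsearch succeeds is one of the affected processes described in the post.

$hosts  = array('ldaps://ldapserver1.com', 'ldaps://ldapserver2.com'); // from the post
$baseDn = 'ou=People';   // placeholder base DN
$pid    = getmypid();    // httpd child PID, matches %P in LogFormat

// Same libldap client-side debug level as the post; output goes to the PHP error log.
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);

// Path 1: PHP's bundled libldap + moznss, via ldap_connect/ldap_bind.
function probe_php_ldap($uri)
{
    $ld = ldap_connect($uri);               // lazy: no socket is opened yet
    if ($ld === false) {
        return 'ldap_connect failed';
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_NETWORK_TIMEOUT, 5);   // placeholder timeout
    // An anonymous bind is enough: the TLS handshake happens before any bind data,
    // which is where the post's trace fails ("can't create ssl handle").
    if (@ldap_bind($ld) === false) {
        return 'ldap_bind failed: ' . ldap_error($ld);
    }
    ldap_unbind($ld);
    return 'ok';
}

// Path 2: PHP's curl extension against the same ldaps:// URL.
function probe_php_curl($uri, $baseDn)
{
    $ch = curl_init($uri . '/' . $baseDn . '?dn?base');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);               // placeholder timeout
    $out = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    return ($out === false) ? 'curl_exec failed: ' . $err : 'ok';
}

// Path 3: the standalone ldapsearch binary, which the post reports still works
// from a child whose in-process paths fail. Same flags as the post's passthru().
function probe_external_ldapsearch($uri, $baseDn)
{
    $cmd = sprintf('/usr/bin/ldapsearch -x -LLL -H %s -b %s -s base dn 2>&1',
                   escapeshellarg($uri), escapeshellarg($baseDn));
    exec($cmd, $lines, $rc);
    return ($rc === 0) ? 'ok' : 'exit ' . $rc . ': ' . implode(' ', $lines);
}

foreach ($hosts as $uri) {
    $results = array(
        'php-ldap'   => probe_php_ldap($uri),
        'php-curl'   => probe_php_curl($uri, $baseDn),
        'ldapsearch' => probe_external_ldapsearch($uri, $baseDn),
    );
    foreach ($results as $path => $res) {
        // One line per path so each request is easy to group by pid afterwards.
        error_log(sprintf('ldapprobe pid=%d uri=%s path=%s result=%s',
                          $pid, $uri, $path, $res));
    }
}
```

Because the failure is per-process rather than per-server, the useful signal is the pid: once a child logs ldap_bind and curl failures for both hosts while ldapsearch succeeds, that child can be killed (or the pid compared against the MaxRequestsPerChild counter) rather than restarting the whole server with apachectl graceful.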