[SERVER-43763] Figure out if global LDAP synchronization can be disabled when libldap is built with OpenSSL. Created: 02/Oct/19  Updated: 29/Oct/23  Resolved: 19/Nov/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.2.4, 4.3.2, 4.0.18

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
Backwards Compatibility: Fully Compatible
Backport Requested:
v4.2, v4.0
Sprint: Security 2019-11-04, Security 2019-11-18, Security 2019-12-02
Participants:
Case:

Description

RHEL7.5 ships a libldap backed by OpenSSL instead of NSS. This may mitigate the concurrency issues which drove us to libldap_r. This suggests that libldap.so may be viable again. However, it may not advertise the thread safety flags which we rely upon to enable or disable global synchronization around libldap calls.

We should investigate whether we can dynamically detect the underlying TLS implementation underneath libldap, and use that information to toggle synchronization.



Comments
Comment by Githook User [ 19/Mar/20 ]

Author:

{'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto', 'username': 'markbenvenuto'}

Message: SERVER-43763 Add a set parameter to force multi-thread mode

(cherry picked from commit 96c2a4f4b3be80146610a787ba4331e32042bf72)
(cherry picked from commit f7035629809bfe5511b5259b32efdc0fec520f33)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/5e927782b9b6a0af533bc44bf492145673ebd693

Comment by Githook User [ 04/Mar/20 ]

Author:

{'name': 'Mark Benvenuto', 'username': 'markbenvenuto', 'email': 'mark.benvenuto@mongodb.com'}

Message: SERVER-43763 Add a set parameter to force multi-thread mode

(cherry picked from commit 96c2a4f4b3be80146610a787ba4331e32042bf72)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/47db7763c201e6bd4885677e31dff9c1cdc9ab61

Comment by Githook User [ 19/Nov/19 ]

Author:

{'username': 'markbenvenuto', 'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto'}

Message: SERVER-43763 Add a set parameter to force multi-thread mode
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/96c2a4f4b3be80146610a787ba4331e32042bf72

Comment by Mark Benvenuto [ 08/Nov/19 ]

Spencer and I discussed this change. We decided to go with a different approach and allow users to opt in to getting thread safety instead via a setParameter on non-thread safe versions of OpenLDAP.

The stability and performance of OpenLDAP is dependent on whether the _r.so version is used and what SSL provider is chosen (OpenSSL vs Mozilla NSS). Mozilla NSS is known to crash in the non-thread safe version. OpenSSL in the thread safe version is known to have performance issues (since it overrides OpenSSL's lock callbacks).

We are unsure of the stability of OpenSSL with OpenLDAP in the non-thread safe version. But we want to provide users with a flag to override our default behavior to experiment.

Overview of which distros use which SSL provider with OpenLDAP:

Distros        SSL Provider            Notes
Debian         OpenSSL
Ubuntu         OpenSSL
Suse           OpenSSL
Amazon 1       MozNSS                  see RHEL 6
Amazon 2       MozNSS/OpenSSL Compat   see RHEL >= 7.5
RHEL 6         MozNSS
RHEL < 7.5     MozNSS
RHEL >= 7.5    MozNSS/OpenSSL Compat
RHEL 8         OpenSSL

MozNSS/OpenSSL Compat - is a special mode Red Hat added in RHEL 7.5 and only exists in the RHEL 7.5+ line.


Matrix of TLS Providers:

TLS Provider   Category        Thread Safe Version (i.e. _r)   Non-Thread Safe Version
MozNSS         ASIO SSL Perf   No Effect                       No Effect
               Known Crashes   No                              Yes
OpenSSL        ASIO SSL Perf   Negative Performance Effect     No Effect
               Known Crashes   No                              Unknown

Comment by Mark Benvenuto [ 25/Oct/19 ]

As part of https://bugzilla.redhat.com/show_bug.cgi?id=1400570, OpenLDAP was switched from Mozilla NSS to OpenSSL+MozNSS compat. This change was consumed as part of RHEL 7.5. For RHEL 8.0, this change was removed and openldap switched completely to OpenSSL. Also, this change was not backported to RHEL 6.x.

 

This change was first made to Fedora 19 and as part of this change, they added new compile and runtime flags to support their MozNSS compat (i.e. --enable-moznss-compatibility). They also extended ldap_get_option with a new flag named LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY. This flag only exists on RHEL 7.5 and later. It does not exist in RHEL 8.x.

 

We could change OpenLDAPConnection::isThreadSafe to return true if LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY exists at compile time and is enabled at runtime. This change would only have this effect on RHEL 7 and no other platform, reducing the risk.

 

spencer.jackson, do you want me to special case RHEL 7 with this information?
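The compile-time/runtime detection proposed in this comment, placed next to the opt-in flag the ticket eventually shipped, as an added example (not code from the ticket or from the MongoDB code base). The `LdapBuildInfo` struct, the free-function names, the `__has_include` guard and the assumption that the option yields an `int` (0 = disabled) are mine; the real set parameter name is not on the ticket, so it is modelled as a plain bool. On a failed probe the code keeps the global lock, since a non-_r MozNSS build is the known-crashing case.

```cpp
#if __has_include(<ldap.h>)
#include <ldap.h>  // defines LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY only on RHEL 7.5+ builds
#endif

// Which libldap flavour the process was linked against (values supplied by the caller;
// hypothetical struct, not a MongoDB type).
struct LdapBuildInfo {
    bool reentrantLibrary;     // true for libldap_r.so, false for plain libldap.so
    bool moznssCompatEnabled;  // RHEL 7.5+ OpenSSL-backed "MozNSS compat" mode active
};

// Runtime probe for the RHEL 7.5+ compat flag. The #ifdef keeps this a no-op on every
// platform whose ldap.h lacks the option. Assumption: the option is read as an int.
inline bool probeMoznssCompat() {
#ifdef LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY
    int enabled = 0;
    if (ldap_get_option(nullptr, LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY, &enabled) != LDAP_OPT_SUCCESS)
        return false;  // probe failed: report "not in compat mode" so the global lock stays on
    return enabled != 0;
#else
    return false;
#endif
}

// Thread-safety verdict as proposed above: the _r build is safe, and a non-_r build is
// also treated as safe only when the OpenSSL-backed compat mode was detected.
inline bool isThreadSafe(const LdapBuildInfo& info) {
    return info.reentrantLibrary || info.moznssCompatEnabled;
}

// Final decision: serialise every libldap call behind the global mutex unless the library
// is judged thread safe or the operator opted in via the force-multi-thread set parameter.
inline bool needsGlobalSynchronization(const LdapBuildInfo& info, bool forceMultiThreadMode) {
    if (forceMultiThreadMode) return false;  // operator accepts the risk explicitly
    return !isThreadSafe(info);
}
```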
