IO17944: TDS ldap_result() API times out prematurely

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • TDS LDAP client times out before the actual timeout value
    specified in the search request. Specifically, the ldap_result()
    API with both a timeout value and LDAP_MSG_ALL option may
    timeout prematurely.
    
    The behavior has been observed using the AIX lsuser command when
    requesting group membership of users.
    
    Executing the following sequence may sometimes return incomplete
    results.
    
        flush-secldapclntd
        lsuser -a groups <username>
    
    For example:
    
        > flush-secldapclntd
        > lsuser -a groups nolmr
        nolmr groups=usr
        ( Above output shows incomplete group list for the user )
    
        > flush-secldapclntd
        > lsuser -a groups nolmr
        nolmr
        groups=usr,dgaakmo3,dgaakmo2,dgassig1,pgabbig3,pgabbg2...etc
        ( Above output show complete group list for the user )
    
    In above case, the default timeout value for LDAP client is set
    to 60 seconds but connection gets closed prematurely.
    

Local fix

  • Set LDAP client timeout value to unlimited (i.e.: 0)
    

Problem summary

  • The empty search result, and closing of the connection to the
    LDAP server, is due to a problem in the calculation of time-
    remaining, while waiting for all of the search entries to be
    returned. The time-remaining calculation is performed whenever
    there are delays between any of the search entries, which
    requires waiting for the next entry. Occasionally, the
    calculation of time-remaining will return a negative usec value,
    which will cause any wait-with-timeout routine, such as
    select(), to fail due to an invalid timeout value.
    

Problem conclusion

  • The fix for this APAR will be contained in the following
    maintenance packages:
    | interim fix | 6.1.0.57-ISS-ITDS-IF0057 |
    

Temporary fix

Comments

APAR Information

  • APAR number

    IO17944

  • Reported component name

    IBM TIV DIR SER

  • Reported component ID

    5724J3960

  • Reported release

    610

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-01-18

  • Closed date

    2013-06-29

  • Last modified date

    2013-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IO19089 IO19091

Fix information

  • Fixed component name

    IBM TIV DIR SER

  • Fixed component ID

    5724J3960

Applicable component levels

  • R610 PSY

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Security Directory Server
General

Software version:

610

Reference #:

IO17944

Modified date:

2013-06-29

Translate my page

Machine Translation

Content navigation