Bug#378261: [Pkg-openldap-devel] Bug#378261: slapd fails under heavy load due to descriptor limit

[Chris Adams]

On 2006-07-16, at 6:16 PM, Quanah Gibson-Mount wrote:
> If the debian build links against tcp wrappers, that may be the  
> actual problem.  This is rather well discussed on the OpenLDAP  
> archives.

I couldn't find much which seemed relevant in the archives but I've  
confirmed that this is not the problem by rebuilding slapd with -- 
disable-wrappers (verified with ldd) and confirming that the same  
trivial DoS exists:

#!/usr/bin/perl -w

use strict;
use Socket;

my $sockaddr = sockaddr_in(389, inet_aton("ldap"));
my $proto = getprotobyname('tcp');
my @Sockets;

for (my $n = 0; $n < 4096; $n++) {
         socket($Sockets[$n], PF_INET, SOCK_STREAM, $proto) or die 
("Couldn't create socket $n: $!");
         connect($Sockets[$n], $sockaddr) or die("Couldn't connect  
socket #$n: $!");
         print "$n\n";
}

Rebuilding slapd after making the following addition to debian/rules  
successfully raises the limit:
CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -DOPENLDAP_FD_SETSIZE=8192 - 
DFD_SETSIZE=8192

At this point the DoS script no longer works - suggesting that this  
should become part of the default build since the failure mode is  
severe with e.g. pam-ldap.

Chris

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2359 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20060928/2d452783/smime.bin