Bug#378261: [Pkg-openldap-devel] Bug#378261: slapd fails under heavy
load due to descriptor limit
Quanah Gibson-Mount
quanah at stanford.edu
Thu Sep 28 20:11:17 UTC 2006
--On Thursday, September 28, 2006 11:49 AM -0700 Chris Adams
<cadams at salk.edu> wrote:
> Rebuilding slapd after making the following addition to
> debian/rules successfully raises the limit:
> CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -DOPENLDAP_FD_SETSIZE=8192 -DFD_SETSIZE=8192
>
> At this point the DoS script no longer works - suggesting that this should
> become part of the default build since the failure mode is severe with
> e.g. pam-ldap.
Hi Chris,
I found that it was unnecessary to build OpenLDAP with the
OPENLDAP_FD_SETSIZE parameter set at all to get around this issue. In my
slapd startup script, I have:
# Bump up file descriptors to 4096
ulimit -n 4096
which is all that is necessary to allow slapd to use more file descriptors.
With this in place:
Sep 28 13:07:31 ldap-test2 slapd[3473]: fd=4095 DENIED from 171.64.11.148 (171.64.11.148)
Sep 28 13:07:31 ldap-test2 slapd[3473]: warning: cannot open /etc/hosts.allow: Too many open files
is where it fails.
If I change the ulimit to 1024, then it fails at:
Sep 28 13:09:59 ldap-test2 slapd[29388]: warning: cannot open /etc/hosts.allow: Too many open files
Sep 28 13:09:59 ldap-test2 slapd[29388]: error: bad option name: "171.64.11.148"
Sep 28 13:09:59 ldap-test2 slapd[29388]: fd=1023 DENIED from 171.64.11.148 (171.64.11.148)
So basically, this is something that can easily be overcome by the user if
they need to, and doesn't require any particular compile options on the
server's side. I don't really see this as any sort of DoS issue, but a user
configuration issue. But that's my 2c.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
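
Added example, not part of the original message or of the OpenLDAP/Debian packaging: a shell function that scans syslog for the failure signature shown in the message above ("Too many open files" together with "fd=N DENIED") and reports, per slapd PID, the highest descriptor seen and the descriptor limit that implies. The function names, host name and log lines are constructed for illustration, modelled on the log format in the message.

```shell
#!/bin/sh
# Added example. Reads syslog lines on stdin and prints one line per slapd PID
# that logged "Too many open files":
#   <pid> <highest fd seen> <EMFILE warnings> <inferred limit = highest fd + 1>
slapd_fd_exhaustion() {
    awk '
    match($0, /slapd\[[0-9]+\]/) {
        # PID is the digits between "slapd[" and "]"
        pid = substr($0, RSTART + 6, RLENGTH - 7)
        if (index($0, "Too many open files")) emfile[pid]++
        if (match($0, /fd=[0-9]+ /)) {
            fd = substr($0, RSTART + 3, RLENGTH - 4) + 0
            if (!(pid in maxfd) || fd > maxfd[pid]) maxfd[pid] = fd
        }
    }
    END {
        # Only PIDs that actually hit the descriptor limit are reported.
        for (pid in emfile) {
            if (pid in maxfd)
                printf "%s %d %d %d\n", pid, maxfd[pid], emfile[pid], maxfd[pid] + 1
            else
                printf "%s - %d -\n", pid, emfile[pid]
        }
    }' | sort -n
}

# Constructed sample input (documentation address 192.0.2.10, made-up host).
# PID 29400 is denied by hosts.allow policy but never runs out of descriptors,
# so it must not be reported.
sample_log() {
cat <<'EOF'
Sep 28 13:07:31 ldap-example slapd[3473]: fd=4095 DENIED from 192.0.2.10 (192.0.2.10)
Sep 28 13:07:31 ldap-example slapd[3473]: warning: cannot open /etc/hosts.allow: Too many open files
Sep 28 13:09:59 ldap-example slapd[29388]: warning: cannot open /etc/hosts.allow: Too many open files
Sep 28 13:09:59 ldap-example slapd[29388]: fd=1023 DENIED from 192.0.2.10 (192.0.2.10)
Sep 28 13:10:05 ldap-example slapd[29400]: fd=12 DENIED from 192.0.2.10 (192.0.2.10)
EOF
}

sample_log | slapd_fd_exhaustion
```

An inferred limit that matches the `ulimit -n` value in the startup script confirms which limit the process actually ran under.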