Bug#1021703: slapd crashes when too many clients connect in a short period of time.

Frank Menzel menzel at sipgate.de
Thu Oct 13 11:14:28 BST 2022


Package: slapd
Version: 2.4.57+dfsg-3+deb11u1
Severity: important

Dear Maintainer,

When many clients connect to a slapd in a short period of time, we
noticed two different versions of a crash:
   * slapd crashes with the following error:
     slapd: ../../../../servers/slapd/daemon.c:1957: slap_listener: \
      Assertion `SLAP_SOCK_NOT_ACTIVE( tid, sfd )' failed.
   * sometimes slapd does not crash, but transforms into a zombie state:
     * New connections are not accepted
     * some established connections seem to work, some don't
     * when sending a SIGTERM the process prints:
       slapd shutdown: waiting for 129 operations/tasks to finish
     * ...but it never stops and has to be killed by SIGKILL

We first observed this within our production environment. We created a
python script to stress the slapd and could reproduce the behaviour in
our DEV environment as well.
The script can be found here: https://paste.debian.net/hidden/dbf61b60/
We were able to reliably crash the slapd by running the script from 3 machines at
the same time.

   * What led up to the situation?
   We installed slapd in the following environment:
     * We use cn=config approach
     * We are using GSSAPI/kerberos auth with startTLS
     * Problem appears both on a slapd master and on a syncrepl host
     * Appears both with included init script and custom unitfile
     * openfiles limit for slapd has been raised to 16k
     * Loaded Modules: syncprov and back_mdb
     * We only modified/set the following settings:
       * olcSaslHost
       * olcSaslRealm
       * olcSaslSecProps
       * olcTLS*
     * Current slapd commandline (through systemd unitfile):
       * /usr/sbin/slapd -d0 -h ldap:/// ldapi:/// -g openldap \
          -u openldap -F /etc/ldap/slapd.d
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
     * Update to bullseye backports version behaves the same

-- System Information:
Debian Release: 11.5
  APT prefers stable-security
  APT policy: (550, 'stable-security'), (550, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-18-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages slapd depends on:
ii  adduser                     3.118
ii  coreutils                   8.32-4+b1
ii  debconf [debconf-2.0]       1.5.77
ii  libc6                       2.31-13+deb11u4
ii  libcrypt1                   1:4.4.18-4
ii  libdb5.3                    5.3.28+dfsg1-0.8
ii  libldap-2.4-2               2.4.57+dfsg-3+deb11u1
ii  libltdl7                    2.4.6-15
ii  libodbc1                    2.3.6-0.1+b1
ii  libperl5.32                 5.32.1-4+deb11u2
ii  libsasl2-2                  2.1.27+dfsg-2.1+deb11u1
ii  libwrap0                    7.6.q-31
ii  lsb-base                    11.1.0
ii  perl [libmime-base64-perl]  5.32.1-4+deb11u2
ii  psmisc                      23.4-2

Versions of packages slapd recommends:
ii  ldap-utils  2.4.57+dfsg-3+deb11u1

Versions of packages slapd suggests:
ii  libsasl2-modules                 2.1.27+dfsg-2.1+deb11u1
ii  libsasl2-modules-gssapi-heimdal  2.1.27+dfsg-2.1+deb11u1

-- Configuration Files:
/etc/default/slapd changed [not included]
/etc/ldap/schema/nis.ldif changed [not included]
/etc/ldap/schema/nis.schema changed [not included]

-- debconf information excluded


