Bug#1021703: slapd crashes when too many clients connect in a short period of time.
Rudolph Bott
bott at sipgate.de
Mon Oct 24 17:47:48 BST 2022
Hi Harald,
thank you for looking into this.
On Mon, Oct 24, 2022 at 4:36 PM Harald Welte <laforge at gnumonks.org> wrote:
> some miscellaneous questions that come to my mind after reading the bug
> report
>
> * if the slapd is hanging, what does a 'strace' on the PID of the slapd
> process tell you?
>
Unfortunatly I was not able to reproduce the 'hanging slapd' today, it
always crashed directly with the aforementioned assertion error.
* what is the rate of new client connections the triggers the problem for
> you (you can for example check the number of TCP SYN per second to the LDAP
> port via pcap file)?
>
If I have interpreted the tcpdump data correctly, the issue seems to hit
at around 200 connections per second, maybe less.
* can you reproduce the problem irrespective of GSSAPI/kerberos?
>
I tried to do so by manipulating the reproducer python script to use
anonymous bind (e.g. use con.bind_s('', '') instead of SASL interactive
bind). While crashing slapd reliably with two or three machines running the
script at the same time using GSSAPI auth, I could not get it to crash
using simple/anyonmous bind. It very well may have something to do with the
delays introduced by the GSSAPI handshake (e.g. DNS lookups for service/TXT
records, Kerberos communication etc.).
--
Rudolph Bott - bott at sipgate.de
Telefon: +49 (0)211-63 55 55-55
Telefax: +49 (0)211-63 55 55-22
sipgate GmbH - Gladbacher Str. 74 - 40219 Düsseldorf
HRB Düsseldorf 39841 - Geschäftsführer: Thilo Salmon, Tim Mois
Steuernummer: 106/5724/7147, Umsatzsteuer-ID: DE219349391
www.sipgate.de - www.sipgate.co.uk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-openldap-devel/attachments/20221024/4e227e5c/attachment.htm>
More information about the Pkg-openldap-devel
mailing list