Bug#1051349: slapd: DoS after some 'Too many open files'?
Patrice Duroux
patrice.duroux at gmail.com
Wed Sep 6 15:43:16 BST 2023
Package: slapd
Version: 2.5.13+dfsg-5
Severity: normal
Dear Maintainer,
This happens on one physical machine using a Debian Bookworm and only dedicated to NFS/LDAP services.
I never faced this before for years with Bullseye before upgrading to Bookworm.
Looking into log files there are the following messages:
[...]
2023-09-06T14:57:22.996591+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:57:22.996861+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T14:57:53.823167+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:57:53.823810+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T14:59:56.993514+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:59:56.994249+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T15:00:15.129483+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T15:00:15.129643+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T15:00:53.881436+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
2023-09-06T15:01:16.878910+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
2023-09-06T15:01:16.880305+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
[...]
During the DoS, 'systemctl status slapd' did not show me anything strange.
Restarting the service solved the trouble.
Are there some possible file closing leaks in slapd itself?
ulimit is unlimited in the default env of any root/user.
What about the slapd service that is launched by systemd?
# systemctl status slapd
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
Loaded: loaded (/etc/init.d/slapd; generated)
Drop-In: /usr/lib/systemd/system/slapd.service.d
└─slapd-remain-after-exit.conf
Active: active (running) since Wed 2023-09-06 15:41:44 CEST; 51min ago
Docs: man:systemd-sysv-generator(8)
Process: 135002 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
Tasks: 9 (limit: 38189)
Memory: 73.9M
CPU: 3.444s
CGroup: /system.slice/slapd.service
└─135008 /usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
Is the 'limit' value (38189) related to the ulimit of its process?
slapd does not have a .service file to change this, right?
Many thanks,
Patrice
# cat /etc/default/slapd
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=
# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"
# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"
# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
# default)
SLAPD_PIDFILE=
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldapi:///"
# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1
# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab
# Additional options to pass to slapd
SLAPD_OPTIONS=""
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.4.0-2-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
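Added example, not part of the bug report or of the slapd package: a small POSIX shell script that counts the EMFILE (errno 24) messages in a slapd log and checks a running process's descriptor usage against the soft limit it actually holds, read from /proc/PID/limits rather than from a shell's ulimit (the "limit: 38189" in the systemctl output is the TasksMax task count, not the open-file limit). The log lines are constructed from the format quoted in the report, and the pid 2200 and hostname "host" are sample values.

```sh
#!/bin/sh
# Added example, not part of the bug report: offline check of a slapd log for
# EMFILE (errno 24) messages, plus a live check of a process's fd headroom.

# Constructed sample log lines in the format quoted in the report.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2023-09-06T14:57:22.996591+02:00 host slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:57:22.996861+02:00 host slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T15:00:53.881436+02:00 host slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
2023-09-06T15:00:54.000000+02:00 host slapd[2200]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:40000 (IP=0.0.0.0:389)
EOF

# All "Too many open files" lines logged by slapd pid $2 in log file $1
# (the hosts.allow/hosts.deny warnings come from libwrap inside slapd).
count_emfile() {
    grep -c "slapd\[$2]:.*Too many open files" "$1" || true
}

# Only the accept() failures: once these appear, slapd is no longer
# taking new connections, which is the DoS the report describes.
count_accept_failures() {
    grep -c "slapd\[$2]: daemon: accept(.*errno=24" "$1" || true
}

# Open descriptors and soft "Max open files" limit of a live pid, read from
# /proc so it reflects what the daemon got from systemd, not a shell's ulimit.
fd_usage() {
    used=$(ls /proc/"$1"/fd 2>/dev/null | wc -l | tr -d ' ')
    limit=$(awk '/^Max open files/ {print $4}' /proc/"$1"/limits 2>/dev/null)
    echo "$used ${limit:-unknown}"
}

# Succeeds while the process is below 90% of its soft limit.
fd_headroom_ok() {
    set -- $(fd_usage "$1")
    case "$2" in unknown|unlimited) return 0 ;; esac
    [ $(( $1 * 100 / $2 )) -lt 90 ]
}

# Stand-alone run: report on the sample log and on this shell's own pid.
echo "emfile lines for pid 2200: $(count_emfile "$SAMPLE_LOG" 2200)"
echo "accept failures for pid 2200: $(count_accept_failures "$SAMPLE_LOG" 2200)"
echo "fd usage of pid $$: $(fd_usage $$)"
```

To watch the real daemon, pass the slapd pid from systemctl status to fd_usage and point count_accept_failures at the journal export; a rising count with used close to the limit is the condition to alert on before accept() starts failing.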