Full_Name: Andrew Findlay Version: 2.4.40 OS: Linux: OpenSuSE 13.2 URL: ftp://ftp.openldap.org/incoming/openldap-mdb-spin-bug.tgz Submission from: (NULL) (2001:8b0:8d0:f7e1:61a6:169e:b4ba:9954) Some client programs (such as Apache Directory Studio) request alias dereferencing by default. This puts slapd with mdb into a spin where it consumes 100% of a CPU. Other threads continue to work and new connections are accepted. Timeouts do not terminate the spin. Disconnecting the client does not terminate the spin. To reproduce: start slapd and issue a search of the form: ldapsearch -a search -x -b dc=example,dc=org objectclass=person I have placed a tarball on the FTP server containing: slapd.conf sample data in LDIF gdb output showing thread trace after breaking in script of client commands The build options were: CFLAGS=-g export CFLAGS ./configure --prefix=/meme/andrew/test/openldap-2.4.40 \ --enable-spasswd \ --enable-crypt \ --enable-slapi \ --enable-overlays \ --enable-hdb=no \ --enable-bdb=no \ --enable-ldap \ --enable-rewrite \ --enable-meta \ --enable-null \ --enable-monitor \ --enable-relay \ --enable-sock \ --with-cyrus-sasl \ --with-tls For those that need it, the workaround with Apache Directory Studio is to disable alias dereferencing in the Browser Options tab for the connection. Andrew
andrew.findlay@skills-1st.co.uk wrote: > Full_Name: Andrew Findlay > Version: 2.4.40 > OS: Linux: OpenSuSE 13.2 > URL: ftp://ftp.openldap.org/incoming/openldap-mdb-spin-bug.tgz > Submission from: (NULL) (2001:8b0:8d0:f7e1:61a6:169e:b4ba:9954) > > > Some client programs (such as Apache Directory Studio) request alias > dereferencing by default. This puts slapd with mdb into a spin where it consumes > 100% of a CPU. Other threads continue to work and new connections are accepted. > Timeouts do not terminate the spin. Disconnecting the client does not terminate > the spin. Already fixed in RE24. > To reproduce: start slapd and issue a search of the form: > > ldapsearch -a search -x -b dc=example,dc=org objectclass=person > > I have placed a tarball on the FTP server containing: > > slapd.conf > sample data in LDIF > gdb output showing thread trace after breaking in > script of client commands > > The build options were: > > CFLAGS=-g > export CFLAGS > > ./configure --prefix=/meme/andrew/test/openldap-2.4.40 \ > --enable-spasswd \ > --enable-crypt \ > --enable-slapi \ > --enable-overlays \ > --enable-hdb=no \ > --enable-bdb=no \ > --enable-ldap \ > --enable-rewrite \ > --enable-meta \ > --enable-null \ > --enable-monitor \ > --enable-relay \ > --enable-sock \ > --with-cyrus-sasl \ > --with-tls > > > For those that need it, the workaround with Apache Directory Studio is to > disable alias dereferencing in the Browser Options tab for the connection. > > Andrew > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
On Mon, May 18, 2015 at 12:39:17PM +0100, Howard Chu wrote: > Already fixed in RE24. Not in the version that I pulled 10 minutes ago... openldap-OPENLDAP_REL_ENG_2_4-e445af3 Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
Andrew Findlay wrote: > On Mon, May 18, 2015 at 12:39:17PM +0100, Howard Chu wrote: > >> Already fixed in RE24. > > Not in the version that I pulled 10 minutes ago... > > openldap-OPENLDAP_REL_ENG_2_4-e445af3 Hmm. violino:~/OD/gr24/servers/slapd> git log -1 back-mdb commit e1fdac9db59e4677b9a2403a072558bd89e44321 Author: Howard Chu <hyc@openldap.org> Date: Mon Apr 13 13:11:29 2015 -0700 ITS#8103 fix crash with more than 65535 aliases in a scope I'll look at your test case shortly, thanks. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
On Mon, May 18, 2015 at 04:48:13PM +0100, Howard Chu wrote: > ITS#8103 fix crash with more than 65535 aliases in a scope Ah - my test case does not have any aliases at all so it may be an unrelated issue. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
Andrew Findlay wrote: > On Mon, May 18, 2015 at 04:48:13PM +0100, Howard Chu wrote: > >> ITS#8103 fix crash with more than 65535 aliases in a scope > > Ah - my test case does not have any aliases at all so it may be an > unrelated issue. I see, your issue is caused by the fact you haven't indexed the objectClass attribute. When back-mdb does a search to find all the alias objects in the DB, instead of returning zero, it returns unknown which causes it to loop through all possible entryIDs looking for alias entries. (On my laptop, "all possible" is 2^64 - 1 so yes, this will spin for .. a while.) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
hyc@symas.com wrote: > Andrew Findlay wrote: >> On Mon, May 18, 2015 at 04:48:13PM +0100, Howard Chu wrote: >> >>> ITS#8103 fix crash with more than 65535 aliases in a scope >> >> Ah - my test case does not have any aliases at all so it may be an >> unrelated issue. > > I see, your issue is caused by the fact you haven't indexed the objectClass > attribute. When back-mdb does a search to find all the alias objects in the > DB, instead of returning zero, it returns unknown which causes it to loop > through all possible entryIDs looking for alias entries. > > (On my laptop, "all possible" is 2^64 - 1 so yes, this will spin for .. a while.) > Fixed now in git master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
changed notes changed state Open to Test moved from Incoming to Software Bugs
On Mon, May 18, 2015 at 04:58:29PM +0000, Howard Chu wrote: > > (On my laptop, "all possible" is 2^64 - 1 so yes, this will spin for .. a while.) 584942 years at 1M tests/sec - I am not waiting around for the timeout :-) (or the electricity bill: over £10M at todays prices) > Fixed now in git master. Thanks Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
changed notes changed state Test to Release
fixed in master fixed in RE25 fixed in RE24 (2.4.41)
changed notes changed state Release to Closed