
(ITS#8997) openldap-nssov/back ldap segfault

Full_Name: Matthew Pallissard
Version: 2.4.47
OS: Archlinux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


We're seeing a lot of segfaults on some of our busier HPC machines. These
typically have hundreds of jobs landing on them at a given time.

We use back-ldap with an nssov-overlay and pcache in front of Active Directory.
This is authorization only; authentication is handled via krb5.  The relevant
bits of slightly scrubbed config are at the bottom of this message.

We notice two things:

1. This can be replicated semi-consistently:
  1. stop slapd, ensure cache is empty
  2. do something dumb like this
    > for i in {1..100}; do ./dumb.sh & done

    > #!/bin/bash
    > # dumb.sh
    > while [[ 1 -ne 2 ]]; do
    >   for i in $(getent passwd  | cut -f 1 -d ':'); do
    >     time id ${i}
    >   done
    > done
  3. start slapd

2. Turning the log level to 0 /seems/ to make the issue go away. I'll report
back once I can confirm that.
  A note on this: we do have a good handful of 'service accounts' that don't
have all of the posix attributes in active directory.  As such those entries do
spam the logs a bit.

# config 2.4.47
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/openldap
olcModuleLoad: pcache
olcModuleLoad: nssov
olcModuleLoad: back_ldap
olcModuleLoad: back_mdb

dn: olcDatabase={1}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {1}ldap
olcSuffix: dc=ad,dc=domain,dc=edu
olcAddContentAcl: FALSE
olcLastMod: FALSE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRootDN: cn=ldap_rootdn,cn=config
olcDbURI: "ldap://ad.domain.edu";
olcDbStartTLS: none  starttls=no
olcDbACLBind: bindmethod=simple timeout=0 network-timeout=0 binddn="" crede
 ntials="" keepalive=0:0:0
olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bin
 dmethod=simple timeout=0 network-timeout=0 binddn="" credentials=""
olcDbIDAssertAuthzFrom: *
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: FALSE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
structuralObjectClass: olcLDAPConfig

dn: olcOverlay={0}nssov,olcDatabase={1}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: group ldap:///dc=ad,dc=domain,dc=edu??sub?(objectClass=posi
olcNssSsd: passwd ldap:///dc=ad,dc=domain,dc=edu??sub?(objectClass=pos
olcNssSsd: shadow ldap:///dc=ad,dc=domain,dc=edu??sub?(objectClass=sha
olcNssMap: group uniqueMember member
olcNssMap: passwd gecos title
olcNssMap: passwd homeDirectory unixHomeDirectory
olcNssPam: uid2dn
olcNssPamMinUid: 0
olcNssPamMaxUid: 0
structuralObjectClass: olcNssOvConfig

dn: olcOverlay={1}pcache,olcDatabase={1}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcPcacheConfig
olcOverlay: {1}pcache
olcPcache: mdb 1000000 30 1000000 3600
olcPcacheAttrset: 0 uid userPassword uidNumber gidNumber gecos cn homeDirectory loginShell objectClass
olcPcacheAttrset: 1 cn userPassword gidNumber memberUid objectClass member
olcPcacheTemplate: "(&(objectclass=)(|(memberuid=)(member=)))" 1 3600
olcPcacheTemplate: "(&(objectclass=)(|(memberuid=)(uniquemember=)))" 1 3600
olcPcacheTemplate: "(&(objectclass=)(gidnumber=))" 1 3600
olcPcacheTemplate: "(&(objectclass=)(uidnumber=))" 0 3600
olcPcacheTemplate: "(&(objectclass=)(uid=))" 0 3600
olcPcacheTemplate: "(objectclass=)" 0 3600
olcPcacheTemplate: "(objectclass=)" 1 3600
olcPcachePosition: head
olcPcacheMaxQueries: 10000000
olcPcachePersist: FALSE
olcPcacheValidate: FALSE
olcPcacheOffline: TRUE

dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}ldap,cn=config
objectClass: olcMdbConfig
objectClass: olcPcacheDatabase
olcDatabase: {0}mdb
olcDbDirectory: /var/lib/openldap/openldap-data
olcDbNoSync: FALSE
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: uniqueMember eq