2:49 p.m.
https://bugs.openldap.org/show_bug.cgi?id=9820
Issue ID: 9820
Summary: v2.5 and 2.6 closed (idletimeout) during ldapsearch
(work fine with v2.4)
Product: OpenLDAP
Version: 2.6.1
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: jlbs.gregoire(a)gmail.com
Target Milestone: ---
Hello,
Please excuse me for my bad English.
Is there a bug with openldap 2.5 and 2.6 ? When I launch a ldapsearch on the
whole directory, the connection is abruptly cut during the search (same problem
with syncrepl).
All work fine with openldap 2.4.48 and 2.4.59.
Tested on Debian 10 buster and openssl 1.1.1n (also tested with openssl 1.1.1d
and 1.1.1k).
The directory contains over one million entries.
OpenLDAP 2.6.1 compiled with the following options
./configure --prefix=/opt/openldap-2.6.1 --disable-ipv6 --enable-debug
--enable-syslog --enable-slapd --enable-cleartext --enable-crypt
--enable-wrappers --enable-backends=no --enable-mdb --enable-overlays
--with-tls
/opt/openldap-2.6.1/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w
'password'
...
# numResponses: 50146
# numEntries: 50146
ldap_result: Can't contact LDAP server (-1)
Apr 8 21:28:37 debian slapd[20880]: @(#) $OpenLDAP: slapd 2.6.1 (Apr 8 2022
20:34:26) $#012#011root@debian:/opt/src/openldap-2.6.1/servers/slapd
Apr 8 21:28:37 debian slapd[20881]: slapd starting
Apr 8 21:29:12 debian slapd[20881]: conn=1000 fd=11 ACCEPT from
PATH=/opt/openldap-2.6.1/var/run/ldapi (PATH=/opt/openldap-2.6.1/var/run/ldapi)
Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 BIND
dn="cn=manager,dc=societe,dc=com" method=128
Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 BIND
dn="cn=manager,dc=societe,dc=com" mech=SIMPLE bind_ssf=0 ssf=71
Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 RESULT tag=97 err=0
qtime=0.000005 etime=0.000041 text=
Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=1 SRCH
base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Apr 8 21:29:57 debian slapd[20881]: conn=1000 fd=11 closed (idletimeout)
OpenLDAP 2.5.11 compiled with the following options
./configure --prefix=/opt/openldap-2.5.11 --disable-ipv6 --enable-debug
--enable-syslog --enable-slapd --enable-cleartext --enable-crypt
--enable-wrappers --enable-backends=no --enable-mdb --enable-overlays
--with-tls
/opt/openldap-2.5.11/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w
'password'
...
# numResponses: 44638
# numEntries: 44638
ldap_result: Can't contact LDAP server (-1)
Apr 8 21:44:18 debian slapd[21063]: @(#) $OpenLDAP: slapd 2.5.11 (Apr 8 2022
20:55:50) $#012#011root@debian:/opt/src/openldap-2.5.11/servers/slapd
Apr 8 21:44:18 debian slapd[21064]: slapd starting
Apr 8 21:44:45 debian slapd[21064]: conn=1000 fd=11 ACCEPT from
PATH=/opt/openldap-2.5.11/var/run/ldapi
(PATH=/opt/openldap-2.5.11/var/run/ldapi)
Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 BIND
dn="cn=manager,dc=societe,dc=com" method=128
Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 BIND
dn="cn=manager,dc=societe,dc=com" mech=SIMPLE bind_ssf=0 ssf=71
Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 RESULT tag=97 err=0
qtime=0.000006 etime=0.000045 text=
Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=1 SRCH
base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Apr 8 21:45:30 debian slapd[21064]: conn=1000 fd=11 closed (idletimeout)
OpenLDAP 2.4.59 compiled with the following options
./configure --prefix=/opt/openldap-2.4.59 --disable-ipv6 --enable-debug
--enable-syslog --enable-slapd --enable-cleartext --enable-crypt
--enable-wrappers --enable-backends=no --enable-mdb --enable-overlays
--with-tls
/opt/openldap-2.4.59/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w
'password'
Apr 8 21:53:22 debian slapd[17963]: @(#) $OpenLDAP: slapd 2.4.59 (Apr 8 2022
21:51:41) $#012#011root@debian:/opt/src/openldap-2.4.59/servers/slapd
Apr 8 21:53:22 debian slapd[17964]: slapd starting
Apr 8 21:53:54 debian slapd[17964]: conn=1000 fd=11 ACCEPT from
PATH=/opt/openldap-2.4.59/var/run/ldapi
(PATH=/opt/openldap-2.4.59/var/run/ldapi)
Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 BIND
dn="cn=manager,dc=societe,dc=com" method=128
Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 BIND
dn="cn=manager,dc=societe,dc=com" mech=SIMPLE ssf=0
Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 RESULT tag=97 err=0 text=
Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=1 SRCH
base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Apr 8 22:06:02 debian slapd[17964]: conn=1000 op=1 SEARCH RESULT tag=101 err=0
nentries=1021397 text=
Apr 8 22:06:02 debian slapd[17964]: conn=1000 op=2 UNBIND
Apr 8 22:06:02 debian slapd[17964]: conn=1000 fd=11 closed
OpenLDAP 2.4.48 compiled with the following options
./configure --prefix=/opt/openldap-2.4.48 --disable-ipv6 --enable-debug
--enable-syslog --enable-slapd --enable-cleartext --enable-crypt
--enable-wrappers --enable-backends=no --enable-mdb --enable-overlays
--with-tls
/opt/openldap-2.4.48/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w
'password'
Apr 8 21:30:44 debian slapd[20942]: @(#) $OpenLDAP: slapd 2.4.48 (Apr 8 2022
20:58:01) $#012#011root@debian:/opt/src/openldap-2.4.48/servers/slapd
Apr 8 21:30:44 debian slapd[20943]: slapd starting
Apr 8 21:31:05 debian slapd[20943]: conn=1000 fd=11 ACCEPT from
PATH=/opt/openldap-2.4.48/var/run/ldapi
(PATH=/opt/openldap-2.4.48/var/run/ldapi)
Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 BIND
dn="cn=manager,dc=societe,dc=com" method=128
Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 BIND
dn="cn=manager,dc=societe,dc=com" mech=SIMPLE ssf=0
Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 RESULT tag=97 err=0 text=
Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=1 SRCH
base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Apr 8 21:43:15 debian slapd[20943]: conn=1000 op=1 SEARCH RESULT tag=101 err=0
nentries=1021397 text=
Apr 8 21:43:15 debian slapd[20943]: conn=1000 op=2 UNBIND
Apr 8 21:43:15 debian slapd[20943]: conn=1000 fd=11 closed
Content of slapd.conf :
pidfile /opt/openldap/var/run/slapd.pid
argsfile /opt/openldap/var/run/slapd.args
tool-threads 2
require ldapv3 authc
disallow bind_anon
loglevel stats
modulepath /opt/openldap/libexec/openldap
moduleload back_mdb
moduleload syncprov
include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/etc/openldap/schema/dyngroup_cgi.schema
include /opt/openldap/etc/openldap/schema/qmail_cgi.schema
defaultsearchbase "dc=societe,dc=com"
backend mdb
database mdb
directory "/ldap/base-ldap"
suffix "dc=societe,dc=com"
rootdn "cn=manager,dc=societe,dc=com"
rootpw password
maxsize 12884901888
mode 600
checkpoint 10240 2
dbnosync
lastmod on
include /opt/openldap/etc/openldap/acl.conf
idletimeout 120
reverse-lookup off
sizelimit 100
timelimit unlimited
include /opt/openldap/etc/openldap/index.conf
index_substr_if_minlen 2
index_substr_if_maxlen 4
index_substr_any_len 4
index_substr_any_step 2
When I set loglevel -1 it works correctly (but generates a very huge log file).
It's very strange.
If you need any further information, feel free to contact me.
Jean-Loup Gregoire
--
You are receiving this mail because:
You are on the CC list for the issue.
3:56 a.m.
New subject: [Issue 9820] v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4)
https://bugs.openldap.org/show_bug.cgi?id=9820
--- Comment #1 from Jean-Loup Gregoire <jlbs.gregoire(a)gmail.com> ---
Hello,
A few more elements,
When redirecting the search result to a file, the connexion is not broken
during the search (except if you activate the debug on ldapsearch)
ex:
/opt/openldap-2.6.1/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w
'password' > test.ldif => OK
/opt/openldap-2.6.1/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w
'password' > /dev/null => OK
/opt/openldap-2.6.1/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w
'password' => KO
/opt/openldap-2.6.1/bin/ldapsearch -x -d -1 -D cn=manager,dc=societe,dc=com -w
'password' => KO
Here is the result of a test with the debug activated on the client side :
/opt/openldap-2.6.1/bin/ldapsearch -x -d -1 -D cn=manager,dc=societe,dc=com -w
'password'
ldapsearch result :
...
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x556c377e8d20 msgid -1
wait4msg ld 0x556c377e8d20 msgid -1 (infinite timeout)
wait4msg continue ld 0x556c377e8d20 msgid -1 all 0
** ld 0x556c377e8d20 Connections:
* host: /opt/openldap/var/run/ldapi port: 0 (default)
* from: PATH=
refcnt: 2 status: Connected
last used: Mon Apr 11 12:33:57 2022
** ld 0x556c377e8d20 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x556c377e8d20 request count 1 (abandoned 0)
** ld 0x556c377e8d20 Response Queue:
Empty
ld 0x556c377e8d20 response count 0
ldap_chkResponseList ld 0x556c377e8d20 msgid -1 all 0
ldap_chkResponseList returns ld 0x556c377e8d20 NULL
ldap_int_select
read1msg: ld 0x556c377e8d20 msgid -1 all 0
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed, errno=0.
ldap_msgfree
# numResponses: 1847
# numEntries: 1847
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
ldap_do_free_request: asked to free lr 0x556c377eb360 msgid 2 refcnt 0
ldap_free_connection 1 1
ldap_free_connection: actually freed
content of openldap.log :
Apr 11 12:33:57 debian slapd[29476]: conn=1687 fd=18 ACCEPT from
PATH=/opt/openldap-2.6.1/var/run/ldapi (PATH=/opt/openldap-2.6.1/var/run/ldapi)
Apr 11 12:33:57 debian slapd[29476]: conn=1687 op=0 BIND
dn="cn=manager,dc=societe,dc=com" method=128
Apr 11 12:33:57 debian slapd[29476]: conn=1687 op=0 BIND
dn="cn=manager,dc=societe,dc=com" mech=SIMPLE bind_ssf=0 ssf=71
Apr 11 12:33:57 debian slapd[29476]: conn=1687 op=0 RESULT tag=97 err=0
qtime=0.000013 etime=0.000270 text=
Apr 11 12:33:57 debian slapd[29476]: conn=1687 op=1 SRCH
base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Apr 11 12:34:35 debian slapd[29476]: conn=1687 fd=18 closed (idletimeout)
The problem occurs also for syncrepl, If we load a LDIF on the client before
startup, it manages to take the the updates from the master, but if we start
the client empty (to load from its master), connection failures occur.
Regards
Jean-Loup
--
You are receiving this mail because:
You are on the CC list for the issue.
9:48 a.m.
New subject: [Issue 9820] v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4)
https://bugs.openldap.org/show_bug.cgi?id=9820
--- Comment #2 from Howard Chu <hyc(a)openldap.org> ---
Created attachment 890
--> https://bugs.openldap.org/attachment.cgi?id=890&action=edit
possible fix
Please test this patch, thanks.
--
You are receiving this mail because:
You are on the CC list for the issue.
11:30 a.m.
New subject: [Issue 9820] v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4)
https://bugs.openldap.org/show_bug.cgi?id=9820
Jean-Loup Gregoire <jlbs.gregoire(a)gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|UNCONFIRMED |RESOLVED
--- Comment #3 from Jean-Loup Gregoire <jlbs.gregoire(a)gmail.com> ---
Thanks howard, it works perfectly!
(tested in v2.5.11 and v2.6.1)
--
You are receiving this mail because:
You are on the CC list for the issue.
11:37 a.m.
New subject: [Issue 9820] v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4)
https://bugs.openldap.org/show_bug.cgi?id=9820
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |UNCONFIRMED
Resolution|FIXED |---
--- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
(In reply to Jean-Loup Gregoire from comment #3)
Thanks howard, it works perfectly!
(tested in v2.5.11 and v2.6.1)
Thanks for the confirmation. Is there any credit you want for the CVE
information?
--
You are receiving this mail because:
You are on the CC list for the issue.
11:37 a.m.
New subject: [Issue 9820] v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4)
https://bugs.openldap.org/show_bug.cgi?id=9820
--- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
(In reply to Quanah Gibson-Mount from comment #4)
(In reply to Jean-Loup Gregoire from comment #3)
> Thanks howard, it works perfectly!
> (tested in v2.5.11 and v2.6.1)
Never mind, wrong ticket.
--
You are receiving this mail because:
You are on the CC list for the issue.
11:38 a.m.
New subject: [Issue 9820] ldapsearch closes with idletimeout during active search
https://bugs.openldap.org/show_bug.cgi?id=9820
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|v2.5 and 2.6 closed |ldapsearch closes with
|(idletimeout) during |idletimeout during active
|ldapsearch (work fine with |search
|v2.4) |
--
You are receiving this mail because:
You are on the CC list for the issue.
11:38 a.m.
New subject: [Issue 9820] ldapsearch closes with idletimeout during active search
https://bugs.openldap.org/show_bug.cgi?id=9820
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|bugs(a)openldap.org |hyc(a)openldap.org
--
You are receiving this mail because:
You are on the CC list for the issue.
9:12 a.m.
New subject: [Issue 9820] ldapsearch closes with idletimeout during active search
https://bugs.openldap.org/show_bug.cgi?id=9820
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|needs_review |
Target Milestone|--- |2.5.12
--
You are receiving this mail because:
You are on the CC list for the issue.
9:18 a.m.
New subject: [Issue 9820] ldapsearch closes with idletimeout during active search
https://bugs.openldap.org/show_bug.cgi?id=9820
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Status|UNCONFIRMED |IN_PROGRESS
--
You are receiving this mail because:
You are on the CC list for the issue.
10:03 a.m.
New subject: [Issue 9820] ldapsearch closes with idletimeout during active search
https://bugs.openldap.org/show_bug.cgi?id=9820
--- Comment #6 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Merge Request: https://git.openldap.org/openldap/openldap/-/merge_requests/514
--
You are receiving this mail because:
You are on the CC list for the issue.
9:09 a.m.
New subject: [Issue 9820] ldapsearch closes with idletimeout during active search
https://bugs.openldap.org/show_bug.cgi?id=9820
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|IN_PROGRESS |RESOLVED
--- Comment #7 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
RE26:
• 2dea513c
by Howard Chu at 2022-04-27T15:47:49+00:00
ITS#9820 fix writewait/idletimeout interaction
RE25:
• 48039c00
by Howard Chu at 2022-04-27T15:48:37+00:00
ITS#9820 fix writewait/idletimeout interaction
--
You are receiving this mail because:
You are on the CC list for the issue.
9:25 a.m.
New subject: [Issue 9820] ldapsearch closes with idletimeout during active search
https://bugs.openldap.org/show_bug.cgi?id=9820
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
--
You are receiving this mail because:
You are on the CC list for the issue.
518
days inactive
544
days old
12 comments
1 participants
participants (1)
-
openldap-its@openldap.org