mod_auth leaks ldap connections
It seems lighttpd mod_auth leaks an LDAP connection to the LDAP server each time a request is made.
I had this problem loading a page with 600 images protected with ldap auth, lighttpd overloaded my ldap server with too many ldap connections.
I traced the problem and discovered that the ldap anonymous connection (used to find the dn) is opened on each connection in the http_auth_basic_password_compare function (http_auth.c) and is never closed.
It should be opened once and saved in p->conf.ldap but p->conf.ldap is reset to 0 before http_auth_basic_password_compare is called in the mod_auth_patch_connection function at the following line:
Looking at the code, from what I understand, p->conf.x is usually initialised when mod_auth is loaded, with a pointer to the structure or a string that will contain the data, and the plugin functions modify the data but not the pointer.
But for p->conf.ldap, the pointer is modified by http_auth_basic_password_compare and so it is lost between each call.
Shouldn't the type of p->conf.ldap be (LDAP**) rather than (LDAP*) and initialised when the plugin is loaded?
Tell me if I am wrong, I didn't propose a patch because I am not sure I really understood the code yet.
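The report above describes a per-request config copy dropping the cached anonymous handle. The following is an added example, not lighttpd's own code: it models that pattern with a constructed stand-in for libldap (fake_ldap_open/fake_ldap_unbind, plugin_config, patch_connection and password_compare are all assumed names) and compares caching the handle in the patched copy against caching it through a pointer into the persistent per-host config, the (LDAP**) idea from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libldap (constructed for this example): every open hands out
 * a handle and bumps the count of live connections to the LDAP server. */
typedef struct { int id; } LDAP;
static int live_connections = 0;

static LDAP *fake_ldap_open(void) {
    LDAP *ld = malloc(sizeof *ld);
    if (ld == NULL) abort();
    ld->id = ++live_connections;
    return ld;
}
static void fake_ldap_unbind(LDAP *ld) { free(ld); live_connections--; }

/* Per-host config as the report describes it: ldap is a bare LDAP*.
 * ldap_ref is the alternative the report asks about: a pointer to a handle
 * that lives in the persistent per-host config, not in the patched copy. */
typedef struct { LDAP *ldap; LDAP **ldap_ref; } plugin_config;
typedef struct { plugin_config host; plugin_config conf; } plugin_data;

/* Models mod_auth_patch_connection: p->conf is rebuilt from the stored
 * per-host config, so a handle written only into p->conf.ldap is lost. */
static void patch_connection(plugin_data *p) { p->conf = p->host; }

/* Models http_auth_basic_password_compare. use_ref == 0 caches the anonymous
 * handle in p->conf.ldap (leaks one connection per request); use_ref != 0
 * caches it through the persistent slot, so the next request finds it. */
static void password_compare(plugin_data *p, int use_ref) {
    if (!use_ref) {
        if (p->conf.ldap == NULL) p->conf.ldap = fake_ldap_open();
    } else if (*p->conf.ldap_ref == NULL) {
        *p->conf.ldap_ref = fake_ldap_open();
    }
    /* ... search for the dn, bind as the user, compare ... */
}

/* Serve n authenticated requests (constructed workload, e.g. 600 images)
 * and return how many LDAP connections are still open afterwards. */
int connections_after(int n, int use_ref) {
    plugin_data p;
    memset(&p, 0, sizeof p);
    live_connections = 0;
    p.host.ldap_ref = &p.host.ldap;    /* persistent slot in per-host config */
    for (int i = 0; i < n; i++) {
        patch_connection(&p);          /* resets p.conf.ldap every request */
        password_compare(&p, use_ref);
    }
    int n_open = live_connections;
    if (use_ref && p.host.ldap) fake_ldap_unbind(p.host.ldap);  /* shutdown */
    return n_open;
}
```

With the leaky variant the count grows by one per request, which is the 600-image overload described above; with the persistent slot it stays at one regardless of request count.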
#2 Updated by gbjk over 7 years ago
I believe we have hit this problem too, but with symptoms.
Our ldap server started hitting a max files open error. This would happen every three days or so, apparently after a build up of leaked files.
We added an idletimeout to the ldap server and instead lighttpd started to crash every few hours.
The lighttpd version is 1.4.13.
The logs would show no signs of distress or errors.
It would just disappear, and monit would start it back up again.
This would happen after a bout of images, too.
I think the thing about images is the speed with which they are requested.
#3 Updated by dev-zero about 7 years ago
And version 1.5.x is also affected. Together with a security enabled linux kernel, this is really dangerous since the limits are enforced: Meaning that when lighttpd hits the number of 1024 or 2048 open file descriptors, further connections are being denied. And even more: It takes the LDAP-Server down as well since that one does a SIGINT when no new connections can be opened!