Bug #1066

mod_auth leaks ldap connections

Added by Anonymous over 7 years ago. Updated almost 6 years ago.

Status: Fixed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: mod_auth
Target version: 1.4.21
Missing in 1.5.x:

Description

It seems lighttpd mod_auth leaks an ldap connection to the ldap server each time a request is made.
I had this problem loading a page with 600 images protected with ldap auth, lighttpd overloaded my ldap server with too many ldap connections.

I traced the problem and discovered that the ldap anonymous connection (used to find the dn) is opened on each connection in the http_auth_basic_password_compare function (http_auth.c) and is never closed.

It should be opened once and saved in p->conf.ldap but p->conf.ldap is reset to 0 before http_auth_basic_password_compare is called in the mod_auth_patch_connection function at the following line:
PATCH;

Looking at the code, from what I understand, p->conf.x is usually initialised when mod_auth is loaded, with a pointer to the structure or a string that will contain the data, and the plugin functions modify the data but not the pointer.

But for p->conf.ldap, the pointer is modified by http_auth_basic_password_compare and so it is lost between each call.

Shouldn't the type of p->conf.ldap be (LDAP**) rather than (LDAP*) and initialised when the plugin is loaded?

Tell me if I am wrong, I didn't propose a patch because I am not sure I really understood the code yet.

-- yann

ldap_leak_bugfix.patch - Proposed patch to solve this bug -- yann (6.23 KB) Anonymous, 2007-03-03 12:50

History

#1 Updated by Anonymous over 7 years ago

I attached a patch which solves the bug by making p->conf.ldap a pointer to a structure containing the ldap connection to the server and the pre and post filter.

The ldap connection is stored in p->conf.ldap->ldap and is not lost between each call.

-- yann
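The mechanism described in the report and in the attached patch's approach, as an added illustration that is not lighttpd's code: a stand-in handle with a live-connection counter shows why a per-request config copy that holds the handle directly leaks one connection per request, while holding a pointer to a shared state struct keeps a single connection. The `fake_ldap_*` functions and the `buggy_*`/`fixed_*` names are constructed for this example, not libldap or mod_auth identifiers.

```c
#include <stdlib.h>

/* Constructed stand-in for an LDAP handle (not libldap); the counter of
 * live connections makes a leak observable. */
typedef struct { int id; } fake_ldap;
static int live_connections = 0;

static fake_ldap *fake_ldap_open(void) {
    fake_ldap *l = malloc(sizeof *l);
    l->id = ++live_connections;
    return l;
}
static void fake_ldap_close(fake_ldap *l) {
    if (l) { live_connections--; free(l); }
}

/* Buggy shape: the per-connection config holds the handle itself. The
 * per-request PATCH step copies the defaults over it, so the handle opened
 * by the previous request is unreachable and a new one is opened. */
typedef struct { fake_ldap *ldap; } buggy_conf;
static void buggy_patch(buggy_conf *c, const buggy_conf *d) { *c = *d; }
static void buggy_password_compare(buggy_conf *c) {
    if (c->ldap == NULL) c->ldap = fake_ldap_open();   /* never closed */
}

/* Fixed shape: the config holds a pointer to shared state; PATCH copies
 * only the pointer, so the handle inside the state survives. */
typedef struct { fake_ldap *ldap; } ldap_state;
typedef struct { ldap_state *ldap; } fixed_conf;
static void fixed_patch(fixed_conf *c, const fixed_conf *d) { *c = *d; }
static void fixed_password_compare(fixed_conf *c) {
    if (c->ldap->ldap == NULL) c->ldap->ldap = fake_ldap_open();
}

/* Run n requests through the buggy path; returns connections left open. */
int leaked_after_buggy_requests(int n) {
    int before = live_connections;
    buggy_conf defaults = { NULL }, conf;
    for (int i = 0; i < n; i++) { buggy_patch(&conf, &defaults); buggy_password_compare(&conf); }
    return live_connections - before;
}

/* Same for the fixed path; returns the peak number of connections opened,
 * then closes the single shared handle. */
int leaked_after_fixed_requests(int n) {
    int before = live_connections;
    ldap_state state = { NULL };
    fixed_conf defaults = { &state }, conf;
    for (int i = 0; i < n; i++) { fixed_patch(&conf, &defaults); fixed_password_compare(&conf); }
    int peak = live_connections - before;
    fake_ldap_close(state.ldap);
    return peak;
}
```

With 600 requests, as in the report's image page, the buggy path leaves 600 handles open and the fixed path opens exactly one.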

#2 Updated by gbjk about 7 years ago

I believe we have hit this problem too, but with symptoms.
Our ldap server started hitting a max files open error. This would happen every three days or so, apparently after a build up of leaked files.
We added an idletimeout to the ldap server and instead lighttpd started to crash every few hours.
The lighttpd version is 1.4.13.

The logs would show no signs of distress or errors.
It would just disappear, and monit would start it back up again.

This would happen after a bout of images, too.
I think the thing about images is the speed with which they are requested.

#3 Updated by dev-zero over 6 years ago

And version 1.5.x is also affected. Together with a security enabled linux kernel, this is really dangerous since the limits are enforced: Meaning that when lighttpd hits the number of 1024 or 2048 open file descriptors, further connections are being denied. And even more: It takes the LDAP-Server down as well since that one does a SIGINT when no new connections can be opened!

#4 Updated by stbuehler almost 6 years ago

I guess the ldap code needs some cleanup.

#5 Updated by stbuehler almost 6 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

Fixed in r2318
