Bug #1066


mod_auth leaks ldap connections

Added by Anonymous over 17 years ago. Updated almost 16 years ago.


It seems lighttpd mod_auth leaks an ldap connection to the ldap server each time a request is made.
I had this problem loading a page with 600 images protected with ldap auth; lighttpd overloaded my ldap server with too many ldap connections.

I traced the problem and discovered that the ldap anonymous connection (used to find the dn) is opened on each connection in the http_auth_basic_password_compare function (http_auth.c) and is never closed.

It should be opened once and saved in p->conf.ldap but p->conf.ldap is reset to 0 before http_auth_basic_password_compare is called in the mod_auth_patch_connection function at the following line:

Looking at the code, from what I understand, p->conf.x is usually initialised when mod_auth is loaded, with a pointer to the structure or a string that will contain the data, and the plugin functions modify the data but not the pointer.

But for p->conf.ldap, the pointer is modified by http_auth_basic_password_compare and so it is lost between each call.

Shouldn't the type of p->conf.ldap be (LDAP**) rather than (LDAP*) and initialised when the plugin is loaded?

Tell me if I am wrong, I didn't propose a patch because I am not sure I really understood the code yet.

-- yann


Attachment: ldap_leak_bugfix.patch (6.23 KB) - "Proposed patch to solve this bug -- yann" - Anonymous, 2007-03-03 12:50
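The lifecycle yann describes, as an added constructed C simulation (not lighttpd's mod_auth code): FakeLDAP, fake_ldap_open and the two conf layouts are stand-ins for libldap's LDAP* and lighttpd's p->conf.ldap, and a fixed pool of slots stands in for the server's descriptor limit. The per-request reset of the conf pointer loses the handle the password compare opened, whereas pointing the conf at a long-lived holder keeps it across requests.

```c
/* Constructed simulation of the leak in this report, not lighttpd code.
 * FakeLDAP stands in for libldap's LDAP*; a fixed pool of slots stands in
 * for the LDAP server's file-descriptor limit. */
#include <stddef.h>
#include <string.h>

#define MAX_HANDLES 4096
typedef struct { int in_use; } FakeLDAP;
static FakeLDAP pool[MAX_HANDLES];
static int open_handles;

static FakeLDAP *fake_ldap_open(void) {
    for (int i = 0; i < MAX_HANDLES; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; open_handles++; return &pool[i]; }
    return NULL;                  /* no free descriptor: the overload the thread reports */
}
static void fake_ldap_unbind(FakeLDAP *ld) { if (ld) { ld->in_use = 0; open_handles--; } }
static void reset_server(void) { memset(pool, 0, sizeof pool); open_handles = 0; }

/* Original layout: the per-request conf holds the handle itself (LDAP*). */
struct leaky_conf { FakeLDAP *ldap; };
/* Patched layout: conf points at a holder that outlives any single request. */
struct ldap_holder { FakeLDAP *ldap; };
struct fixed_conf { struct ldap_holder *ldap; };

/* mod_auth_patch_connection re-derives conf for every request. */
static void leaky_patch(struct leaky_conf *c) { c->ldap = NULL; }
static void fixed_patch(struct fixed_conf *c, struct ldap_holder *h) { c->ldap = h; }

/* http_auth_basic_password_compare opens the anonymous connection if missing. */
static void leaky_compare(struct leaky_conf *c) {
    if (c->ldap == NULL) c->ldap = fake_ldap_open();   /* pointer is lost on the next patch */
}
static void fixed_compare(struct fixed_conf *c) {
    if (c->ldap->ldap == NULL) c->ldap->ldap = fake_ldap_open();   /* cached in the holder */
}

/* Serve n requests with the original layout; return handles still open afterwards. */
int handles_open_after_leaky(int n) {
    struct leaky_conf c = { NULL };
    reset_server();
    for (int i = 0; i < n; i++) { leaky_patch(&c); leaky_compare(&c); }
    return open_handles;
}

/* Serve n requests with the patched layout; return handles open before teardown. */
int handles_open_after_fixed(int n) {
    struct ldap_holder h = { NULL };
    struct fixed_conf c = { NULL };
    int peak;
    reset_server();
    for (int i = 0; i < n; i++) { fixed_patch(&c, &h); fixed_compare(&c); }
    peak = open_handles;
    fake_ldap_unbind(h.ldap);     /* released once, when the plugin is torn down */
    return peak;
}
```

With 600 requests, the original layout leaves 600 handles open and the patched layout one; past MAX_HANDLES the leaky variant saturates, which is the descriptor-exhaustion the later comments describe.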
#1 - Updated by Anonymous over 17 years ago

I attached a patch which solves the bug by making p->conf.ldap a pointer to a structure containing the ldap connection to the server and the pre and post filter.

The ldap connection is stored in p->conf.ldap->ldap and is not lost between each call.

-- yann

#2 - Updated by gbjk almost 17 years ago

I believe we have hit this problem too, but with symptoms.
Our ldap server started hitting a max files open error. This would happen every three days or so, apparently after a build up of leaked files.
We added an idletimeout to the ldap server and instead lighttpd started to crash every few hours.
The lighttpd version is 1.4.13.

The logs would show no signs of distress or errors.
It would just disappear, and monit would start it back up again.

This would happen after a bout of images, too.
I think the thing about images is the speed with which they are requested.

#3 - Updated by dev-zero over 16 years ago

And version 1.5.x is also affected. Together with a security-enabled linux kernel, this is really dangerous since the limits are enforced: meaning that when lighttpd hits the number of 1024 or 2048 open file descriptors, further connections are being denied. And even more: it takes the LDAP server down as well, since that one does a SIGINT when no new connections can be opened!

#4 - Updated by stbuehler almost 16 years ago

I guess the ldap code needs some cleanup.

#5 - Updated by stbuehler almost 16 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

Fixed in r2318
