Bug 52914 - nss_ldap with nptl overloads ldap server
Summary: nss_ldap with nptl overloads ldap server
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High critical
Assignee: Robin Johnson
Reported: 2004-06-03 14:16 UTC by Brad Schuetz
Modified: 2004-11-30 16:11 UTC
Description Brad Schuetz 2004-06-03 14:16:43 UTC
nss_ldap, when compiled on an nptl-enabled glibc, has a problem with gethostbyname. See this email from the kernel mailing list for more information:
http://www.uwsg.iu.edu/hypermail/linux/kernel/0308.0/1774.html

Set up and configure nss_ldap; then, after a while, more and more unused connections will appear on the openldap server (can be seen with lsof) without connections listed on the client machine.

This finally results in the openldap server being so bogged down it slows to a crawl.

Adding an entry into /etc/hosts for the IP address of the machine that is the ldap server will correct the issue.

Reproducible: Always
Steps to Reproduce:




Portage 2.0.50-r7 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.6.5-gentoo-r1)
=================================================================
System uname: 2.6.5-gentoo-r1 i686 Pentium III (Coppermine)
Gentoo Base System version 1.4.10
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3"
DISTDIR="/clfs/cluster/gentoo/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="ftp://gentoo.ccccom.com 
ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo  http://gentoo.mirrors.pair.com/
http://gentoo.ccccom.com"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://asgard.int.omnis.com/gentoo-portage"
USE="acl apache2 apm arts avi berkdb crypt cups curl encode fam flash foomaticdb
gd gdbm gif gpm hardenedphp imagemagick imap imlib jpeg ldap libg++ libwww mad
maildir mcal mikmod mmx motif mpeg mysql ncurses nls nptl oci8 oggvorbis opengl
oss pam pdflib perl pfpro png python quicktime readline samba sdl slang snmp
spell sse ssl svga tcpd truetype x86 xml2 xmms xv zlib"
Comment 1 Brad Schuetz 2004-06-03 19:49:00 UTC
More information on this issue.

Adding the hosts entry just delayed the problem for a while; it still happens after a few hours.

Furthermore, after recompiling glibc (and several applications) to remove nptl, the issue still appears, so now I'm not sure where the problem comes from.
Comment 2 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2004-06-03 19:57:56 UTC
Are you using nscd?
If not, turn it on.

I'll see if I can get a chance to put together an ebuild with the patches for testing only, although I'm wondering why upstream didn't merge them after they said they would.
Comment 3 Brad Schuetz 2004-06-03 21:17:46 UTC
Yes, running nscd.  It doesn't help the problem.

It is interesting that even when running nscd, other processes still show connections to ldap (seen via lsof). I'm not sure if this is supposed to happen or not. Programs like ssh, postfix, apache, etc., all show connections to port 389. On this server the only thing LDAP is used for is user lookups via nss_ldap and authentication via pam_ldap.

To keep things stable I've added the option "idletimeout 7200" to the slapd.conf on the server so that it kills off the extra connections.
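
The symptom reported in this bug (connections visible with lsof on the OpenLDAP server but not on the client) can be checked by comparing the two listings. This is an added example, not part of the original thread; the function names, addresses and PIDs are constructed, and it assumes IPv4 listings saved from `lsof -nP -iTCP:389` on each machine.

```shell
#!/bin/sh
# Added example: find LDAP connections the server still holds open that the
# client no longer has. Inputs are saved `lsof -nP -iTCP:389` listings.

# orphaned_ldap_conns SERVER_LSOF CLIENT_LSOF CLIENT_IP
# Prints client endpoints (ip:port) that are ESTABLISHED in the server
# listing but have no matching local socket in the client listing.
orphaned_ldap_conns() {
    awk -v ip="$3" '
        # Skip headers, LISTEN sockets and anything without a peer.
        $NF != "(ESTABLISHED)" || $(NF-1) !~ /->/ { next }
        { split($(NF-1), ep, "->") }           # ep[1]=local, ep[2]=remote
        # Client listing: remember its local endpoints. Comparing FILENAME
        # (not FNR==NR) keeps this correct when the client listing is empty.
        FILENAME == ARGV[1] { seen[ep[1]] = 1; next }
        # Server listing: report peers on CLIENT_IP the client does not have.
        index(ep[2], ip ":") == 1 && !(ep[2] in seen) { print ep[2] }
    ' "$2" "$1" | sort
}

# Constructed sample listings (not taken from the bug report): server
# 10.0.0.2 sees three connections from client 10.0.0.5, the client has one.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/server" <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 812 ldap 7u IPv4 5001 0t0 TCP *:389 (LISTEN)
slapd 812 ldap 12u IPv4 5102 0t0 TCP 10.0.0.2:389->10.0.0.5:40112 (ESTABLISHED)
slapd 812 ldap 13u IPv4 5117 0t0 TCP 10.0.0.2:389->10.0.0.5:40388 (ESTABLISHED)
slapd 812 ldap 14u IPv4 5140 0t0 TCP 10.0.0.2:389->10.0.0.5:41007 (ESTABLISHED)
slapd 812 ldap 15u IPv4 5163 0t0 TCP 10.0.0.2:389->10.0.0.9:52250 (ESTABLISHED)
EOF
    cat > "$d/client" <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 2290 root 4u IPv4 9911 0t0 TCP 10.0.0.5:41007->10.0.0.2:389 (ESTABLISHED)
EOF
    orphaned_ldap_conns "$d/server" "$d/client" 10.0.0.5
    rm -rf "$d"
}

demo
```

Each endpoint printed is a socket slapd is still holding for a client that has already dropped it.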
Comment 4 Brad Schuetz 2004-06-03 21:20:39 UTC
Also, at this time I'm believing that nptl was not to blame for the problem and the problems I was seeing just happened to be the same as in that email on the kernel list.

Could be that the patch was applied to the main tree?  
Comment 5 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2004-11-30 16:11:48 UTC
Upgrade to the latest nss_ldap-22[06].
If this is still a problem after that, re-open.