
Bug 449940

Summary: sys-auth/nss_ldap misses entries with nss_connect_policy oneshot
Product: Gentoo Linux Reporter: Volkmar Glauche <volkmar.glauche>
Component: [OLD] Core system Assignee: Gentoo LDAP project <ldap-bugs>
Status: RESOLVED FIXED
Severity: normal CC: prometheanfire, robbat2
Priority: Normal Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
See Also: http://bugzilla.padl.com/show_bug.cgi?id=322
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: emerge --info

Description Volkmar Glauche 2013-01-03 08:10:26 UTC
Created attachment 334144
emerge --info

There is a bug in sys-auth/nss_ldap that causes LDAP lookups to terminate before all entries are read. By default, nss_ldap uses the setting

nss_connect_policy persist

which means that clients keep their connections to the LDAP server open until they terminate. This causes a lot of open connections on the LDAP server, which may exhaust resources on the server and lead to a denial of service.

According to the documentation in /etc/ldap.conf, this option can be changed to

nss_connect_policy oneshot

In this case, clients are supposed to close their connection to the LDAP server after each request. However, there is a bug in nss_ldap that causes the connection to be dropped prematurely. This bug has been reported upstream but is still open.

https://bugzilla.redhat.com/show_bug.cgi?id=488857 has a review of the issues http://bugzilla.padl.com/show_bug.cgi?id=322, http://bugzilla.padl.com/show_bug.cgi?id=350 and http://bugzilla.padl.com/show_bug.cgi?id=375. It seems that only http://bugzilla.padl.com/show_bug.cgi?id=350 has been fixed by upstream, while http://bugzilla.padl.com/show_bug.cgi?id=322 and http://bugzilla.padl.com/show_bug.cgi?id=375 propose concurrent solutions to the problem of premature closing of connections.

I can confirm that the patch from http://bugzilla.padl.com/show_bug.cgi?id=322 applies to sys-auth/nss_ldap-265-r1 (current stable) and seems to solve the problem.
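An added audit helper for the connection-policy problem described in this report; it is example code written here, not part of the bug, of nss_ldap or of the upstream patch. It assumes ldap.conf directives are whitespace-separated, compared case-insensitively, last occurrence wins, and that the absence of nss_connect_policy means the persist default; the config excerpt and `ss -tn` lines are constructed samples.

```python
"""Two defender-side checks for the nss_ldap connect-policy issue:
(1) which nss_connect_policy a client's /etc/ldap.conf actually selects,
(2) how many established LDAP connections each client holds on the server."""
from collections import Counter

LDAP_PORTS = {"389", "636"}  # ldap / ldaps


def effective_connect_policy(conf_text):
    """Return 'persist' or 'oneshot' for an ldap.conf body (assumption: last key wins)."""
    policy = "persist"  # nss_ldap default when the directive is absent or commented out
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "nss_connect_policy":
            value = parts[1].strip().lower()
            if value not in ("persist", "oneshot"):
                raise ValueError("unknown nss_connect_policy value: %r" % value)
            policy = value
    return policy


def connections_per_client(ss_lines, threshold=1):
    """Count ESTAB connections to the LDAP ports per peer IP from `ss -tn` output.
    Returns {peer_ip: count} for peers at or above threshold: the clients that
    keep connections open, as 'persist' clients do."""
    counts = Counter()
    for line in ss_lines:
        fields = line.split()  # State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        if local.rsplit(":", 1)[-1] not in LDAP_PORTS:
            continue
        counts[peer.rsplit(":", 1)[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample input (not taken from the bug report)
SAMPLE_CONF = "uri ldap://ldap.example.invalid/\nbase dc=example,dc=invalid\n#nss_connect_policy oneshot\n"
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "ESTAB 0 0 10.0.0.1:389 10.0.0.7:51234",
    "ESTAB 0 0 10.0.0.1:389 10.0.0.7:51235",
    "ESTAB 0 0 10.0.0.1:389 10.0.0.7:51236",
    "ESTAB 0 0 10.0.0.1:389 10.0.0.9:40001",
    "ESTAB 0 0 10.0.0.1:22 10.0.0.9:40002",  # not LDAP, ignored
]

if __name__ == "__main__":
    print(effective_connect_policy(SAMPLE_CONF))           # persist
    print(connections_per_client(SAMPLE_SS, threshold=2))  # {'10.0.0.7': 3}
```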
Comment 1 Matthew Thode (prometheanfire) 2014-02-17 05:41:25 UTC
fixed in r3