Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 449940 - sys-auth/nss_ldap misses entries with nss_connect_policy oneshot
Summary: sys-auth/nss_ldap misses entries with nss_connect_policy oneshot
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo LDAP project
Keywords: PATCH
Depends on:
Reported: 2013-01-03 08:10 UTC by Volkmar Glauche
Modified: 2014-02-17 05:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

emerge --info (,6.35 KB, text/plain)
2013-01-03 08:10 UTC, Volkmar Glauche

Note You need to log in before you can comment on or make changes to this bug.
Description Volkmar Glauche 2013-01-03 08:10:26 UTC
Created attachment 334144 [details]
emerge --info

There is a bug in sys-auth/nss_ldap that causes LDAP lookups to terminate before all entries are read. By default, nss_ldap uses the setting

nss_connect_policy persist

which means that clients keep their connections to the LDAP server open until they terminate. This causes a lot of open connections on the LDAP server which may exhaust resources on the server and lead to a denial of service.

According to the documentation in /etc/ldap.conf, this option can be changed to

nss_connect_policy oneshot

In this case, clients are supposed to close their connection to the LDAP server after each request. However, there is a bug in nss_ldap that causes the connection to be dropped prematurely. This bug has been reported upstream but is still open. has a review of the issues,, It seems that only has been fixed by upstream, while and propose concurrent solutions to the problem of premature closing of connections.

I can confirm that the patch from applies to sys-auth/nss_ldap-265-r1 (current stable) and seems to solve the problem.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-17 05:41:25 UTC
fixed in r3