[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: OpenLDAP 2.4.45 possible denial of service vulnerability?
--On Wednesday, January 30, 2019 9:43 AM +0000
Juergen.Sprenger@swisscom.com wrote:
Hi,
After upgrading to the latest Release (Solaris 11.3 SRU35, OpenLDAP
2.4.45) we are experiencing massive workloads caused by single clients
consuming all available threads and CPU-resources.
Solaris 11.4 is out (just to note). And the latest OpenLDAP release is
2.4.47 (just to note).
tool-threads 8
A tool-threads setting > 2 is ignored with back-mdb.
maxreaders 4096
This is an extremely large value (default is 126). Are you sure you need
this bumped so high?
searchstack 64
Similarly here.
So far we experienced this behavior with clients of Oracle Enterprise
Linux 6.x, Redhat Enterprise Linux 6.x and AIX. Service requests are
opened at vendors support, but I'd prefer to have an installation which
is less vulnerable and more resilient to issues of this kind.
I'd estimate that your ability to get a useful response from either is near
zero. If you have an enterprise operation that needs support for OpenLDAP
you may want to look at Symas' enterprise OpenLDAP builds (Symas Gold). We
provide builds and support for Solaris 11.
To avoid performance issues loglevel is now "none stats sync" but can be
changed for some time to track down the cause.
You could just do "stats sync", not really a reason to leave "none" in the
list.
Generally if you hit an issue such as this, you would want to provde a full
backtrace of the slapd process from a utility such as GDB.
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>