LDAP closing/deleting connections #1969

Closed
alanbuxey opened this Issue Apr 22, 2017 · 1 comment

Member

alanbuxey commented Apr 22, 2017

Issue type

  • Questions about the server or its usage should be posted to the users mailing list.
  • Remote security exploits MUST be sent to security@freeradius.org.
  • Defect - Crash or memory corruption.
  • Defect - Non compliance with a standards document, or incorrect API usage.
  • [x ] Defect - Unexpected behaviour (obvious or verified by project member).
  • Feature request.

See here for debugging instructions and how to obtain backtraces.

NOTE: PATCHES GO IN PULL REQUESTS. IF YOU SUBMIT A DIFF HERE, THE DEVELOPMENT TEAM WILL HUNT YOU DOWN AND BEAT YOU OVER THE HEAD WITH YOUR OWN KEYBOARD.

Defect/Feature description

How to reproduce issue

authentication requests with the following config in ldap config

	options {
		chase_referrals = yes
		rebind = yes
		use_referral_credentials = no
		res_timeout = 5
		srv_timelimit = 3
		net_timeout = 5
		idle = 0
		probes = 3
		interval = 3
		ldap_debug = 0x0000
	}
	tls {
		start_tls = no
		ca_file	= /etc/raddb/ldap.pem
		require_cert	= 'allow'
	}
	pool {
		start = ${thread[pool].start_servers}
		min = ${thread[pool].min_spare_servers}
		max = ${thread[pool].max_servers}
		spare = ${thread[pool].max_spare_servers} 
		uses = 0
		retry_delay = 30
		lifetime = 0
		idle_timeout = 0
		connect_timeout = 3.0
		spread = yes
	 }

in radiusd.conf, the values are

	start_servers = 64
	max_servers = 64
	min_spare_servers = 0
	max_spare_servers = 64

Output of [radiusd|freeradius] -X showing issue occurring

(you may need to run [radiusd|freeradius] -fxx -l stdout if using eg RADIUS with TLS)
REMOVE SECTION IF FEATURE REQUEST

Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap1): Deleting connection (44)
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap4): Deleting connection (41)
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap2): Deleting connection (42)
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap3): Deleting connection (43)
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap4): Deleting connection (42)
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap1): Deleting connection (45)
Sat Apr 22 17:29:06 2017 : Info: Need 35 more connections to reach 64 spares
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap1): Opening additional connection (75), 1 of 35 pending slots used
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap4): Deleting connection (43)
Sat Apr 22 17:29:06 2017 : Info: Need 33 more connections to reach 64 spares
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap4): Opening additional connection (75), 1 of 33 pending slots used
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap1): Deleting connection (46)
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap2): Deleting connection (43)
Sat Apr 22 17:29:06 2017 : Info: Need 33 more connections to reach 64 spares
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap2): Opening additional connection (75), 1 of 33 pending slots used
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap3): Deleting connection (44)
Sat Apr 22 17:29:06 2017 : Info: Need 34 more connections to reach 64 spares


alandekok added a commit that referenced this issue Nov 3, 2017

Member

alandekok commented Nov 3, 2017

chase_referrals = yes

That's the problem.

The connections are being referred to a different LDAP server. Then, because they're connected to the wrong server, they're closed by the LDAP module.

I've updated the messages to explain why this is happening.

@alandekok alandekok closed this Nov 3, 2017
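To spot the connection churn shown in this report without reading the log by eye, the following added example (not FreeRADIUS code and not part of the original thread) tallies `Deleting connection` and `Opening additional connection` events per `rlm_ldap` instance and flags instances that delete connections in bursts. The function names `summarize` and `churning` and the thresholds `min_deletes` and `window_s` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First 12 lines of the radiusd output quoted in the issue above.
SAMPLE_LOG = """\
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap1): Deleting connection (44)
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap4): Deleting connection (41)
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap2): Deleting connection (42)
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap3): Deleting connection (43)
Sat Apr 22 17:29:05 2017 : Info: rlm_ldap (ldap4): Deleting connection (42)
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap1): Deleting connection (45)
Sat Apr 22 17:29:06 2017 : Info: Need 35 more connections to reach 64 spares
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap1): Opening additional connection (75), 1 of 35 pending slots used
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap4): Deleting connection (43)
Sat Apr 22 17:29:06 2017 : Info: Need 33 more connections to reach 64 spares
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap4): Opening additional connection (75), 1 of 33 pending slots used
Sat Apr 22 17:29:06 2017 : Info: rlm_ldap (ldap1): Deleting connection (46)
"""

# The timestamp is the fixed-width 24-character ctime() form used in the log.
EVENT_RE = re.compile(r"^(?P<ts>.{24}) : Info: rlm_ldap \((?P<inst>[^)]+)\): "
                      r"(?P<kind>Deleting|Opening additional) connection \(\d+\)")
NEED_RE = re.compile(r": Info: Need (\d+) more connections to reach (\d+) spares")

def summarize(log_text):
    """Return ({instance: {"deleted": [timestamps], "opened": count}}, [spare shortfalls])."""
    stats = defaultdict(lambda: {"deleted": [], "opened": 0})
    shortfalls = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m and m["kind"] == "Deleting":
            stats[m["inst"]]["deleted"].append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"))
        elif m:
            stats[m["inst"]]["opened"] += 1
        elif (n := NEED_RE.search(line)):
            shortfalls.append(int(n[1]))  # pool is this many connections short of its spare target
    return dict(stats), shortfalls

def churning(stats, min_deletes=3, window_s=2):
    """Instances with at least min_deletes deletions inside any window_s-second window."""
    flagged = []
    for inst, s in stats.items():
        t = sorted(s["deleted"])
        if any((t[i + min_deletes - 1] - t[i]).total_seconds() <= window_s
               for i in range(len(t) - min_deletes + 1)):
            flagged.append(inst)
    return sorted(flagged)
```

On the excerpt, `churning(summarize(SAMPLE_LOG)[0])` flags `ldap1` and `ldap4`, each of which deleted three connections within one second while opening only one replacement.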
