Ubuntu
openldap package

Comment 12 for bug 2090806

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2025-01-26:

#12

Performing verification for noble.

I setup a fresh noble VM according to the testcase. The opendlap version
is:

$ sudo apt-cache policy slapd | grep Installed
Installed: 2.6.7+dfsg-1~exp1ubuntu8.1

from -updates.

Running the reproducer:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap 7851 0.0 0.1 1224136 7988 ? Ssl 03:06 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
$ sudo kill -STOP 7851
$ ldapsearch -x -H ldaps://example.com

top shows ldapsearch running at 100% CPU for over a minute now, so much for the
30 second timeout.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7869 ubuntu 20 0 20724 11084 6784 R 99.7 0.3 1:08.92 ldapsearch

If you leave ldapsearch running, it will never timeout, and stay constantly
at 100% CPU.

I then sent SIGCONT to the slapd process:

$ sudo kill -CONT 7851

and we are back to normal:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

I then enabled -proposed, and installed openldap 2.6.7+dfsg-1~exp1ubuntu8.2

Re-running the reproducer:

I added a time to the second ldapsearch, to show the timeout working effectively.

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap 8559 0.0 0.2 1224140 8344 ? Ssl 03:10 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
$ sudo kill -STOP 8559
$ time ldapsearch -x -H ldaps://example.com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

real 0m30.040s
user 0m0.012s
sys 0m0.007s

A perfect 30 second timeout, with appropriate error message. top shows 0% CPU
the whole time.

The package in -proposed fixes the issue. Happy to mark verified for noble.

Performing verification for noble.

I setup a fresh noble VM according to the testcase. The opendlap version
is:

$ sudo apt-cache policy slapd | grep Installed
  Installed: 2.6.7+dfsg-1~exp1ubuntu8.1
  
from -updates.

Running the reproducer:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap    7851  0.0  0.1 1224136 7988 ?        Ssl  03:06   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
$ sudo kill -STOP 7851
$ ldapsearch -x -H ldaps://example.com

top shows ldapsearch running at 100% CPU for over a minute now, so much for the
30 second timeout.

PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                                        
   7869 ubuntu    20   0   20724  11084   6784 R  99.7   0.3   1:08.92 ldapsearch

If you leave ldapsearch running, it will never timeout, and stay constantly
at 100% CPU.

I then sent SIGCONT to the slapd process:

$ sudo kill -CONT 7851

and we are back to normal:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

I then enabled -proposed, and installed openldap 2.6.7+dfsg-1~exp1ubuntu8.2

Re-running the reproducer:

I added a time to the second ldapsearch, to show the timeout working effectively.

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap    8559  0.0  0.2 1224140 8344 ?        Ssl  03:10   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
$ sudo kill -STOP 8559
$ time ldapsearch -x -H ldaps://example.com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

real	0m30.040s
user	0m0.012s
sys	0m0.007s

A perfect 30 second timeout, with appropriate error message. top shows 0% CPU
the whole time.

The package in -proposed fixes the issue. Happy to mark verified for noble.

Ubuntuopenldap package

Comment 12 for bug 2090806

Ubuntu
openldap package