Ubuntu
openldap package

Comment 13 for bug 2090806

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2025-01-26:

#13

Performing verification for jammy.

I setup a fresh jammy VM according to the testcase. The opendlap version
is:

$ sudo apt-cache policy slapd | grep Installed
Installed: 2.5.18+dfsg-0ubuntu0.22.04.2

from -updates.

Running the reproducer:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap 2784 0.0 0.1 1223580 7688 ? Ssl 03:52 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
$ sudo kill -STOP 2784
$ ldapsearch -x -H ldaps://example.com

top shows ldapsearch running at 100% CPU for over a minute now, so much for the
30 second timeout.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2802 ubuntu 20 0 19428 10556 6312 R 100.0 0.3 1:04.33 ldapsearch

If you leave ldapsearch running, it will never timeout, and stay constantly
at 100% CPU.

I then sent SIGCONT to the slapd process:

$ sudo kill -CONT 2784

and we are back to normal:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

I then enabled -proposed, and installed openldap 2.5.18+dfsg-0ubuntu0.22.04.3

Re-running the reproducer:

I added a time to the second ldapsearch, to show the timeout working effectively.

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap 3532 0.0 0.1 1223580 7700 ? Ssl 03:56 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
$ sudo kill -STOP 3532
$ time ldapsearch -x -H ldaps://example.com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

real 0m30.043s
user 0m0.013s
sys 0m0.009s

A perfect 30 second timeout, with appropriate error message. top shows 0% CPU
the whole time.

The package in -proposed fixes the issue. Happy to mark verified for jammy.

Performing verification for jammy.

I setup a fresh jammy VM according to the testcase. The opendlap version
is:

$ sudo apt-cache policy slapd | grep Installed
 Installed: 2.5.18+dfsg-0ubuntu0.22.04.2
  
from -updates.

Running the reproducer:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap    2784  0.0  0.1 1223580 7688 ?        Ssl  03:52   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
$ sudo kill -STOP 2784
$ ldapsearch -x -H ldaps://example.com

top shows ldapsearch running at 100% CPU for over a minute now, so much for the
30 second timeout.

PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                                        
   2802 ubuntu    20   0   19428  10556   6312 R 100.0   0.3   1:04.33 ldapsearch                                                                     
   
If you leave ldapsearch running, it will never timeout, and stay constantly
at 100% CPU.

I then sent SIGCONT to the slapd process:

$ sudo kill -CONT 2784

and we are back to normal:

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

I then enabled -proposed, and installed openldap 2.5.18+dfsg-0ubuntu0.22.04.3

Re-running the reproducer:

I added a time to the second ldapsearch, to show the timeout working effectively.

$ ldapsearch -x -H ldaps://example.com
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
$ ps aux | grep slapd
openldap    3532  0.0  0.1 1223580 7700 ?        Ssl  03:56   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d
$ sudo kill -STOP 3532
$ time ldapsearch -x -H ldaps://example.com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

real	0m30.043s
user	0m0.013s
sys	0m0.009s

A perfect 30 second timeout, with appropriate error message. top shows 0% CPU
the whole time.

The package in -proposed fixes the issue. Happy to mark verified for jammy.

Ubuntuopenldap package

Comment 13 for bug 2090806

Ubuntu
openldap package