[Bug 18615] New: LDAP configuration error causes server resource depletion under Plack

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 18615] New: LDAP configuration error causes server resource depletion under Plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18615

            Bug ID: 18615
           Summary: LDAP configuration error causes server resource
                    depletion under Plack
 Change sponsored?: ---
           Product: Koha
           Version: 16.11
          Hardware: HP
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Authentication
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

When running with Plack enabled, it is possible to get KOHA to keep spawning
processes until the hosts's resources are exhausted. The immediate upshot is
that KOHA hangs, the final result is that all other services on the host
eventually stop functioning as well.

Steps to reproduce:
Enable useldapserver and specify an empty search base in the ldapserver
element:
<useldapserver>1</useldapserver>
<ldapserver>
  ...
  <base></base>
  ...
</ldapserver>

Restart koha-plack for the instance.

The plack-error.log file starts filling up with "Compilation failed" errors on
all modules that somehow invoke Auth_with_ldap.pm. The "top" command shows two
active /etc/koha/plack processes owned by the koha-$instance user. Each process
uses ~50% of the available CPU cycles. These processes are replaced
continuously. ps aux | grep apache shows an every increasing number of Apache
instances owned by the same user.

Without Plack, the same configuration problem triggers an error page for KOHA,
but the rest of the services on the host are not affected.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 18615] LDAP configuration error causes server resource depletion under Plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18615

Mason James <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 18615] LDAP configuration error causes server resource depletion under Plack

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18615

--- Comment #1 from Mason James <[hidden email]> ---
(In reply to Sven Coenye from comment #0)

> When running with Plack enabled, it is possible to get KOHA to keep spawning
> processes until the hosts's resources are exhausted. The immediate upshot is
> that KOHA hangs, the final result is that all other services on the host
> eventually stop functioning as well.
>
> Steps to reproduce:
> Enable useldapserver and specify an empty search base in the ldapserver
> element:
> <useldapserver>1</useldapserver>
> <ldapserver>
>   ...
>   <base></base>
>   ...
> </ldapserver>
>

curious.. does the error only occur if the <base> element is empty?

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 18615] LDAP configuration error causes server resource depletion under Plack

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18615

--- Comment #2 from Sven Coenye <[hidden email]> ---
The condition can be reached by triggering any of the "or die" clauses at the
upper level of the Auth_with_ldap module. E.g. a blank hostname will also
trigger it.

More info:
Although we originally ran into this on our production server, we have been
able to reproduce this on a fresh KOHA install. Both hosts run Debian 8. The
production server is a SysV virtual machine, the test server is bare metal
using systemd. KOHA is the only application installed on the test machine.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 18615] LDAP configuration error causes server resource depletion under Plack

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18615

--- Comment #3 from Sven Coenye <[hidden email]> ---
2017.05 has exposed a addition way to trigger this condition.

2016.11 and prior did not need defined values for <user> and <pass> in the
ldapserver configuration block in koha-conf.xml. A change in Auth_with_ldap.pm
(see bug 18947) causes KOHA to attempt an anonymous bind unless user and pass
are defined, regardless of whether these values will be used or not. This
causes Active Directory to reject the attempted login. This rejection is
unexpected and is trapped by a "die" clause, causing Plack to enter the death
spiral.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Loading...