Bug ID: 18615
Summary: LDAP configuration error causes server resource
depletion under Plack
Change sponsored?: ---
Priority: P5 - low
Assignee: [hidden email] Reporter: [hidden email] QA Contact: [hidden email] CC: [hidden email]
When running with Plack enabled, it is possible to get KOHA to keep spawning
processes until the hosts's resources are exhausted. The immediate upshot is
that KOHA hangs, the final result is that all other services on the host
eventually stop functioning as well.
Steps to reproduce:
Enable useldapserver and specify an empty search base in the ldapserver
Restart koha-plack for the instance.
The plack-error.log file starts filling up with "Compilation failed" errors on
all modules that somehow invoke Auth_with_ldap.pm. The "top" command shows two
active /etc/koha/plack processes owned by the koha-$instance user. Each process
uses ~50% of the available CPU cycles. These processes are replaced
continuously. ps aux | grep apache shows an every increasing number of Apache
instances owned by the same user.
Without Plack, the same configuration problem triggers an error page for KOHA,
but the rest of the services on the host are not affected.
--- Comment #1 from Mason James <[hidden email]> ---
(In reply to Sven Coenye from comment #0)
> When running with Plack enabled, it is possible to get KOHA to keep spawning
> processes until the hosts's resources are exhausted. The immediate upshot is
> that KOHA hangs, the final result is that all other services on the host
> eventually stop functioning as well.
> Steps to reproduce:
> Enable useldapserver and specify an empty search base in the ldapserver
curious.. does the error only occur if the <base> element is empty?
--- Comment #2 from Sven Coenye <[hidden email]> ---
The condition can be reached by triggering any of the "or die" clauses at the
upper level of the Auth_with_ldap module. E.g. a blank hostname will also
Although we originally ran into this on our production server, we have been
able to reproduce this on a fresh KOHA install. Both hosts run Debian 8. The
production server is a SysV virtual machine, the test server is bare metal
using systemd. KOHA is the only application installed on the test machine.
--- Comment #3 from Sven Coenye <[hidden email]> ---
2017.05 has exposed a addition way to trigger this condition.
2016.11 and prior did not need defined values for <user> and <pass> in the
ldapserver configuration block in koha-conf.xml. A change in Auth_with_ldap.pm
(see bug 18947) causes KOHA to attempt an anonymous bind unless user and pass
are defined, regardless of whether these values will be used or not. This
causes Active Directory to reject the attempted login. This rejection is
unexpected and is trapped by a "die" clause, causing Plack to enter the death
--- Comment #4 from Sven Coenye <[hidden email]> ---
On second look, the consequences here are not quite as severe. As the "die"
clause is only triggered when the login fails, Plack does not enter the
It does, however, leave a handful of defunct Apache instances behind for each
such failed login and those will eventually cause the same resource depletion
as the loop case.