slapd crashes when multiple simultaneous connections from same IP address
Previously in Snow Leopard, when Linux and/or other systems authenticated against Open Directory's OpenLDAP slapd service... things behaved fine.
In Mountain Lion OS X Server ... slapd will crash if multiple authentication request connections are received from the same client IP at the same time.
Client:
# csshX is a cluster ssh... it's the equivalent of opening 5 terminal windows and then typing "ssh myserver"
# "myserver" will authenticate against the Open Directory master (slapd)
csshX myserver myserver myserver myserver myserver
# enter your password ...
# at best 1 of 5 terminals connects ... the rest re-prompt for the password as they were not able to complete the connection
Server slapd Crash:
Sep 5 12:36:52 server.company.com ReportCrash[73128]: LaunchServices/5123589: Unable to lookup coreservices session port for session 0x186a0 uid=0 euid=0
Sep 5 12:36:52 server.company.com ReportCrash[73128]: failed looking up LS service ( scCreateSystemService returned MACH_PORT_NULL, called from SetupCoreApplicationServicesCommunicationPort, so using client-side NULL calls.
Sep 5 14:22:49 server.company.com slapd[74709]: @(#) $OpenLDAP: slapd 2.4.28 (Jun 20 2012 15:31:09) $ root@b1032.apple.com:/private/var/tmp/OpenLDAP/OpenLDAP-208~28/servers/slapd
Sep 5 14:22:49 server.company.com slapd[74709]: slap_add_listener: opened additional listener 'ldaps:///'
Sep 5 14:22:49 server.company.com slapd[74709]: bdb_db_open: database "dc=server,dc=company,dc=com": unclean shutdown detected; attempting recovery.
Sep 5 14:22:49 server.company.com slapd[74709]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Sep 5 14:22:49 server.company.com slapd[74709]: bdb_db_open: database "cn=authdata": unclean shutdown detected; attempting recovery.
Sep 5 14:22:50 server.company.com slapd[74709]: slapd starting
Sep 5 14:22:50 server.company.com slapd[74709]: daemon: posting com.apple.slapd.startup notification
# the connections in lsof -i drop ... and the PID is cycled out as slapd is restarted
The same procedure authenticating against Snow Leopard Server was fine.
We believe there is a bug in this 2.4.28 slapd build shipped with Mountain Lion surrounding concurrency and mutex locks???
The problem does not appear to exist if you open connections to 5 different servers with 5 different IP addresses.
Performing multiple ldapsearch requests at the exact same time is fine so long as you do not bind / authenticate to the openldap server. It appears binding is related.
Additional Info:
-- Changelog for Apple openldap: http://www.opensource.apple.com/source/OpenLDAP/OpenLDAP-208/OpenLDAP/CHANGES
-- Suspiciously similar bug that Red Hat OpenLDAP used to have (probably unrelated)
---- "Previously, multiple concurrent connections to an OpenLDAP server could cause the slapd service to terminate unexpectedly with an assertion error. This update adds mutexes to protect multiple threads from accessing a structure with a connection, and the slapd service no longer crashes. (BZ#677611)"
---- http://www.redhat.com/archives/enterprise-watch-list/2011-March/msg00022.html
---- this could be entirely unrelated
-- http://www.openldap.org/software/release/changes.htm
---- Fixed slapd crash when attrsOnly is true (ITS#7143) ???
---- the above bug was patched after the release that ships with mountain lion ... however... I have not been able to mess with this yet:
---- ./slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.11.5.1.23 NAME 'reqAttrsOnly' DESC '
---- ./slapd.d/cn=config/cn=schema.ldif: ses $ reqAttrsonly ) MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
---- the above may be a factor
-- We've adjusted the following slapd config variables in /etc/openldap/slapd_macosxserver.conf with no success
---- conn_max_pending 2048
---- conn_max_pending_auth 4096
---- concurrency 1000
---- threads 100
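An added reproduction harness, not code from the report above. Instead of csshX plus ssh it issues N simultaneous simple binds directly with the OpenLDAP client tool ldapwhoami from one client host, which is the narrower trigger the report's "it appears binding is related" observation points at. Assumptions (none from the report): ldapwhoami is on PATH; LDAP_URI, BIND_DN and BIND_PW are placeholders to replace; the optional PID check uses `pgrep -x slapd` and is only meaningful when the script runs on the OD master itself.

```python
"""Added example (not code from the report): N simultaneous simple binds from
one client host, to exercise the 'concurrent binds from the same IP' case
without csshX/ssh.

Assumptions: the OpenLDAP client tool ldapwhoami is on PATH; LDAP_URI,
BIND_DN and BIND_PW are placeholders; CHECK_PID uses `pgrep -x slapd` and is
only meaningful when this runs on the OD master (slapd host) itself.
"""
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

LDAP_URI = "ldaps://myserver"                                  # placeholder
BIND_DN = "uid=testuser,cn=users,dc=server,dc=company,dc=com"  # placeholder
BIND_PW = "changeme"                                           # placeholder
N_CONNECTIONS = 5
CHECK_PID = False   # set True only when running on the slapd host


def one_bind(uri, dn, pw, timeout=15):
    """Perform one simple bind; return (exit_status, stderr).
    ldapwhoami exits 0 on success, 49 on invalid credentials and 255 when it
    cannot contact the server (a slapd that died mid-bind shows up as 255,
    a reset connection, or a timeout)."""
    try:
        p = subprocess.run(["ldapwhoami", "-x", "-H", uri, "-D", dn, "-w", pw],
                           capture_output=True, text=True, timeout=timeout)
        return p.returncode, p.stderr.strip()
    except subprocess.TimeoutExpired:
        return -1, "timeout"
    except FileNotFoundError:
        return -2, "ldapwhoami not installed"


def run_concurrent_binds(n, uri, dn, pw):
    """Start n binds at once so they overlap on the server side."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        futures = [pool.submit(one_bind, uri, dn, pw) for _ in range(n)]
        return [f.result() for f in futures]


def summarize(results):
    """Pure helper (testable offline): count successes and failures and
    collect the distinct failure messages."""
    failed = [(rc, msg) for rc, msg in results if rc != 0]
    return {
        "ok": len(results) - len(failed),
        "failed": len(failed),
        "reasons": sorted({msg for _, msg in failed}),
    }


def slapd_pids():
    """PIDs of running slapd processes (empty list if none)."""
    p = subprocess.run(["pgrep", "-x", "slapd"], capture_output=True, text=True)
    return p.stdout.split()


def main():
    before = slapd_pids() if CHECK_PID else None
    summary = summarize(run_concurrent_binds(N_CONNECTIONS, LDAP_URI, BIND_DN, BIND_PW))
    after = slapd_pids() if CHECK_PID else None
    print(f"{summary['ok']} of {N_CONNECTIONS} binds succeeded; failures: {summary['reasons']}")
    if CHECK_PID:
        print("slapd PID changed (restart)" if before != after else f"slapd PID stable: {after}")
    return 0 if summary["failed"] == 0 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it once with N_CONNECTIONS=1 to confirm the credentials work, then with 5; a healthy server returns 5 successes, while the behaviour described in the report would show one success at best with the rest failing to contact the server and, with CHECK_PID on the master, a new slapd PID.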
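An added log check, not from the report: it parses syslog lines like the "Server slapd Crash" excerpt above and reports each slapd start whose PID differs from the previous one and which had to recover a database from an unclean shutdown, i.e. the crash-and-respawn signature rather than an ordinary restart. The sample lines are constructed from the report's excerpt plus an earlier clean start (PID 74020) that is made up to show the PID rolling over; the standard BSD syslog field layout is assumed.

```python
"""Added example (not code from the report): detect slapd crash/restart
cycles in syslog output.

Sample log below is constructed from the report's excerpt; the earlier clean
start with PID 74020 is invented to show the PID changing. Field layout
assumed: 'Mon DD HH:MM:SS host prog[pid]: message'.
"""
import re

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UNCLEAN_RE = re.compile(r'bdb_db_open: database "(?P<db>[^"]+)": unclean shutdown detected')

SAMPLE_LOG = """\
Sep 5 12:30:01 server.company.com slapd[74020]: slapd starting
Sep 5 12:36:52 server.company.com ReportCrash[73128]: LaunchServices/5123589: Unable to lookup coreservices session port for session 0x186a0 uid=0 euid=0
Sep 5 14:22:49 server.company.com slapd[74709]: slap_add_listener: opened additional listener 'ldaps:///'
Sep 5 14:22:49 server.company.com slapd[74709]: bdb_db_open: database "dc=server,dc=company,dc=com": unclean shutdown detected; attempting recovery.
Sep 5 14:22:49 server.company.com slapd[74709]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Sep 5 14:22:49 server.company.com slapd[74709]: bdb_db_open: database "cn=authdata": unclean shutdown detected; attempting recovery.
Sep 5 14:22:50 server.company.com slapd[74709]: slapd starting
Sep 5 14:22:50 server.company.com slapd[74709]: daemon: posting com.apple.slapd.startup notification
"""


def parse_syslog_line(line):
    """Split one syslog line into fields, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def find_slapd_starts(lines):
    """One record per 'slapd starting' line: PID, timestamp, the databases
    that reported an unclean shutdown while that PID was starting up, and
    whether the PID differs from the previous start (a respawn)."""
    starts = []
    unclean = {}      # pid -> [db, ...] seen before its 'slapd starting'
    prev_pid = None
    for raw in lines:
        rec = parse_syslog_line(raw.rstrip("\n"))
        if not rec or rec["prog"] != "slapd":
            continue          # ReportCrash, launchd etc. are ignored here
        pid = int(rec["pid"])
        u = UNCLEAN_RE.search(rec["msg"])
        if u:
            unclean.setdefault(pid, []).append(u.group("db"))
        elif rec["msg"] == "slapd starting":
            starts.append({
                "ts": rec["ts"],
                "pid": pid,
                "restart": prev_pid is not None and pid != prev_pid,
                "unclean_dbs": unclean.pop(pid, []),
            })
            prev_pid = pid
    return starts


def crash_restarts(lines):
    """Only the starts that look like crash recoveries: the PID changed and
    at least one BDB database needed recovery."""
    return [s for s in find_slapd_starts(lines) if s["restart"] and s["unclean_dbs"]]


if __name__ == "__main__":
    for s in crash_restarts(SAMPLE_LOG.splitlines()):
        print(f"{s['ts']} slapd respawned as pid {s['pid']}; "
              f"recovered: {', '.join(s['unclean_dbs'])}")
```

Feed it the real log (`python3 detect.py < /var/log/system.log` after swapping SAMPLE_LOG for sys.stdin) and correlate each reported respawn time with the client-side password re-prompts; a clean `launchctl` restart shows a PID change without any "unclean shutdown detected" line and is deliberately not reported.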