Package: slapd
Version: 2.5.13+dfsg-5
Severity: normal

Dear Maintainer,

This happens on one physical machine using Debian Bookworm and only dedicated to NFS/LDAP services. I never faced this in years with Bullseye before upgrading to Bookworm. Looking into the log files, there are the following messages:

[...]
2023-09-06T14:57:22.996591+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:57:22.996861+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T14:57:53.823167+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:57:53.823810+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T14:59:56.993514+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:59:56.994249+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T15:00:15.129483+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T15:00:15.129643+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T15:00:53.881436+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
2023-09-06T15:01:16.878910+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
2023-09-06T15:01:16.880305+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
[...]

During the DoS, 'systemctl status slapd' did not show me anything strange. Restarting the service solved the trouble.

Are there some possible file closing leaks in slapd itself? ulimit is unlimited by default in any root/user env. What about the slapd service that is launched by systemd?

# systemctl status slapd
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
     Loaded: loaded (/etc/init.d/slapd; generated)
    Drop-In: /usr/lib/systemd/system/slapd.service.d
             └─slapd-remain-after-exit.conf
     Active: active (running) since Wed 2023-09-06 15:41:44 CEST; 51min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 135002 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
      Tasks: 9 (limit: 38189)
     Memory: 73.9M
        CPU: 3.444s
     CGroup: /system.slice/slapd.service
             └─135008 /usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d

Is the 'limit' value (38189) related to the ulimit of its process? slapd does not have a .service file to change this, right?

Many thanks,
Patrice

# cat /etc/default/slapd
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
# default)
SLAPD_PIDFILE=

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldapi:///"

# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1

# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd

# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab

# Additional options to pass to slapd
SLAPD_OPTIONS=""

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.4.0-2-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
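
An added example, not part of the original report: a check that compares a running process's open descriptors with its soft "Max open files" limit, which is the row of /proc/<pid>/limits behind errno=24 and is separate from the Tasks limit that systemctl prints. The PROC_ROOT variable and the function names are assumptions of this sketch; reading another user's /proc/<pid>/fd needs root.

```shell
#!/bin/sh
# Added example: how close is a process to its open-file limit (RLIMIT_NOFILE)?
# PROC_ROOT is an assumption of this sketch so the functions can be pointed at
# a constructed directory tree; on a live host it stays /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Soft "Max open files" limit: 4th field of that row in <proc>/<pid>/limits.
nofile_soft() {
    awk '/^Max open files/ { print $4 }' "$PROC_ROOT/$1/limits" 2>/dev/null
}

# Descriptors currently open: one directory entry per fd in <proc>/<pid>/fd.
fd_count() {
    ls -A "$PROC_ROOT/$1/fd" | wc -l | tr -d ' '
}

# Print "<pid> <open> <soft-limit> <percent-used>".
# Returns 0 below the warning threshold (default 80 percent), 1 at or above
# it, 2 when the pid's limits or fd directory cannot be read.
fd_pressure() {
    pid=$1
    warn=${2:-80}
    soft=$(nofile_soft "$pid") || return 2
    [ -n "$soft" ] || return 2
    [ -r "$PROC_ROOT/$pid/fd" ] || return 2
    open=$(fd_count "$pid")
    if [ "$soft" = "unlimited" ]; then
        echo "$pid $open unlimited 0"
        return 0
    fi
    pct=$(( $open * 100 / $soft ))
    echo "$pid $open $soft $pct"
    [ "$pct" -lt "$warn" ]
}

# Usage (as root): sh fdcheck.sh $(pidof slapd)
for p in "$@"; do
    fd_pressure "$p" || echo "pid $p: at or above threshold, or unreadable (rc=$?)" >&2
done
```

Run periodically, the percentage column shows whether the count climbs steadily between restarts, which is what a descriptor leak looks like, or jumps only under a burst of client connections.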