<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:\65B0\7D30\660E\9AD4;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:\65B0\7D30\660E\9AD4;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@\65B0\7D30\660E\9AD4";
panose-1:2 2 5 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
/* Page Definitions */
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-TW link=blue vlink=purple style='text-justify-trim:punctuation'><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hi all,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>We’re using 2.2.0 on RHEL 6.2 using LDAPS as authentication backend. The servers are running well over 2 years until recently. The server fails with SIGSEGV or SIGABRT whenever there is ‘burst’ of authentication requests, say over 100 requests in the same second. In the SIGSEGV case, coredump shows:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>--------------------- cut here ----------------------------<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Core was generated by `/usr/local/sbin/radiusd -d /usr/local/etc/raddb'.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Program terminated with signal 11, Segmentation fault.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#0 0x00007f402afa9b89 in ldap_connect (instance=0xd24cf0,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> dn=0x7f3f98022818 "uid=1234576,dc=cuhk,dc=edu,dc=hk", password=0x….. "hideme", auth=1, result=0x7f401d780fac,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> err=0x0) at rlm_ldap.c:2410<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2410 if (strcmp(TLS_DEFAULT_VERIFY, inst->tls_require_cert ) != 0 ) {<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.23-13.el6.x86_64 glibc-2.12-1.107.el6_4.5.x86_64 keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-10.el6_4.3.x86_64 libcom_err-1.41.12-11.el6.x86_64 libgcc-4.4.6-3.el6.x86_64 libselinux-2.0.94-5.2.el6.x86_64 mysql-libs-5.1.69-1.el6_4.x86_64 nspr-4.9.5-2.el6_4.x86_64 nss-3.14.3-4.el6_4.x86_64 nss-softokn-3.14.3-3.el6_4.x86_64 nss-softokn-freebl-3.14.3-3.el6_4.x86_64 nss-util-3.14.3-3.el6_4.x86_64 openldap-2.4.23-32.el6_4.1.x86_64 openssl-1.0.0-27.el6_4.2.x86_64 sqlite-3.6.20-1.el6.x86_64 zlib-1.2.3-29.el6.x86_64<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(gdb) bt<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#0 0x00007f402afa9b89 in ldap_connect (instance=0xd24cf0,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> dn=0x7f3f98022818 " uid=1234576,dc=cuhk,dc=edu,dc=hk", password=0x….. "hideme", auth=1, result=0x7f401d780fac,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> err=0x0) at rlm_ldap.c:2410<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#1 0x00007f402afacecf in ldap_authenticate (instance=0xd24cf0,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> request=0xd8bfe0) at rlm_ldap.c:1938<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#2 0x000000000041c742 in call_modsingle (component=0,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> c=<value optimized out>, request=<value optimized out>) at modcall.c:304<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#3 modcall (component=0, c=<value optimized out>,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> request=<value optimized out>) at modcall.c:686<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#4 0x0000000000418c83 in indexed_modcall (comp=0, idx=7980103,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> request=0xd8bfe0) at modules.c:740<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#5 0x000000000040941c in rad_check_password (request=0xd8bfe0) at auth.c:382<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#6 rad_authenticate (request=0xd8bfe0) at auth.c:667<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#7 0x0000000000428365 in radius_handle_request (request=0xd8bfe0,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> fun=0x408ae0 <rad_authenticate>) at event.c:3784<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#8 0x00000000004204cb in request_handler_thread (arg=0xd8f700)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> at threads.c:537<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#9 0x0000003a12c07851 in start_thread () from /lib64/libpthread.so.0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#10 0x0000003a124e894d in clone () from /lib64/libc.so.6<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(gdb) frame 0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#0 0x00007f402afa9b89 in ldap_connect (instance=0xd24cf0,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> dn=0x7f3f98022818 " uid=1234576,dc=cuhk,dc=edu,dc=hk", password=0x….. "hideme", auth=1, result=0x7f401d780fac,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> err=0x0) at rlm_ldap.c:2410<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2410 if (strcmp(TLS_DEFAULT_VERIFY, inst->tls_require_cert ) != 0 ) {<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(gdb) info locals<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>inst = 0xd24cf0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>ld = 0x7f3f980238d0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>msgid = <value optimized out><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>rc = <value optimized out><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>ldap_version = 3<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>ldap_errno = 0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>res = <value optimized out><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>tv = {tv_sec = 1, tv_usec = 0}<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(gdb) info args<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>instance = 0xd24cf0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>dn = 0x7f3f98022818 "uid=1234567,dc=cuhk,dc=edu,dc=hk"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>password=0x….. "hideme"auth = 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>result = 0x7f401d780fac<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>err = 0x0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(gdb) print inst->tls_require_cert<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>$1 = 0x0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(gdb) print inst->xlat_name<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>$2 = 0xd1d110 "ldap" <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>--------------------- cut here ----------------------------<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>inst->tls_require_cert becomes null while we’ve ‘require_cert = "never"’ defined in modules/ldap. There is no problem when the loading is not high:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Mon Oct 28 09:10:48 2013 : Debug: [ldap] setting TLS mode to 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Mon Oct 28 09:10:48 2013 : Debug: [ldap] setting TLS CACert File to /usr/local/etc/raddb/certs/cacert.pem<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Mon Oct 28 09:10:48 2013 : Debug: [ldap] setting TLS Require Cert to never<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Would anyone please advise? Thanks a lot.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Besides, as we must use LDAP for authentication backend which maybe a bottleneck, is it feasible to have kind of QoS/rate control for incoming authentication requests, and/or some LDAP authentication result caching? Sorry for the naïve questions. Thanks again.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Best Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>/ST Wong<o:p></o:p></span></p></div></body></html>