On 2006-07-16, at 6:16 PM, Quanah Gibson-Mount wrote:
If the debian build links against tcp wrappers, that may be the actual problem. This is rather well discussed on the OpenLDAP archives.
I couldn't find much which seemed relevant in the archives but I've confirmed that this is not the problem by rebuilding slapd with --disable-wrappers (verified with ldd) and confirming that the same trivial DoS exists:
#!/usr/bin/perl -w
use strict;
use Socket;
my $sockaddr = sockaddr_in(389, inet_aton("ldap"));
my $proto = getprotobyname('tcp');
my @Sockets;
for (my $n = 0; $n < 4096; $n++) {
    socket($Sockets[$n], PF_INET, SOCK_STREAM, $proto) or die("Couldn't create socket $n: $!");
    connect($Sockets[$n], $sockaddr) or die("Couldn't connect socket #$n: $!");
    print "$n\n";
}
Rebuilding slapd after making the following addition to debian/rules successfully raises the limit:
CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -DOPENLDAP_FD_SETSIZE=8192 -DFD_SETSIZE=8192
At this point the DoS script no longer works - suggesting that this should become part of the default build since the failure mode is severe with e.g. pam-ldap.
Chris
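
Added example, not part of the original message or of OpenLDAP: a monitoring-side check that counts established connections to the LDAP port in `ss -tn` style output and reports when the total approaches the server's descriptor limit or a single peer holds a large share of it. The sample lines are constructed; the 1024 limit, the thresholds and the function names are assumptions, and 8192 is the value from the CFLAGS line above.

```python
from collections import Counter


def parse_peer(line, port=389):
    """Return the peer address of an established connection to `port`, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "ESTAB":
        return None
    local, peer = fields[3], fields[4]
    if local.rsplit(":", 1)[-1] != str(port):
        return None
    # rsplit keeps IPv6 literals such as [2001:db8::9]:51001 intact
    return peer.rsplit(":", 1)[0].strip("[]")


def connection_report(lines, fd_limit, port=389, peer_share=0.25, warn_at=0.8):
    """Summarise connection pressure against a select()-style descriptor limit.

    fd_limit   -- the FD_SETSIZE the server was built with (assumed known)
    peer_share -- fraction of fd_limit one peer may hold before it is listed
    warn_at    -- fraction of fd_limit at which the total is considered close
    The server also spends descriptors on listeners, logs and database files,
    so the real headroom is smaller than fd_limit - total.
    """
    peers = Counter(p for p in (parse_peer(l, port) for l in lines) if p)
    total = sum(peers.values())
    return {
        "total": total,
        "near_limit": total >= warn_at * fd_limit,
        "heavy_peers": sorted(p for p, n in peers.items()
                              if n >= peer_share * fd_limit),
    }


# Constructed sample: one client holding 900 connections, two ordinary
# clients, plus lines that must be ignored (other port, listening socket).
SAMPLE = (
    [f"ESTAB 0 0 192.0.2.10:389 198.51.100.7:{40000 + i}" for i in range(900)]
    + ["ESTAB 0 0 192.0.2.10:389 203.0.113.5:51000",
       "ESTAB 0 0 192.0.2.10:389 [2001:db8::9]:51001",
       "ESTAB 0 0 192.0.2.10:22 203.0.113.5:51002",
       "LISTEN 0 128 0.0.0.0:389 0.0.0.0:*"]
)

if __name__ == "__main__":
    print(connection_report(SAMPLE, fd_limit=1024))   # assumed stock limit
    print(connection_report(SAMPLE, fd_limit=8192))   # limit after the rebuild
```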

