[Pki-users] Possible PKI LDAP connections leak?

Aleksey Chudov aleksey.chudov at gmail.com
Thu Aug 27 15:15:28 UTC 2015


Hi,

I have found a possible PKI LDAP connection leak on access to the
/ca/rest/securityDomain/domainInfo URL.

To reproduce

# ss -ant state established sport = :636
Recv-Q Send-Q    Local Address:Port      Peer Address:Port
0      0           10.172.3.13:636        10.172.3.13:57696
0      0           10.172.3.13:636        10.172.3.13:57692
0      0           10.172.3.13:636        10.172.3.13:57695
0      0           10.172.3.13:636        10.172.3.13:57690
0      0           10.172.3.13:636        10.172.3.13:57689
0      0           10.172.3.13:636        10.172.3.13:57693
0      0           10.172.3.13:636        10.172.3.13:57688
0      0           10.172.3.13:636        10.172.3.13:57691
0      0           10.172.3.13:636        10.172.3.13:57687

# ss -ant state established sport = :636 | wc -l
10

# for ((i=0; i<256; i++)); do curl http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done

# ss -ant state established sport = :636 | wc -l
266

Every request to the /ca/rest/securityDomain/domainInfo URL increases the number of
LDAP connections and produces the same messages in the debug log:

[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SessionContextInterceptor: Not authenticated.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
AuthMethodInterceptor: mapping: default
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
AuthMethodInterceptor: required auth methods: [*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
AuthMethodInterceptor: anonymous access allowed
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor:
SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
ACLInterceptor.filter: no authorization required
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No
ACL mapping; authz not required.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL
mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization
success
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
MessageFormatInterceptor: content-type: null
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
MessageFormatInterceptor: accept: [*/*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
MessageFormatInterceptor: response format: application/xml
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode,
authorization for servlet: securitydomain is LDAP based, not XML {1}, use
default authz mgr: {2}.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating
LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
LdapBoundConnFactory: init
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
LdapBoundConnFactory:doCloning true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init
begins
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
prompt is internaldb
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
try getting from memory cache
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
got password from memory
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
password found for prompt.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
password ok: store in memory cache
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init
ends
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before
makeConnection errorIfDown is false
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection:
errorIfDown false
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake
happened
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP
connection using basic authentication to host srv334.example.com port 636
as cn=Directory Manager
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with
mininum 3 and maximum 15 connections to host srv334.example.com port 636,
secure connection, true, authentication type 1
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum
connections by 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available
connections 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of
connections 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In
LdapBoundConnFactory::getConn()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is
connected: true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is
connected true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns
now 2
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: name: Company LLC
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:  - cn=srv333.example.com:8443,cn=CAList,ou=Security
Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - cn: srv333.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SubsystemName: CA srv333.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - Clone: FALSE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - host: srv333.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:  - cn=srv334.example.com:8443,cn=CAList,ou=Security
Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - cn: srv334.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - host: srv334.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SubsystemName: CA srv334.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:  - cn=srv335.example.com:8443,cn=CAList,ou=Security
Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - cn: srv335.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - host: srv335.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor:    - SubsystemName: CA srv335.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: OCSP
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: KRA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: RA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: TKS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: TPS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap
connection
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn:
mNumConns now 3


At the same time, requests to other URLs do not increase the number of
established LDAP connections.

Is it a bug or expected behavior?

Aleksey
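The reproduction above can be turned into a reusable check. The script below is an added example, not code from the original post or from the Dogtag/PKI project: it samples the established LDAPS sockets before and after a burst of requests to a URL and reports the per-request growth, so an endpoint that opens a new bound connection pool on every call stands out from one that reuses a bounded pool. It assumes the same environment as the post (LDAPS on port 636, the CA answering on http://localhost, iproute2 `ss` installed) and the column layout `ss` prints when a state filter is given, as in the post's listing. The sample `ss` output embedded in it is constructed for the offline check and is not real data; note that the post's `wc -l` counts the header line, which the counter here skips.

```shell
#!/bin/sh
# Added example (not from the original post): detect an LDAP connection leak
# by comparing established LDAPS sockets before and after a request burst.
# Assumptions: LDAPS on port 636, `ss` from iproute2, and the post's
# state-filtered `ss` layout (Recv-Q Send-Q Local Peer), so the local
# address:port is field 3.

# Count established sockets whose *local* port is $1, reading `ss -ant`
# output from stdin. Skips the header line and anchors the match so that
# :6360 is not counted as :636.
count_established() {
  awk -v port="$1" '
    NR > 1 && $3 ~ (":" port "$") { n++ }
    END { print n + 0 }'
}

# Live sample of established sockets with local port $1 (needs iproute2).
sample_live() {
  ss -ant state established sport = :"$1" | count_established "$1"
}

# Integer number of connections leaked per request.
leak_per_request() {
  echo $(( ($2 - $1) / $3 ))
}

# "LEAK" if the socket count grew by at least one per request, else "OK".
# A correctly pooled endpoint stops growing at the pool's maximum (the post's
# pool is configured with min 3 / max 15), so its rate rounds to 0.
verdict() {
  if [ "$(leak_per_request "$1" "$2" "$3")" -ge 1 ]; then
    echo LEAK
  else
    echo OK
  fi
}

# Fire $2 requests (default 256) at URL $1 and report growth on port $3.
probe_url() {
  url="$1"; requests="${2:-256}"; port="${3:-636}"
  before=$(sample_live "$port")
  i=0
  while [ "$i" -lt "$requests" ]; do
    curl -s -o /dev/null "$url"
    i=$((i + 1))
  done
  after=$(sample_live "$port")
  printf '%s: before=%s after=%s per-request=%s -> %s\n' \
    "$url" "$before" "$after" \
    "$(leak_per_request "$before" "$after" "$requests")" \
    "$(verdict "$before" "$after" "$requests")"
}

# Constructed `ss` output (modelled on the post's listing, not real data)
# so the counter can be exercised without a running directory server.
sample_ss_output() {
  cat <<'EOF'
Recv-Q Send-Q    Local Address:Port      Peer Address:Port
0      0           10.172.3.13:636        10.172.3.13:57696
0      0           10.172.3.13:636        10.172.3.13:57692
0      0           10.172.3.13:6360       10.172.3.13:57695
EOF
}

# Usage on a live system (the post's endpoint, 256 requests, port 636):
#   probe_url http://localhost/ca/rest/securityDomain/domainInfo 256 636
# Offline, on the post's own numbers (header line excluded: 9 -> 265):
#   verdict 9 265 256    # prints LEAK
```

Compare the verdict for the suspect URL against one for a URL that is known to reuse the pool; with the post's numbers (256 requests, 256 new sockets) the rate is exactly one connection per request, which is the signature of a factory being created per call rather than a pool being shared.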