From nobody@FreeBSD.org  Mon Oct 10 09:27:32 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 88F47106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Oct 2011 09:27:32 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 6E53E8FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Oct 2011 09:27:32 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p9A9RVHN020098
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Oct 2011 09:27:31 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p9A9RVQE020090;
	Mon, 10 Oct 2011 09:27:31 GMT
	(envelope-from nobody)
Message-Id: <201110100927.p9A9RVQE020090@red.freebsd.org>
Date: Mon, 10 Oct 2011 09:27:31 GMT
From: Patrick Proniewski <patpro@patpro.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: on a system bound to an LDAP server, top tries to get the whole LDAP content to resolve uids
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         161456
>Category:       kern
>Synopsis:       [libpam] on a system bound to an LDAP server, top tries to get the whole LDAP content to resolve uids
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 10 09:30:10 UTC 2011
>Closed-Date:    
>Last-Modified:  Fri Mar  9 10:50:07 UTC 2012
>Originator:     Patrick Proniewski
>Release:        7.3-RELEASE-p7 and 8.2-RELEASE-p3
>Organization:
Université Lyon2
>Environment:
FreeBSD foo.univ-lyon2.fr 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

and 

FreeBSD bar.univ-lyon2.fr 7.3-RELEASE-p7 FreeBSD 7.3-RELEASE-p7 #0: Tue Sep 27 13:10:21 UTC 2011     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
According to its man page, top(1) will read the whole passwd database at launch time, to resolve numerical uids into user logins.
When the system is hooked to an LDAP server for user authentication, top(1) will try to download the whole content of the LDAP database.

If the LDAP server shuts down the connection (because you reach a limit, for example), top(1) dies and displays nothing but the error message "Broken pipe". That's how it works when I bind the FreeBSD system to our Sun Directory Server: top(1) downloads about 3MB of LDAP data, the LDAP server kills the connection, top(1) dies.

If the LDAP server immediately sends an error but doesn't kill the connection, top(1) will resolve each foreign uid through LDAP, one at a time, and will properly display its output. That's how it works when I bind the FreeBSD system to our LDAP proxy: top(1) tries to download the LDAP content, the proxy replies "The server is not configured to pass through control 1.2.840.113556.1.4.319", top(1) sends individual requests to resolve discrete uids, top(1) displays its output.

My FreeBSD systems use nscd, but I made a full cache flush before each test. Note: even without flushing, the first behavior is always true.

>How-To-Repeat:
0 - PREREQUISITES: bind your FreeBSD system to an LDAP server
- install nss_ldap and pam_ldap
- edit /etc/pam.d/sshd to add this line:

#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
+ auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail
auth            required        pam_unix.so             no_warn try_first_pass

and this line:

account		required	pam_login_access.so
+account		required	/usr/local/lib/pam_ldap.so	no_warn ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so

- edit /usr/local/etc/nss_ldap.conf and /usr/local/etc/ldap.conf to add proper LDAP binding (provide binddn and bindpw)
- edit /etc/nsswitch.conf to add "ldap" and/or "cache" on those lines (cache is for nscd):

group: cache files 
hosts: cache files dns
passwd: cache files ldap

- check the bind with `id $some-ldap-user`, for example.
- launch nscd (/etc/rc.d/nscd forcestart, for example)

1 - TEST top(1):
If your LDAP database is very small, you can tcpdump on port 389 or 636 to monitor the connection. You can also use ktrace on the top process, to see what's going on.
If your LDAP database is big (ours is 140 K records long), the top process will just hang a long time before displaying anything.

2 - TEST top(1) with the -u flag:
top -u should display its output immediately.

>Fix:


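The per-uid resolution that the second scenario above falls back to, written out as an added example (mine, not code from top(1), nss_ldap or FreeBSD): it resolves uids through getpwuid(3) via Python's pwd module, never calls getpwent()/pwd.getpwall() (which is the enumeration that, with nss_ldap, pulls the whole directory), and memoises both hits and misses so each foreign uid costs one directory lookup for the lifetime of the process. The process table and the `fake_lookup` directory are constructed for the demo; `system_lookup` is what you would plug in on a real host.

```python
import pwd
from typing import Callable, Dict, Iterable, List, Tuple


def system_lookup(uid: int) -> str:
    """Resolve one uid through the NSS passwd backend (getpwuid(3)).

    With nss_ldap this is one search filtered on uidNumber, unlike
    getpwent()/pwd.getpwall(), which enumerates the whole passwd map and,
    on an LDAP-bound host, downloads the entire directory.
    """
    return pwd.getpwuid(uid).pw_name  # raises KeyError for an unknown uid


class UidResolver:
    """uid -> login cache that only ever performs point lookups.

    Misses are cached too: a uid the directory does not know would
    otherwise be re-queried on every screen refresh.
    """

    def __init__(self, lookup: Callable[[int], str] = system_lookup) -> None:
        self._lookup = lookup
        self._cache: Dict[int, str] = {}
        self.backend_calls = 0  # how many times NSS was actually asked

    def name(self, uid: int) -> str:
        if uid in self._cache:
            return self._cache[uid]
        self.backend_calls += 1
        try:
            login = self._lookup(uid)
        except KeyError:
            login = str(uid)  # same fallback as top(1): show the number
        self._cache[uid] = login
        return login


def annotate(procs: Iterable[Tuple[int, int, str]],
             resolver: UidResolver) -> List[Tuple[int, str, str]]:
    """Attach a login name to each (pid, uid, command) row."""
    return [(pid, resolver.name(uid), cmd) for pid, uid, cmd in procs]


# Constructed stand-in for the directory; on a real host use system_lookup.
FAKE_DIRECTORY = {0: "root", 1001: "patpro", 1002: "cgrosjean"}


def fake_lookup(uid: int) -> str:
    if uid in FAKE_DIRECTORY:
        return FAKE_DIRECTORY[uid]
    raise KeyError(uid)


# Constructed process table: (pid, uid, command).
SAMPLE_PROCS = [
    (1, 0, "init"),
    (612, 0, "sshd"),
    (2048, 1001, "zsh"),
    (2077, 1001, "top"),
    (2100, 4242, "orphan"),  # uid unknown to the directory
    (2101, 4242, "orphan"),
]


def demo(procs=SAMPLE_PROCS, lookup=fake_lookup):
    """Resolve every row; return (annotated rows, number of backend lookups)."""
    resolver = UidResolver(lookup)
    rows = annotate(procs, resolver)
    return rows, resolver.backend_calls


if __name__ == "__main__":
    rows, calls = demo()
    for pid, user, cmd in rows:
        print(f"{pid:6d} {user:<10} {cmd}")
    print(f"{calls} directory lookups for {len(rows)} rows")
```

Six rows with three distinct uids cost three lookups, and the unknown uid 4242 is asked about once, not once per row. Nothing here ever asks the directory for more than one entry at a time, so neither the size limit that killed the connection to the Sun Directory Server nor the paged-results control the proxy rejected comes into play.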
>Release-Note:
>Audit-Trail:

From: Cyril Grosjean <cgrosjean@janua.fr>
To: bug-followup@FreeBSD.org, patpro@patpro.net
Cc:  
Subject: Re: kern/161456: [libpam] on a system bound to an LDAP server, top
 tries to get the whole LDAP content to resolve uids
Date: Fri, 09 Mar 2012 11:13:53 +0100

 Actually,
 
 A fix would consist in having a parameter (or suchlike option) on
 the FreeBSD side to decide whether or not to send an LDAP paged-results
 control.
 This way, FreeBSD would be able to accommodate any kind of LDAP
 (or LDAP proxy) server configuration.
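The control the proxy refused, 1.2.840.113556.1.4.319, is the Simple Paged Results control of RFC 2696; an enumeration of the passwd map through nss_ldap is a paged search carrying it, which is what the switch proposed above would turn off. The following is an added example (mine, not nss_ldap's or FreeBSD's code) that encodes and decodes that control in BER so its on-wire shape can be compared against a tcpdump of port 389. The page size, cookie and `critical` flag are assumptions for the demo; the report does not say how nss_ldap sets them.

```python
"""Encode/decode the LDAP Simple Paged Results control (RFC 2696).

    Control ::= SEQUENCE {
        controlType  LDAPOID,            -- OCTET STRING
        criticality  BOOLEAN DEFAULT FALSE,
        controlValue OCTET STRING OPTIONAL }
    realSearchControlValue ::= SEQUENCE {
        size   INTEGER (0..maxInt),
        cookie OCTET STRING }
"""
from typing import Tuple

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x01, 0x02, 0x04, 0x30


def _ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _ber_integer(value: int) -> bytes:
    """Two's-complement INTEGER; the extra byte keeps the sign bit clear."""
    if value < 0:
        raise ValueError("page size is non-negative")
    return _tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_paged_control(size: int, cookie: bytes = b"",
                         critical: bool = False) -> bytes:
    """Build the control as it appears in a SearchRequest's controls list."""
    value = _tlv(TAG_SEQUENCE, _ber_integer(size) + _tlv(TAG_OCTET_STRING, cookie))
    body = _tlv(TAG_OCTET_STRING, PAGED_RESULTS_OID.encode("ascii"))
    if critical:  # DEFAULT FALSE is omitted from the encoding
        body += _tlv(TAG_BOOLEAN, b"\xff")
    body += _tlv(TAG_OCTET_STRING, value)
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, payload, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def _expect(tag: int, want: int) -> None:
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")


def decode_paged_control(raw: bytes) -> Tuple[int, bytes, bool]:
    """Parse one Control; return (size, cookie, critical).

    Anything that is not a paged-results control, or that carries
    trailing bytes, is an error rather than a silently accepted page size.
    """
    tag, body, end = _read_tlv(raw, 0)
    _expect(tag, TAG_SEQUENCE)
    if end != len(raw):
        raise ValueError("trailing data after control")
    tag, oid, pos = _read_tlv(body, 0)
    _expect(tag, TAG_OCTET_STRING)
    if oid != PAGED_RESULTS_OID.encode("ascii"):
        raise ValueError(f"not a paged-results control: {oid!r}")
    critical = False
    tag, payload, pos = _read_tlv(body, pos)
    if tag == TAG_BOOLEAN:
        critical = payload != b"\x00"
        tag, payload, pos = _read_tlv(body, pos)
    _expect(tag, TAG_OCTET_STRING)
    if pos != len(body):
        raise ValueError("trailing data in control")
    tag, inner, _ = _read_tlv(payload, 0)
    _expect(tag, TAG_SEQUENCE)
    tag, size_bytes, pos = _read_tlv(inner, 0)
    _expect(tag, TAG_INTEGER)
    size = int.from_bytes(size_bytes, "big", signed=True)
    tag, cookie, pos = _read_tlv(inner, pos)
    _expect(tag, TAG_OCTET_STRING)
    if pos != len(inner):
        raise ValueError("trailing data in control value")
    return size, cookie, critical


if __name__ == "__main__":
    first = encode_paged_control(500)  # first page: empty cookie
    print(first.hex())
    print(decode_paged_control(first))
    # A server with more entries returns an opaque cookie that the client
    # echoes in its next request (this cookie is constructed for the demo).
    more = encode_paged_control(500, cookie=b"\x00\x00\x00\x07", critical=True)
    print(decode_paged_control(more))
```

The criticality bit is the part worth looking at in a capture. Per RFC 4511 a server that does not support a control marked critical must refuse the operation with unavailableCriticalExtension, which matches the proxy's prompt error and the clean fallback to per-uid lookups; a server that gets the control marked non-critical may simply ignore it and run the search unpaged, which is the path that can run into a size limit and a dropped connection.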
>Unformatted:
