Bug 1157757 - When using slapi-nis to provide access to AD users to legacy clients, 389-ds threads lock on access to getgrgid_r()
Keywords:
Status: CLOSED DUPLICATE of bug 1202996
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: slapi-nis
Version: 7.0
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Alexander Bokovoy
QA Contact: Namita Soman
Tomas Capek
URL:
Whiteboard:
Depends On:
Blocks: 1133060 1168850 1179458 1180596 1182933 1185286 1187501 1189279 1205796
Reported: 2014-10-27 15:50 UTC by Konstantin Lepikhov
Modified: 2019-05-20 11:19 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
When the Schema Compatibility plug-in is configured to provide Active Directory (AD) users access to legacy clients using the Identity Management (IdM) cross-forest trust to AD, the 389 Directory Server can under certain conditions increase CPU consumption upon receiving a request to resolve complex group membership of an AD user.
Clone Of:
Environment:
Last Closed: 2015-03-26 21:27:26 UTC
Target Upstream Version:


Description Konstantin Lepikhov 2014-10-27 15:50:28 UTC
Description of problem:

Originally spotted in #sfdc case 01190699

Attaching strace, pstack from ns-ldap server and logs from RHEL5.

Version-Release number of selected component (if applicable):
slapi-nis-0.52-6.el7_0

How reproducible:
In customer environment

Actual results:
ns-ldapd consumes 100% CPU

Expected results:
We need a mechanism to filter/cache such requests in glibc and not abuse nss_file.

Comment 11 Alexander Bokovoy 2015-02-18 15:41:57 UTC
Yes.

Comment 15 Alexander Bokovoy 2015-03-26 20:18:29 UTC
This bug is fixed with bug 1202995 and https://rhn.redhat.com/errata/RHSA-2015-0728.html in RHEL 7.1.z

Comment 16 Dmitri Pal 2015-03-26 21:27:26 UTC

*** This bug has been marked as a duplicate of bug 1202996 ***

