Created attachment 491310 [details] valgrind output provided by the customer Description of problem: Investigated this bug opened for 389/Redhat Directory Server and narrowed down the cause: Bug 694195 - GSSAPI/SASL request memory leak Steps to Reproduce: 1. Standalone 1.2.8 rc2 setup on RHEL 5.6. MIT Kerberos already setup in department. 2. Keytab installed per http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/SASL.html#Configuring_Kerberos-Configuring_the_KDC_Server 3. `kinit` used to acquire principal; simple `ldapsearch` run repeatedly in five different terminals. This was a slow test to see whether the rate of requests influenced the leak: while sleep 5; do ldapsearch -Y GSSAPI -h server.example.edu 'uid=myuid' uid; done Actual results: steady growth (*never* a drop) in ns-slapd memory RSS and VSZ, collected by `ps axo pid,rss,vsz` every 60 seconds. Over 14 hours, RSS grew by 9356 Kilobytes, and VSZ by 10060 Kilobytes in response to 139270 connection attempts (2.76 requests/s), or a leak of ~70 bytes per request. Expected results: no memory leak. Under non-GSSAPI traffic, the memory usage of ns-slapd swings up and down, and remains roughly level over time. Additional info: large amounts of GSSAPI traffic used to segfault ns-slapd (see bug 683250), so I am not sure whether this memory leak is new to 1.2.8.rc2 or exists in older versions. # cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.6 (Tikanga) # getenforce Permissive # rpm -qa | grep 389 389-ds-base-1.2.8-0.8.rc4.el5 389-dsgw-1.1.6-1.el5 389-adminutil-1.1.13-1.el5 389-console-1.1.4-1.el5 389-admin-1.1.16-1.el5 389-ds-console-1.2.5-1.el5 389-ds-console-doc-1.2.5-1.el5 389-ds-1.2.1-1.el5 389-ds-base-libs-1.2.8-0.8.rc4.el5 389-admin-console-1.1.7-1.el5 389-admin-console-doc-1.1.7-1.el5 Related bug: Bug 658571 - libselinux memory leak caused by improper use of __thread
Nalin can you also confirm that you are freeing memory returned by libselinux.
We can't safely clean up memory allocated when matchpathcon() is used, and we don't have selabel_open() in 1.x. If the GSSAPI plugin is loaded and unloaded by libsasl2 in the server, then it'll leak on unload.
*** Bug 694195 has been marked as a duplicate of this bug. ***
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).