mavis_tacplus-ng_ldap.pl crashes when too many queries #115

Open
jk2lx opened this issue Oct 3, 2024 · 2 comments
Labels
bug Something isn't working

jk2lx commented Oct 3, 2024

We have two Tacacs servers (active/passive) with tacplusng (commit version: a64efee) and the mavis_tacplus-ng_ldap.pl Perl plugin running.

The active Tacacs server gets a few queries per second which seems to be too much since I can see in the logs that the LDAP plugin terminates before finishing the request and the spawning of the plugin also gets throttled:

```
Oct 3 12:51:08 tacacs1-u22 tacplus[2973023]: 192.168.61.33 looking for user gnmic in MAVIS backend
Oct 3 12:51:08 tacacs1-u22 tacplus[2973023]: 192.168.61.33 result for user gnmic is ACK
Oct 3 12:51:08 tacacs1-u22 tacplus[2973023]: 192.168.61.33 shell login for 'gnmic' (realm: port1610) on unknown succeeded (profile=admin-ro)
Oct 3 12:51:08 tacacs1-u22 tacplus[2973023]: authen|192.168.61.33|gnmic|unknown||shell login succeeded
Oct 3 12:51:08 tacacs1-u22 tacplus[2953118]: /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl: 3024541: terminated before finishing first request
Oct 3 12:51:08 tacacs1-u22 tac_plus-ng[3024543]: munmap_chunk(): invalid pointer
Oct 3 12:51:08 tacacs1-u22 tacplus[2953118]: /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl: 3024543: terminated before finishing first request
Oct 3 12:51:08 tacacs1-u22 tacplus[2953118]: external: /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl respawning too fast; throttling for 26 seconds.
```

Apart from running the Tacacs servers in active/active, what else could I do and what are the limitations of the LDAP plugin as in queries per second?

There also seems to be a new (undocumented) Python version of the LDAP plugin (https://github.com/MarcJHuber/event-driven-servers/tree/master/mavis/python) since last year. Does this provide any advantages performance-wise and does it support the same features and environment variables as the Perl version?

MarcJHuber (Owner) commented

Hi,

thanks for reporting. Alas, the version you're using is close to 12 months old; please retry with the current code. The issue you're seeing might already be fixed there.

About the Python script: This is more of a proof-of-concept that backend modules can be written in Python, too. I believe it's feature-compatible with the Perl script and uses the same environment variables (AFAIR). Also, there's a multi-threaded variant (ldapmavis-mt, same environment variables) for the external-mt module, written in C, that should cope better with multiple parallel authentications (e.g. caused by MFA).

Cheers,

Marc


jk2lx commented Oct 3, 2024

Thanks Marc, I wish any paid support was as responsive and helpful as you are :)

I will first try load balancing over the servers and if that is not helping, I will try the MT plugin.

MarcJHuber added the bug label Oct 6, 2024
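
Added example, not part of the original thread or the project's code: a small Python triage script for the syslog excerpt in the first comment. It lists helper PIDs that exited before their first request, matches them against PIDs that logged a glibc allocator abort, and computes each throttle window. The regexes are derived only from the lines quoted in the issue, and the year is an assumption because the syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the log excerpt quoted in the issue.
SAMPLE = """\
Oct 3 12:51:08 tacacs1-u22 tacplus[2953118]: /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl: 3024541: terminated before finishing first request
Oct 3 12:51:08 tacacs1-u22 tac_plus-ng[3024543]: munmap_chunk(): invalid pointer
Oct 3 12:51:08 tacacs1-u22 tacplus[2953118]: /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl: 3024543: terminated before finishing first request
Oct 3 12:51:08 tacacs1-u22 tacplus[2953118]: external: /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl respawning too fast; throttling for 26 seconds.
"""

# Syslog envelope: timestamp, host, process[pid]: message
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DIED = re.compile(r"^(?P<plugin>/\S+): (?P<child>\d+): "
                  r"terminated before finishing first request$")
THROTTLE = re.compile(r"^external: (?P<plugin>/\S+) respawning too fast; "
                      r"throttling for (?P<secs>\d+) seconds\.$")
# glibc allocator abort messages (heap corruption detected at free/munmap time)
ABORT = re.compile(r"invalid pointer|double free|corrupted")


def analyze(text, year):
    """Return early helper exits, allocator aborts and throttle windows."""
    died, aborts, throttles = [], {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if (d := DIED.match(msg)):
            died.append((when, d["plugin"], int(d["child"])))
        elif (t := THROTTLE.match(msg)):
            end = when + timedelta(seconds=int(t["secs"]))
            throttles.append((t["plugin"], when, end))
        elif ABORT.search(msg):
            aborts[int(m["pid"])] = msg  # keyed by the PID that logged it
    # Child PIDs whose early exit coincides with an abort logged under that PID
    explained = {pid: aborts[pid] for _, _, pid in died if pid in aborts}
    return {"died": died, "aborts": aborts,
            "explained": explained, "throttles": throttles}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE, 2024).items():
        print(key, value)
```

On the quoted lines, child 3024543 is matched to the `munmap_chunk(): invalid pointer` message logged under the same PID, while 3024541 has no abort message in the excerpt.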