Posted to users@httpd.apache.org by Stephen Blott <st...@dcu.ie> on 2022/11/18 10:04:34 UTC

[users@httpd] Bug? LDAPRetryDelay from mod_ldap uses the wrong unit

Hi,

I'm not sure what to do with this.  Help would be appreciated.

It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:
   https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay

Issue:
  LDAP configuration option LDAPRetryDelay...

  The Documentation suggests that the unit is seconds:
    https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay

  The code suggests that the unit is microseconds (see code chase, below).

Effect:
  Apache sometimes issues a burst of almost simultaneous LDAP search/bind
  requests.

  (In my organisation, this is "catastrophic" since, if the password is
   incorrect, it appears as N failed login attempts, and the account is
   instantly blocked (after just a single attempt). In practice,
   I've observed N in the region of 5 to 7.)

Configuration option:

  LDAPRetryDelay 5   (for example)

  This sets the retry delay for LDAP connections.

  In the code, this ends up here...

In util_ldap_set_retry_delay (util_ldap.c:2859):

  st->retry_delay = timeout;

  Note... no unit conversion takes place; the code just checks that it's
  a non-negative integer and notes the value for later.

The delay is implemented in httpd/modules/ldap/util_ldap.c:668:

  apr_sleep(st->retry_delay);

  Note... we still appear to have the raw value from the configuration
  file (nominally in seconds).

If you search the code, you will find that apr_sleep() is *almost always*
called like this:

  apr_sleep(apr_time_from_sec(XXXX))

  That is, the unit expected is whatever is returned by apr_time_from_sec().

In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):

  /** number of microseconds per second */
  #define APR_USEC_PER_SEC APR_TIME_C(1000000)

  .
  .
  .

  /** @return seconds as an apr_time_t */
  #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

  So, the result of apr_time_from_sec is in microseconds.

It looks like the documentation is in seconds, but the implementation is in
microseconds.

Is my analysis correct?

What do I do next?

Thanks for reading.

Steve
--
  Stephen Blott
  Students... contact me on Slack: https://slack.computing.dcu.ie/
  Staff... contact me on Slack: https://dcucommunity.slack.com/
  Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
  Rm: L1.02
  School of Computing
  Dublin City University, Glasnevin, Dublin, Ireland
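The unit mismatch described in the message above, as an added example that is not part of the original post and is not httpd code: a simulation on a virtual clock of how many failed binds a directory sees within one lockout window when the configured value is slept raw versus converted with apr_time_from_sec(). The APR type and macros are local stand-ins mirroring the definitions quoted in the post; the attempt count, bind round-trip time and lockout window are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the APR definitions quoted in the post (builds without APR). */
typedef int64_t apr_time_t;                        /* unit: microseconds */
#define APR_USEC_PER_SEC ((apr_time_t)1000000)
#define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

/* Virtual clock: fake_sleep() advances it instead of blocking the process. */
static apr_time_t now_usec;
static void fake_sleep(apr_time_t usec) { now_usec += usec; }

/* Assumed duration of one failed bind round trip (constructed value). */
#define BIND_RTT_USEC ((apr_time_t)20000)

/*
 * Simulate `attempts` failed binds separated by a sleep of `delay_usec`.
 * Returns how many of them start inside a lockout window of `window_usec`
 * that opens at the first failure.
 */
static int failures_in_window(int attempts, apr_time_t delay_usec,
                              apr_time_t window_usec)
{
    int seen = 0;
    now_usec = 0;
    for (int i = 0; i < attempts; i++) {
        if (i > 0)
            fake_sleep(delay_usec);      /* the retry delay under test */
        if (now_usec < window_usec)
            seen++;                      /* directory counts this failure */
        fake_sleep(BIND_RTT_USEC);       /* time spent on the bind itself */
    }
    return seen;
}

int main(void)
{
    const long configured = 5;                         /* LDAPRetryDelay 5 */
    const int attempts = 6;                            /* constructed; post reports 5 to 7 */
    const apr_time_t window = apr_time_from_sec(10);   /* constructed lockout window */

    /* Raw value: 5 is slept as 5 microseconds, so every attempt lands in the window. */
    printf("raw value:       %d failures in window\n",
           failures_in_window(attempts, (apr_time_t)configured, window));
    /* Converted value: 5 seconds between attempts spreads them out. */
    printf("converted value: %d failures in window\n",
           failures_in_window(attempts, apr_time_from_sec(configured), window));
    return 0;
}
```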


Re: [users@httpd] Bug? LDAPRetryDelay from mod_ldap uses the wrong unit

Posted by Daniel Ferradal <df...@apache.org>.
Hello,

Please bring this up in the dev mailing list.

On Fri, 18 Nov 2022 at 11:06, Stephen Blott (<st...@dcu.ie>)
wrote:

> Hi,
>
> I'm not sure what to do with this.  Help would be appreciated.
>
> It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:
>    https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
> Issue:
>   LDAP configuration option LDAPRetryDelay...
>
>   The Documentation suggests that the unit is seconds:
>     https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
>   The code suggests that the unit is microseconds (see code chase, below).
>
> Effect:
>   Apache sometimes issues a burst of almost simultaneous LDAP search/bind
>   requests.
>
>   (In my organisation, this is "catastrophic" since, if the password is
>    incorrect, it appears as N failed login attempts, and the account is
>    instantly blocked (after just a single attempt). In practice,
>    I've observed N in the region of 5 to 7.)
>
> Configuration option:
>
>   LDAPRetryDelay 5   (for example)
>
>   This sets the retry delay for LDAP connections.
>
>   In the code, this ends up here...
>
> In util_ldap_set_retry_delay (util_ldap.c:2859):
>
>   st->retry_delay = timeout;
>
>   Note... no unit conversion takes place; the code just checks that it's
>   a non-negative integer and notes the value for later.
>
> The delay is implemented in httpd/modules/ldap/util_ldap.c:668:
>
>   apr_sleep(st->retry_delay);
>
>   Note... we still appear to have the raw value from the configuration
>   file (nominally in seconds).
>
> If you search the code, you will find that apr_sleep() is *almost always*
> called like this:
>
>   apr_sleep(apr_time_from_sec(XXXX))
>
>   That is, the unit expected is whatever is returned by
> apr_time_from_sec().
>
> In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):
>
>   /** number of microseconds per second */
>   #define APR_USEC_PER_SEC APR_TIME_C(1000000)
>
>   .
>   .
>   .
>
>   /** @return seconds as an apr_time_t */
>   #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)
>
>   So, the result of apr_time_from_sec is in microseconds.
>
> It looks like the documentation is in seconds, but the implementation is
> in microseconds.
>
> Is my analysis correct?
>
> What do I do next?
>
> Thanks for reading.
>
> Steve
> --
>   Stephen Blott
>   Students... contact me on Slack: https://slack.computing.dcu.ie/
>   Staff... contact me on Slack: https://dcucommunity.slack.com/
>   Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
>   Rm: L1.02
>   School of Computing
>   Dublin City University, Glasnevin, Dublin, Ireland
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat