Hi,

I'm not sure what to do with this. Help would be appreciated.

It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:

Issue:
LDAP configuration option LDAPRetryDelay...
The Documentation suggests that the unit is seconds:
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
The code suggests that the unit is microseconds (see code chase, below).
Effect:
Apache sometimes issues a burst of almost simultaneous LDAP search/bind requests.
(In my organisation, this is "catastrophic" since, if the password is
incorrect, it appears as N failed login attempts, and the account is
instantly blocked (after just a single attempt). In practice,
I've observed N in the region of 5 to 7.)
Configuration option:
LDAPRetryDelay 5 (for example)
This sets the retry delay for LDAP connections.
In the code, this ends up here...
In util_ldap_set_retry_delay (util_ldap.c:2859):
st->retry_delay = timeout;
Note... no unit conversion takes place; the code just checks that it's
a non-negative integer and notes the value for later.
The delay is implemented in httpd/modules/ldap/util_ldap.c:668:
apr_sleep(st->retry_delay);
Note... we still appear to have the raw value from the configuration
file (nominally in seconds).
If you search the code, you will find that apr_sleep() is almost always
called like this:
apr_sleep(apr_time_from_sec(XXXX))
That is, the unit expected is whatever is returned by apr_time_from_sec().
In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):
/** number of microseconds per second */
#define APR_USEC_PER_SEC APR_TIME_C(1000000)
.
.
.
/** @return seconds as an apr_time_t */
#define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

So, the result of apr_time_from_sec is in microseconds.

It looks like the documentation is in seconds, but the implementation is in microseconds.

Is my analysis correct?

What do I do next?

Thanks for reading.

Steve

--
Stephen Blott
Students... contact me on Slack: https://slack.computing.dcu.ie/
Staff... contact me on Slack: https://dcucommunity.slack.com/
Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
Rm: L1.02
School of Computing
Dublin City University, Glasnevin, Dublin, Ireland
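The unit mismatch described in the message above, as an added example that is not part of the original post and is not httpd's code: a directive value stored raw versus converted to microseconds, and how many retries then land inside a lockout counting window. The names parse_retry_delay and attempts_in_window, the 1-second window and the local copies of the APR macros are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Local stand-ins for the APR definitions quoted in the message, so this
 * builds without APR installed. */
typedef int64_t apr_time_t;
#define APR_USEC_PER_SEC ((apr_time_t)1000000)
#define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

/* Hypothetical directive handler. Accepts a non-negative integer number of
 * seconds. convert == 0 stores the raw number (the behaviour the message
 * describes); convert != 0 stores microseconds, the unit apr_sleep() takes.
 * Returns 0 on success, -1 on bad input (*out is then left untouched). */
static int parse_retry_delay(const char *arg, int convert, apr_time_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || v < 0)
        return -1;
    if ((int64_t)v > INT64_MAX / APR_USEC_PER_SEC)  /* conversion would overflow */
        return -1;
    *out = convert ? apr_time_from_sec(v) : (apr_time_t)v;
    return 0;
}

/* Number of the `attempts` requests that start within `window` microseconds
 * of the first one when `delay` microseconds are slept between them.
 * Network and server latency are ignored in this model. */
static int attempts_in_window(int attempts, apr_time_t delay, apr_time_t window)
{
    int n = 0;
    for (int i = 0; i < attempts; i++)
        if ((apr_time_t)i * delay <= window)
            n++;
    return n;
}

int main(void)
{
    apr_time_t raw, fixed;
    const apr_time_t window = apr_time_from_sec(1);  /* constructed 1 s window */
    /* "LDAPRetryDelay 5" and N = 7 are the figures given in the message. */
    if (parse_retry_delay("5", 0, &raw) || parse_retry_delay("5", 1, &fixed))
        return 1;
    printf("raw value:  %d of 7 attempts within 1 s\n", attempts_in_window(7, raw, window));
    printf("converted:  %d of 7 attempts within 1 s\n", attempts_in_window(7, fixed, window));
    return 0;
}
```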