Re: Bug? LDAPRetryDelay from mod_ldap uses the wrong unit

Hello,

Please bring this up in the dev mailing list.

On Fri, 18 Nov 2022 at 11:06, Stephen Blott (<stephen.blott@xxxxxx>) wrote:
Hi,

I'm not sure what to do with this.  Help would be appreciated.

It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:

Issue:
  LDAP configuration option LDAPRetryDelay...

  The Documentation suggests that the unit is seconds:
    https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay

  The code suggests that the unit is microseconds (see code chase, below).

Effect:
  Apache sometimes issues a burst of almost simultaneous LDAP search/bind
  requests.

  (In my organisation, this is "catastrophic" since, if the password is
   incorrect, it appears as N failed login attempts, and the account is
   instantly blocked (after just a single attempt). In practice,
   I've observed N in the region of 5 to 7.)

Configuration option:

  LDAPRetryDelay 5   (for example)

  This sets the retry delay for LDAP connections.

  In the code, this ends up here...

In util_ldap_set_retry_delay (util_ldap.c:2859):

  st->retry_delay = timeout;

  Note... no unit conversion takes place; the code just checks that it's
  a non-negative integer and notes the value for later.

The delay is implemented in httpd/modules/ldap/util_ldap.c:668:

  apr_sleep(st->retry_delay);

  Note... we still appear to have the raw value from the configuration
  file (nominally in seconds).

If you search the code, you will find that apr_sleep() is almost always
called like this:

  apr_sleep(apr_time_from_sec(XXXX))

  That is, the unit expected is whatever is returned by apr_time_from_sec().

In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):

  /** number of microseconds per second */
  #define APR_USEC_PER_SEC APR_TIME_C(1000000)

  .
  .
  .

  /** @return seconds as an apr_time_t */
  #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

  So, the result of apr_time_from_sec is in microseconds.

It looks like the documentation is in seconds, but the implementation is in microseconds.

Is my analysis correct?

What do I do next?

Thanks for reading.

Steve
--
  Stephen Blott
  Students... contact me on Slack: https://slack.computing.dcu.ie/
  Staff... contact me on Slack: https://dcucommunity.slack.com/
  Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
  Rm: L1.02
  School of Computing
  Dublin City University, Glasnevin, Dublin, Ireland

Email Disclaimer

This e-mail and any files transmitted with it are confidential and are intended solely for use by the addressee.

--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
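The unit mismatch traced above, as an added example that is not part of either message and is not mod_ldap's own code. It models the path the thread describes (directive handler stores the value, the retry loop passes it to apr_sleep()) with the APR macros exactly as quoted from apr_time.h and a fake clock in place of apr_sleep(), so it runs without APR or an LDAP server. The names ldap_state, set_retry_delay, retry_bind and burst_size are hypothetical, the bind is assumed to fail every time (wrong password), and the retry count of 5 is an assumption chosen to match the N of 5 to 7 observed in the report:

```c
/* Added example, not httpd/mod_ldap code: models how a raw LDAPRetryDelay
 * value reaches apr_sleep() versus a seconds-to-apr_time_t conversion.
 * APR macros below are copied from the quoted apr_time.h definitions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int64_t apr_time_t;                 /* APR: microseconds (assumed, as in APR) */
#define APR_TIME_C(val) INT64_C(val)
#define APR_USEC_PER_SEC APR_TIME_C(1000000)
#define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

/* Fake clock: "sleeping" advances it by the requested number of microseconds. */
static apr_time_t fake_now;
static void fake_apr_sleep(apr_time_t t) { fake_now += t; }

struct ldap_state {                          /* hypothetical stand-in for st */
    apr_time_t retry_delay;
    int retries;
};

/* Directive handler. convert_units == 0 stores the raw integer, as the thread
 * describes util_ldap_set_retry_delay doing; convert_units == 1 applies the
 * documented seconds unit and guards the multiplication against overflow. */
static const char *set_retry_delay(struct ldap_state *st, const char *arg, int convert_units)
{
    char *end;
    errno = 0;
    long secs = strtol(arg, &end, 10);
    if (errno != 0 || *end != '\0' || secs < 0)
        return "LDAPRetryDelay must be a non-negative integer";
    if (convert_units) {
        if (secs > INT64_MAX / APR_USEC_PER_SEC)
            return "LDAPRetryDelay too large";
        st->retry_delay = apr_time_from_sec(secs);
    } else {
        st->retry_delay = (apr_time_t)secs;  /* no unit conversion */
    }
    return NULL;
}

/* Simulated bind loop: every attempt fails, so all retries are used.
 * Records the fake-clock time of each attempt; returns the attempt count. */
static int retry_bind(const struct ldap_state *st, apr_time_t *attempt_at, int max)
{
    int attempts = 0;
    for (int i = 0; i <= st->retries && attempts < max; i++) {
        if (i > 0 && st->retry_delay > 0)
            fake_apr_sleep(st->retry_delay);   /* the apr_sleep(st->retry_delay) call */
        attempt_at[attempts++] = fake_now;     /* bind fails here: wrong password */
    }
    return attempts;
}

/* Number of failed attempts that land inside a lockout window that starts
 * at the first attempt: what an account-lockout policy would count. */
static int attempts_in_window(const apr_time_t *attempt_at, int n, apr_time_t window)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        if (attempt_at[i] - attempt_at[0] < window)
            count++;
    return count;
}

/* Runs one configuration and returns the burst size seen within a
 * 1-second window; -1 if the directive value is rejected. */
static int burst_size(const char *delay_arg, int retries, int convert_units)
{
    struct ldap_state st = { 0, retries };
    apr_time_t at[64];
    fake_now = 0;
    if (set_retry_delay(&st, delay_arg, convert_units) != NULL)
        return -1;
    int n = retry_bind(&st, at, 64);
    return attempts_in_window(at, n, apr_time_from_sec(1));
}

int main(void)
{
    printf("LDAPRetryDelay 5, raw value: %d attempts within 1 s\n", burst_size("5", 5, 0));
    printf("LDAPRetryDelay 5, converted: %d attempts within 1 s\n", burst_size("5", 5, 1));
    return 0;
}
```

With the raw value, a configured delay of 5 is a 5-microsecond pause, so all six attempts (the first plus five retries) fall inside a one-second lockout window; with the conversion applied, only the first attempt does and the rest are spaced five seconds apart. The overflow guard in the converted branch matters once a seconds value is multiplied by 10^6 into a 64-bit apr_time_t: a sanity-checked directive should reject values the multiplication cannot represent rather than wrap.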
