List: apache-httpd-users
Subject: Re: [users@httpd] Bug? LDAPRetryDelay from mod_ldap uses the wrong unit
From: Daniel Ferradal <dferradal () apache ! org>
Date: 2022-12-02 17:35:59
Message-ID: CAHti5NEtbvTDJkiyfL4YoGSv7V7XUDBWvHGizh9zw2TtSUXA-Q () mail ! gmail ! com
Hello,
Please bring this up in the dev mailing list.
On Fri, 18 Nov 2022 at 11:06, Stephen Blott (<stephen.blott@dcu.ie>) wrote:
> Hi,
>
> I'm not sure what to do with this. Help would be appreciated.
>
> It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:
> https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
> Issue:
> LDAP configuration option LDAPRetryDelay...
>
> The Documentation suggests that the unit is seconds:
> https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
> The code suggests that the unit is microseconds (see code chase, below).
>
> Effect:
> Apache sometimes issues a burst of almost simultaneous LDAP search/bind
> requests.
>
> (In my organisation, this is "catastrophic" since, if the password is
> incorrect, it appears as N failed login attempts, and the account is
> instantly blocked (after just a single attempt). In practice,
> I've observed N in the region of 5 to 7.)
>
> Configuration option:
>
> LDAPRetryDelay 5 (for example)
>
> This sets the retry delay for LDAP connections.
>
> In the code, this ends up here...
>
> In util_ldap_set_retry_delay (util_ldap.c:2859):
>
> st->retry_delay = timeout;
>
> Note... no unit conversion takes place; the code just checks that it's
> a non-negative integer and notes the value for later.
>
> The delay is implemented in httpd/modules/ldap/util_ldap.c:668:
>
> apr_sleep(st->retry_delay);
>
> Note... we still appear to have the raw value from the configuration
> file (nominally in seconds).
>
> If you search the code, you will find that apr_sleep() is *almost always*
> called like this:
>
> apr_sleep(apr_time_from_sec(XXXX))
>
> That is, the unit expected is whatever is returned by
> apr_time_from_sec().
>
> In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):
>
> /** number of microseconds per second */
> #define APR_USEC_PER_SEC APR_TIME_C(1000000)
>
> .
> .
> .
>
> /** @return seconds as an apr_time_t */
> #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)
>
> So, the result of apr_time_from_sec is in microseconds.
>
> It looks like the documentation is in seconds, but the implementation is
> in microseconds.
>
> Is my analysis correct?
>
> What do I do next?
>
> Thanks for reading.
>
> Steve
> --
> Stephen Blott
> Students... contact me on Slack: https://slack.computing.dcu.ie/
> Staff... contact me on Slack: https://dcucommunity.slack.com/
> Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
> Rm: L1.02
> School of Computing
> Dublin City University, Glasnevin, Dublin, Ireland
--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
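
The unit question raised in the quoted message, as an added C example that is not part of the original thread or of httpd/APR: it compares the interval a microsecond-based sleep receives when the configured value is passed raw versus converted from seconds, and counts how many retry attempts then start within one second. The `demo_*` names, `sleep_arg_usec`, `attempts_within`, the one-second window and the retry model (request round-trip time ignored) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins that mirror the apr_time.h definitions quoted in the
 * message; this file does not include or link against APR. */
typedef int64_t demo_time_t;                      /* microseconds */
#define DEMO_USEC_PER_SEC ((demo_time_t)1000000)
#define demo_time_from_sec(sec) ((demo_time_t)(sec) * DEMO_USEC_PER_SEC)

/* Interval handed to a microsecond-based sleep for a configured value.
 * convert == 0: raw value passed through, as in the quoted lines.
 * convert != 0: value converted from seconds first. */
demo_time_t sleep_arg_usec(long configured, int convert)
{
    return convert ? demo_time_from_sec(configured) : (demo_time_t)configured;
}

/* Hypothetical model: attempts start at t = 0, gap, 2*gap, ... microseconds.
 * Returns how many of them start inside the first window_usec microseconds. */
int attempts_within(int attempts, demo_time_t gap_usec, demo_time_t window_usec)
{
    int n = 0;
    demo_time_t t = 0;
    for (int i = 0; i < attempts; i++, t += gap_usec)
        if (t < window_usec)
            n++;
    return n;
}

int main(void)
{
    const long configured = 5;   /* LDAPRetryDelay 5, the message's example */
    const int attempts = 7;      /* upper end of the N the message reports */
    const demo_time_t window = demo_time_from_sec(1);  /* constructed 1 s window */

    for (int convert = 0; convert <= 1; convert++) {
        demo_time_t gap = sleep_arg_usec(configured, convert);
        printf("%s: sleep argument %lld us, %d of %d attempts within 1 s\n",
               convert ? "converted" : "raw", (long long)gap,
               attempts_within(attempts, gap, window), attempts);
    }
    return 0;
}
```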