
[Bug 66357] New: Apache is issuing bursts of almost simultaneous LDAP search/bind requests
https://bz.apache.org/bugzilla/show_bug.cgi?id=66357

Bug ID: 66357
Summary: Apache is issuing bursts of almost simultaneous LDAP search/bind requests
Product: Apache httpd-2
Version: 2.4.54
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ldap
Assignee: bugs@httpd.apache.org
Reporter: smblott@gmail.com
Target Milestone: ---

Issue:
Apache is issuing bursts of almost simultaneous LDAP search/bind requests.

In my organisation, this is causing a single incorrect password attempt
to appear as many failed LDAP requests, immediately locking the user's
account.

I reported this but with an incorrect diagnosis yesterday:
https://bz.apache.org/bugzilla/show_bug.cgi?id=66355

Sorry about that. My diagnosis was incorrect, but there definitely is an
issue here.

Version: 2.4.54 (Debian).
Where I quote line numbers below, they are from the 2.4.x branch of the
code from GitHub: https://github.com/apache/httpd

Log:
Here's an extract from the Apache error log (slightly edited):

698114627328] util_ldap.c(757): [client ZZ.ZZ.ZZ.ZZ:55832] Reuse unbound LDC
7f0e0d5d90a0, referer: XXXXX
id 139698114627328] mod_authnz_ldap.c(548): [client ZZ.ZZ.ZZ.ZZ:55832]
AH01691: auth_ldap authenticate: using URL ldap://YYYYY, referer: XXXXX
tid 139698114627328] mod_authnz_ldap.c(554): [client ZZ.ZZ.ZZ.ZZ:55832]
auth_ldap authenticate: final authn filter is (&(uid=*)(uid=UUUUU)), referer:
XXXXX
698114627328] util_ldap.c(343): [client ZZ.ZZ.ZZ.ZZ:55832] LDC 7f0e0d5d90a0
init, referer: XXXXX
698114627328] util_ldap.c(393): AH01278: LDAP: Setting referrals to On.
698064271104] util_ldap.c(757): [client ZZ.ZZ.ZZ.ZZ:55836] Reuse unbound LDC
7f0e0d5d90a0, referer: XXXXX

I think the problem is the first and last lines. This message occurs
multiple times from Apache when I see multiple requests on the LDAP
server (and only then).

Here, I saw two simultaneous requests on the server; sometimes it's as
many as 7-8.

Diagnoses:
My previous diagnosis was incorrect:
https://bz.apache.org/bugzilla/show_bug.cgi?id=66355

So my confidence in this is low, but...

There's something odd about the mutex code in:

httpd/modules/ldap/util_ldap.c
uldap_connection_find()
(starts line 708 in github/2.4.x branch)

http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l708

Specifically, the for loop containing the "Reuse unbound LDC" message:
starting line 736:

http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l736

More specifically, the "break" at line 761:

http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l761

This break jumps out of the loop, thereby skipping the call to:

apr_thread_mutex_unlock(l->lock);

on line 767:

http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l767

(The mutex was acquired on line 738, inside and at the top of the for loop)

So, it is possible that a mutex is being retained incorrectly?

If my diagnosis is incorrect, then there nevertheless does remain an
issue.

Thank you for your time.

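The report's hypothesis is that a per-connection lock acquired at the top of a pool-search loop is still held when a matching entry causes a `break`. Below is an added example, not httpd's code and not from the reporter, that reproduces that shape in plain POSIX threads (APR's `apr_thread_mutex_*` calls are replaced by `pthread_mutex_*`; all names, the pool contents and the hosts are hypothetical) together with the check a practitioner would run to test the hypothesis: a `trylock` probe over every slot after the lookup returns, which reports exactly which locks are still held. Note that in a connection pool a lock that survives the find call can be the intended ownership handoff (the caller keeps the slot until it explicitly releases it) rather than a leak; the probe tells you which slot is held, and the surrounding code has to tell you whether a matching release exists on every path.

```c
/* Added example (not httpd code): a minimal connection-pool lookup in the
 * shape described in the report, using POSIX threads instead of APR.
 * Each slot has its own lock; the find loop acquires a slot's lock, tests
 * it against the caller's criteria, and either keeps it (match, break) or
 * releases it (no match). A probe then reports how many locks are still
 * held after the function returns. All names are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 3

struct slot {
    const char *host;
    int port;
    pthread_mutex_t lock;
};

static struct slot pool[NSLOTS];
static int pool_ready;

/* Constructed pool: three slots, one of which matches the lookup below.
 * Initialised lazily so every entry point works stand-alone. */
static void pool_init(void)
{
    const char *hosts[NSLOTS] = {
        "ldap-a.example", "ldap-b.example", "ldap-c.example"
    };
    if (pool_ready)
        return;
    for (int i = 0; i < NSLOTS; i++) {
        pool[i].host = hosts[i];
        pool[i].port = 389;
        pthread_mutex_init(&pool[i].lock, NULL); /* default (normal) mutex */
    }
    pool_ready = 1;
}

/* Lookup in the shape the report describes: the per-slot lock is taken at
 * the top of each iteration; a miss releases it, a hit leaves the loop with
 * it still held. Returns the matching slot index or -1. */
static int pool_find(const char *host, int port)
{
    pool_init();
    for (int i = 0; i < NSLOTS; i++) {
        if (pthread_mutex_trylock(&pool[i].lock) != 0)
            continue;                 /* slot checked out by another caller */
        if (pool[i].port == port && strcmp(pool[i].host, host) == 0)
            return i;                 /* hit: return with the lock still held */
        pthread_mutex_unlock(&pool[i].lock); /* miss: release for other callers */
    }
    return -1;
}

/* The caller's matching release: the slot is owned from pool_find() to here.
 * Without a call like this on every path, the slot stays unavailable. */
static void pool_release(int i)
{
    pthread_mutex_unlock(&pool[i].lock);
}

/* Probe: count how many slot locks are currently held. With a default
 * (normal) mutex, trylock returns EBUSY for a held lock whoever holds it,
 * so this also detects a lock retained by the probing thread itself. */
static int held_locks(void)
{
    int held = 0;
    pool_init();
    for (int i = 0; i < NSLOTS; i++) {
        int rc = pthread_mutex_trylock(&pool[i].lock);
        if (rc == EBUSY)
            held++;
        else if (rc == 0)
            pthread_mutex_unlock(&pool[i].lock); /* was free; put it back */
    }
    return held;
}

int main(void)
{
    int hit = pool_find("ldap-b.example", 389);
    printf("find -> slot %d, locks held after find: %d\n", hit, held_locks());
    /* A second lookup for the same server now skips the held slot. */
    printf("second find -> slot %d\n", pool_find("ldap-b.example", 389));
    pool_release(hit);
    printf("locks held after release: %d\n", held_locks());
    return 0;
}
```

Run as-is, the first lookup returns slot 1 and leaves one lock held, the second lookup for the same server finds nothing because the only matching slot is checked out, and the count drops back to zero only after the explicit release. Reading the real function with this in mind, the question to answer is whether every caller that receives a connection from the find routine reaches a matching unlock on every path, including the error and early-return paths.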