Mailing List Archive

Bug? LDAPRetryDelay from mod_ldap uses the wrong unit
Hi,

I'm not sure what to do with this. Help would be appreciated.

It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay

Issue:
LDAP configuration option LDAPRetryDelay...

The Documentation suggests that the unit is seconds:
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay

The code suggests that the unit is microseconds (see code chase, below).

Effect:
Apache sometimes issues a burst of almost simultaneous LDAP search/bind
requests.

(In my organisation, this is "catastrophic" since, if the password is
incorrect, it appears as N failed login attempts, and the account is
instantly blocked (after just a single attempt). In practice,
I've observed N in the region of 5 to 7.)

Configuration option:

LDAPRetryDelay 5 (for example)

This sets the retry delay for LDAP connections.

In the code, this ends up here...

In util_ldap_set_retry_delay (util_ldap.c:2859):

st->retry_delay = timeout;

Note... no unit conversion takes place; the code just checks that it's
a non-negative integer and notes the value for later.

The delay is implemented in httpd/modules/ldap/util_ldap.c:668:

apr_sleep(st->retry_delay);

Note... we still appear to have the raw value from the configuration
file (nominally in seconds).

If you search the code, you will find that apr_sleep() is *almost always*
called like this:

apr_sleep(apr_time_from_sec(XXXX))

That is, the unit expected is whatever is returned by apr_time_from_sec().

In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):

/** number of microseconds per second */
#define APR_USEC_PER_SEC APR_TIME_C(1000000)

.
.
.

/** @return seconds as an apr_time_t */
#define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

So, the result of apr_time_from_sec is in microseconds.

It looks like the documentation is in seconds, but the implementation is in
microseconds.

Is my analysis correct?

What do I do next?

Thanks for reading.

Steve
--
Stephen Blott
Students... contact me on Slack: https://slack.computing.dcu.ie/
Staff... contact me on Slack: https://dcucommunity.slack.com/
Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
Rm: L1.02
School of Computing
Dublin City University, Glasnevin, Dublin, Ireland
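
The unit mismatch analysed in the message above, as an added example that is not part of the original post or of httpd's source: it replays a retry loop on a simulated clock and counts how many attempts a directory server would see within one second, first with the raw configured value and then with the value converted by apr_time_from_sec(). The APR definitions are local stand-ins copied from the macros quoted in the post; parse_retry_delay(), attempts_in_window() and the choice of 6 attempts are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Local stand-ins mirroring the apr_time.h definitions quoted in the post. */
typedef int64_t apr_time_t;
#define APR_USEC_PER_SEC INT64_C(1000000)
#define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

/* Hypothetical directive parser: accept a non-negative integer only. */
static int parse_retry_delay(const char *arg, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || v < 0)
        return -1;
    *out = v;
    return 0;
}

/* Replay a retry loop on a simulated clock (no real sleeping) and count
 * how many attempts start inside the first window_usec microseconds.
 * delay_usec is the value that would be handed to apr_sleep(). */
static int attempts_in_window(apr_time_t delay_usec, int attempts,
                              apr_time_t window_usec)
{
    apr_time_t now = 0;
    int seen = 0;
    for (int i = 0; i < attempts; i++) {
        if (i > 0)
            now += delay_usec;      /* sleep between attempts */
        if (now < window_usec)
            seen++;
    }
    return seen;
}

int main(void)
{
    long cfg;                        /* "LDAPRetryDelay 5" from the post */
    if (parse_retry_delay("5", &cfg) != 0)
        return 1;
    apr_time_t one_sec = apr_time_from_sec(1);
    /* Constructed scenario: 6 attempts, within the 5 to 7 the post reports. */
    printf("raw value:       %d attempts in the first second\n",
           attempts_in_window((apr_time_t)cfg, 6, one_sec));
    printf("converted value: %d attempts in the first second\n",
           attempts_in_window(apr_time_from_sec(cfg), 6, one_sec));
    return 0;
}
```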

Re: Bug? LDAPRetryDelay from mod_ldap uses the wrong unit
Hello,

Please bring this up in the dev mailing list.

On Fri, 18 Nov 2022 at 11:06, Stephen Blott (<stephen.blott@dcu.ie>)
wrote:

> Hi,
>
> I'm not sure what to do with this. Help would be appreciated.
>
> It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:
> https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
> Issue:
> LDAP configuration option LDAPRetryDelay...
>
> The Documentation suggests that the unit is seconds:
> https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
> The code suggests that the unit is microseconds (see code chase, below).
>
> Effect:
> Apache sometimes issues a burst of almost simultaneous LDAP search/bind
> requests.
>
> (In my organisation, this is "catastrophic" since, if the password is
> incorrect, it appears as N failed login attempts, and the account is
> instantly blocked (after just a single attempt). In practice,
> I've observed N in the region of 5 to 7.)
>
> Configuration option:
>
> LDAPRetryDelay 5 (for example)
>
> This sets the retry delay for LDAP connections.
>
> In the code, this ends up here...
>
> In util_ldap_set_retry_delay (util_ldap.c:2859):
>
> st->retry_delay = timeout;
>
> Note... no unit conversion takes place; the code just checks that it's
> a non-negative integer and notes the value for later.
>
> The delay is implemented in httpd/modules/ldap/util_ldap.c:668:
>
> apr_sleep(st->retry_delay);
>
> Note... we still appear to have the raw value from the configuration
> file (nominally in seconds).
>
> If you search the code, you will find that apr_sleep() is *almost always*
> called like this:
>
> apr_sleep(apr_time_from_sec(XXXX))
>
> That is, the unit expected is whatever is returned by
> apr_time_from_sec().
>
> In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):
>
> /** number of microseconds per second */
> #define APR_USEC_PER_SEC APR_TIME_C(1000000)
>
> .
> .
> .
>
> /** @return seconds as an apr_time_t */
> #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)
>
> So, the result of apr_time_from_sec is in microseconds.
>
> It looks like the documentation is in seconds, but the implementation is
> in microseconds.
>
> Is my analysis correct?
>
> What do I do next?
>
> Thanks for reading.
>
> Steve
> --
> Stephen Blott
> Students... contact me on Slack: https://slack.computing.dcu.ie/
> Staff... contact me on Slack: https://dcucommunity.slack.com/
> Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
> Rm: L1.02
> School of Computing
> Dublin City University, Glasnevin, Dublin, Ireland


--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat