https://bz.apache.org/bugzilla/show_bug.cgi?id=66357

            Bug ID: 66357
           Summary: Apache is issuing bursts of almost simultaneous LDAP
                    search/bind requests
           Product: Apache httpd-2
           Version: 2.4.54
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ldap
          Assignee: bugs@httpd.apache.org
          Reporter: smbl...@gmail.com
  Target Milestone: ---

Issue:
  Apache is issuing bursts of almost simultaneous LDAP search/bind requests.

  In my organisation, this is causing a single incorrect password attempt
  to appear as many failed LDAP requests, immediately locking the user's
  account.

  I reported this but with an incorrect diagnosis yesterday:
    https://bz.apache.org/bugzilla/show_bug.cgi?id=66355

  Sorry about that.  My diagnosis was incorrect, but there definitely is an
  issue here.

Version: 2.4.54 (Debian).
  Where I quote line numbers below, they are from the 2.4.x branch of the
  code from GitHub: https://github.com/apache/httpd

Log:
  Here's an extract from the Apache error log (slightly edited):

  698114627328] util_ldap.c(757): [client ZZ.ZZ.ZZ.ZZ:55832] Reuse unbound LDC 7f0e0d5d90a0, referer: XXXXX
  id 139698114627328] mod_authnz_ldap.c(548): [client ZZ.ZZ.ZZ.ZZ:55832] AH01691: auth_ldap authenticate: using URL ldap://YYYYY, referer: XXXXX
  tid 139698114627328] mod_authnz_ldap.c(554): [client ZZ.ZZ.ZZ.ZZ:55832] auth_ldap authenticate: final authn filter is (&(uid=*)(uid=UUUUU)), referer: XXXXX
  698114627328] util_ldap.c(343): [client ZZ.ZZ.ZZ.ZZ:55832] LDC 7f0e0d5d90a0 init, referer: XXXXX
  698114627328] util_ldap.c(393): AH01278: LDAP: Setting referrals to On.
  698064271104] util_ldap.c(757): [client ZZ.ZZ.ZZ.ZZ:55836] Reuse unbound LDC 7f0e0d5d90a0, referer: XXXXX

  I think the problem is the first and last lines.  This message occurs
  multiple times from Apache when I see multiple requests on the LDAP
  server (and only then).

  Here, I saw two simultaneous requests on the server; sometimes it's as
  many as 7-8.

Diagnoses:
  My previous diagnosis was incorrect:
    https://bz.apache.org/bugzilla/show_bug.cgi?id=66355

  So my confidence in this is low, but...

  There's something odd about the mutex code in:

    httpd/modules/ldap/util_ldap.c
      uldap_connection_find()
        (starts line 708 in github/2.4.x branch)
        http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l708

  Specifically, the for loop containing the "Reuse unbound LDC" message:
    starting line 736:
    http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l736

  More specifically, the "break" at line 761:
    http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l761

  This break jumps out of the loop, thereby skipping the call to:

    apr_thread_mutex_unlock(l->lock);

  on line 767:
    http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l767

  (The mutex was acquired on line 738, inside and at the top of the for loop)

  So, it is possible that a mutex is being retained incorrectly?

  If my diagnosis is incorrect, then there nevertheless does remain an
  issue.

Thank you for your time.
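
One way to quantify the pattern in the log extract above, as an added example that is not part of the original report or of httpd: it scans an error log for "Reuse unbound LDC" messages and flags time windows in which several threads picked up the same LDC handle. The sample lines, the full `[pid:tid]` prefix layout, the 500 ms window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the report's extract; the timestamp and
# [pid:tid] prefix layout is assumed, since the report's prefixes are truncated.
SAMPLE_LOG = """\
[Wed Nov 23 10:15:01.100210 2022] [ldap:debug] [pid 811:tid 139698114627328] util_ldap.c(757): [client 192.0.2.10:55832] Reuse unbound LDC 7f0e0d5d90a0, referer: https://app.example/
[Wed Nov 23 10:15:01.101977 2022] [authnz_ldap:debug] [pid 811:tid 139698114627328] mod_authnz_ldap.c(548): [client 192.0.2.10:55832] AH01691: auth_ldap authenticate: using URL ldap://ldap.example, referer: https://app.example/
[Wed Nov 23 10:15:01.104518 2022] [ldap:debug] [pid 811:tid 139698064271104] util_ldap.c(757): [client 192.0.2.10:55836] Reuse unbound LDC 7f0e0d5d90a0, referer: https://app.example/
[Wed Nov 23 10:15:01.109002 2022] [ldap:debug] [pid 811:tid 139698055878400] util_ldap.c(757): [client 192.0.2.10:55840] Reuse unbound LDC 7f0e0d5d90a0, referer: https://app.example/
[Wed Nov 23 10:15:42.000311 2022] [ldap:debug] [pid 811:tid 139698114627328] util_ldap.c(757): [client 192.0.2.10:55901] Reuse unbound LDC 7f0e0d5d90a0, referer: https://app.example/
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?\[pid \d+:tid (?P<tid>\d+)\].*?"
    r"\[client (?P<client>[^\]]+)\] Reuse unbound LDC (?P<ldc>[0-9a-f]+)"
)

def parse_reuse_events(text):
    """Return sorted (timestamp, ldc, tid, client) tuples for each reuse message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            events.append((ts, m["ldc"], m["tid"], m["client"]))
    return sorted(events)

def find_bursts(events, window=timedelta(milliseconds=500), min_threads=2):
    """Flag windows (anchored at their first event) where several threads reuse one LDC."""
    by_ldc = {}
    for ev in events:
        by_ldc.setdefault(ev[1], []).append(ev)
    bursts = []
    for ldc, evs in by_ldc.items():
        start = 0
        while start < len(evs):
            end = start
            while end + 1 < len(evs) and evs[end + 1][0] - evs[start][0] <= window:
                end += 1
            group = evs[start:end + 1]
            threads = {e[2] for e in group}
            if len(threads) >= min_threads:
                bursts.append({"ldc": ldc, "count": len(group),
                               "threads": len(threads), "first": group[0][0]})
            start = end + 1
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(parse_reuse_events(SAMPLE_LOG)):
        print(burst)
```

Comparing the flagged windows with the failed-bind timestamps on the LDAP server shows whether each lockout lines up with a burst.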
