Hi,

I'm not sure what to do with this.  Help would be appreciated.

It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:
   https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay

Issue:
  LDAP configuration option LDAPRetryDelay...

  The Documentation suggests that the unit is seconds:
    https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay

  The code suggests that the unit is microseconds (see code chase, below).

Effect:
  Apache sometimes issues a burst of almost simultaneous LDAP search/bind
  requests.

  (In my organisation, this is "catastrophic" since, if the password is
   incorrect, it appears as N failed login attempts, and the account is
   instantly blocked (after just a single attempt). In practice,
   I've observed N in the region of 5 to 7.)

Configuration option:

  LDAPRetryDelay 5   (for example)

  This sets the retry delay for LDAP connections.

  In the code, this ends up here...

In util_ldap_set_retry_delay (util_ldap.c:2859):

  st->retry_delay = timeout;

  Note... no unit conversion takes place; the code just checks that it's
  a non-negative integer and notes the value for later.

The delay is implemented in httpd/modules/ldap/util_ldap.c:668:

  apr_sleep(st->retry_delay);

  Note... we still appear to have the raw value from the configuration
  file (nominally in seconds).

If you search the code, you will find that apr_sleep() is *almost always*
called like this:

  apr_sleep(apr_time_from_sec(XXXX))

  That is, the unit expected is whatever is returned by apr_time_from_sec().

In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):

  /** number of microseconds per second */
  #define APR_USEC_PER_SEC APR_TIME_C(1000000)

  .
  .
  .

  /** @return seconds as an apr_time_t */
  #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

  So, the result of apr_time_from_sec is in microseconds.

It looks like the documentation is in seconds, but the implementation is in
microseconds.

Is my analysis correct?

What do I do next?

Thanks for reading.

Steve
--
  Stephen Blott
  Students... contact me on Slack: https://slack.computing.dcu.ie/
  Staff... contact me on Slack: https://dcucommunity.slack.com/
  Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
  Rm: L1.02
  School of Computing
  Dublin City University, Glasnevin, Dublin, Ireland
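
The unit mismatch described in the message above, as an added example (not part of the original message and not httpd code). The typedef and macros are local stand-ins mirroring the quoted APR definitions; the simulated clock, the attempt count of 6 and the 1-second window are constructed for illustration, and network latency is ignored.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins mirroring the APR definitions quoted in the message,
 * so this compiles without the APR headers. */
typedef int64_t apr_time_t;
#define APR_USEC_PER_SEC ((apr_time_t)1000000)
#define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)

/* Delay handed to the sleep call for a configured LDAPRetryDelay value.
 * convert == 0: raw value, as in apr_sleep(st->retry_delay).
 * convert != 0: value treated as seconds, as the documentation states. */
static apr_time_t retry_sleep_usec(long configured, int convert)
{
    return convert ? apr_time_from_sec(configured) : (apr_time_t)configured;
}

/* Simulated clock (hypothetical): walk through `attempts` bind attempts
 * separated by the retry delay and count how many fall within `window`
 * microseconds of the first attempt. */
static int attempts_in_window(long configured, int attempts,
                              apr_time_t window, int convert)
{
    apr_time_t now = 0, delay = retry_sleep_usec(configured, convert);
    int i, hits = 0;

    for (i = 0; i < attempts; i++) {
        if (i > 0)
            now += delay;          /* the sleep between retries */
        if (now <= window)
            hits++;
    }
    return hits;
}

int main(void)
{
    const long cfg = 5;            /* LDAPRetryDelay 5 */
    const int attempts = 6;        /* constructed, within the observed 5 to 7 */
    const apr_time_t window = apr_time_from_sec(1); /* constructed window */

    printf("raw value:  sleep %lld us, %d of %d attempts within 1 s\n",
           (long long)retry_sleep_usec(cfg, 0),
           attempts_in_window(cfg, attempts, window, 0), attempts);
    printf("as seconds: sleep %lld us, %d of %d attempts within 1 s\n",
           (long long)retry_sleep_usec(cfg, 1),
           attempts_in_window(cfg, attempts, window, 1), attempts);
    return 0;
}
```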
