Hello,

Please bring this up in the dev mailing list.

On Fri, 18 Nov 2022 at 11:06, Stephen Blott (<[email protected]>) wrote:

> Hi,
>
> I'm not sure what to do with this. Help would be appreciated.
>
> It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:
> https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
> Issue:
> LDAP configuration option LDAPRetryDelay...
>
> The Documentation suggests that the unit is seconds:
> https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
> The code suggests that the unit is microseconds (see code chase, below).
>
> Effect:
> Apache sometimes issues a burst of almost simultaneous LDAP search/bind
> requests.
>
> (In my organisation, this is "catastrophic" since, if the password is
> incorrect, it appears as N failed login attempts, and the account is
> instantly blocked (after just a single attempt). In practice,
> I've observed N in the region of 5 to 7.)
>
> Configuration option:
>
>     LDAPRetryDelay 5 (for example)
>
> This sets the retry delay for LDAP connections.
>
> In the code, this ends up here...
>
> In util_ldap_set_retry_delay (util_ldap.c:2859):
>
>     st->retry_delay = timeout;
>
> Note... no unit conversion takes place; the code just checks that it's
> a non-negative integer and notes the value for later.
>
> The delay is implemented in httpd/modules/ldap/util_ldap.c:668:
>
>     apr_sleep(st->retry_delay);
>
> Note... we still appear to have the raw value from the configuration
> file (nominally in seconds).
>
> If you search the code, you will find that apr_sleep() is *almost always*
> called like this:
>
>     apr_sleep(apr_time_from_sec(XXXX))
>
> That is, the unit expected is whatever is returned by
> apr_time_from_sec().
>
> In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):
>
>     /** number of microseconds per second */
>     #define APR_USEC_PER_SEC APR_TIME_C(1000000)
>
>     .
>     .
>     .
>
>     /** @return seconds as an apr_time_t */
>     #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)
>
> So, the result of apr_time_from_sec is in microseconds.
>
> It looks like the documentation is in seconds, but the implementation is
> in microseconds.
>
> Is my analysis correct?
>
> What do I do next?
>
> Thanks for reading.
>
> Steve
> --
> Stephen Blott
> Students... contact me on Slack: https://slack.computing.dcu.ie/
> Staff... contact me on Slack: https://dcucommunity.slack.com/
> Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
> Rm: L1.02
> School of Computing
> Dublin City University, Glasnevin, Dublin, Ireland

--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
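
An added example, not part of either message and not httpd project code: a small source audit for the pattern the report describes, listing `apr_sleep()` calls whose argument shows no conversion to microseconds. The sample C text is constructed (only the `st->retry_delay` call is quoted in the thread), and the list of conversion macros checked is an assumption about what counts as a visible conversion.

```python
import re

# APR names that produce or scale to microseconds (apr_time.h); assumed list.
UNIT_MARKERS = ("apr_time_from_sec", "apr_time_from_msec",
                "apr_time_make", "APR_USEC_PER_SEC")

def call_argument(text, open_paren):
    """Return the text between the parenthesis at open_paren and its match."""
    depth = 0
    for i in range(open_paren, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i].strip()
    return text[open_paren + 1:].strip()  # unbalanced input: return the rest

def unconverted_sleeps(source):
    """List (line_number, argument) for apr_sleep() calls whose argument
    contains no seconds/milliseconds-to-microseconds conversion."""
    findings = []
    for m in re.finditer(r"\bapr_sleep\s*\(", source):
        arg = call_argument(source, m.end() - 1)
        if not any(marker in arg for marker in UNIT_MARKERS):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, arg))
    return findings

# Constructed sample C source for the demonstration.
SAMPLE = """\
static void wait_a(util_ldap_state_t *st) {
    apr_sleep(st->retry_delay);
}
static void wait_b(void) {
    apr_sleep(apr_time_from_sec(5));
}
static void wait_c(int ms) {
    apr_sleep(apr_time_from_msec((ms)));
}
"""

if __name__ == "__main__":
    for line_no, arg in unconverted_sleeps(SAMPLE):
        print(f"line {line_no}: apr_sleep({arg}) has no visible unit conversion")
```

A flagged call is a lead to trace, not a confirmed defect: the variable may have been converted where it was assigned, so follow it back to the configuration handler as the report does.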
