ASF Bugzilla – Attachment 38436 Details for
Bug 66355
Wrong unit for LDAP/LDAPRetryDelay
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
Just the bug notes.
bug-notes.txt (text/plain), 1.67 KB, created by
Stephen Blott
on 2022-11-18 10:22:30 UTC
(
hide
)
Description:
Just the bug notes.
Filename:
MIME Type:
Creator:
Stephen Blott
Created:
2022-11-18 10:22:30 UTC
Size:
1.67 KB
patch
obsolete
>Issue: > LDAP configuration option LDAPRetryDelay... > > The Documentation suggests that the unit is seconds: > https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay > > The code suggests that the unit is microseconds (see code chase, below). > >Effect: > Apache sometimes issues a burst of almost simultaneous LDAP requests. > > (In my organisation, this is "catastrophic" since, if the password is > incorrect, it appears as N failed login attempts, and the account is > instantly blocked (after just a single attempt). In practice, > 've observed N in the region of 5 to 7.) > >Configuration option: > > LDAPRetryDelay 5 (for example) > > This sets the retry delay for LDAP connections. > > In the code, this ends up here... > >In util_ldap_set_retry_delay (util_ldap.c:2859): > > st->retry_delay = timeout; > > Note... no unit conversion takes place; the code just checks that it's > a non-negative integer and notes the value for later. > >The delay is implemented in httpd/modules/ldap/util_ldap.c:668: > > apr_sleep(st->retry_delay); > > Note... we still appear to have the raw value from the configuration > file (nominally in seconds. > >If you search the code, you will find that apr_sleep is ALMOST ALWAYS >called like this: > > apr_sleep(apr_time_from_sec(XXXX)) > > That is, the unit expected is whatever is returned by apr_time_from_sec(). > >In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h): > > /** number of microseconds per second */ > #define APR_USEC_PER_SEC APR_TIME_C(1000000) > > . > . > . > > /** @return seconds as an apr_time_t */ > #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC) > > So, the result of apr_time_from_sec is in microseconds.
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=38436">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 66355
: 38436