Bug 66357 - Apache is issuing bursts of almost simultaneous LDAP search/bind requests
Status: NEW
Product: Apache httpd-2
Component: mod_ldap
Version: 2.4.54
Hardware: PC All
Importance: P2 normal
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2022-11-19 12:33 UTC by Stephen Blott
Modified: 2022-11-19 12:33 UTC
Description Stephen Blott 2022-11-19 12:33:31 UTC
Issue:
  Apache is issuing bursts of almost simultaneous LDAP search/bind requests.

  In my organisation, this is causing a single incorrect password attempt
  to appear as many failed LDAP requests, immediately locking the user's
  account.

  I reported this but with an incorrect diagnosis yesterday:
    https://bz.apache.org/bugzilla/show_bug.cgi?id=66355

  Sorry about that.  My diagnosis was incorrect, but there definitely is an
  issue here.

Version: 2.4.54 (Debian).
  Where I quote line numbers below, they are from the 2.4.x branch of the
  code from GitHub: https://github.com/apache/httpd

Log:
  Here's an extract from the Apache error log (slightly edited):

  698114627328] util_ldap.c(757): [client ZZ.ZZ.ZZ.ZZ:55832] Reuse unbound LDC 7f0e0d5d90a0, referer: XXXXX
  id 139698114627328] mod_authnz_ldap.c(548): [client ZZ.ZZ.ZZ.ZZ:55832] AH01691: auth_ldap authenticate: using URL ldap://YYYYY, referer: XXXXX
  tid 139698114627328] mod_authnz_ldap.c(554): [client ZZ.ZZ.ZZ.ZZ:55832] auth_ldap authenticate: final authn filter is (&(uid=*)(uid=UUUUU)), referer: XXXXX
  698114627328] util_ldap.c(343): [client ZZ.ZZ.ZZ.ZZ:55832] LDC 7f0e0d5d90a0 init, referer: XXXXX
  698114627328] util_ldap.c(393): AH01278: LDAP: Setting referrals to On.
  698064271104] util_ldap.c(757): [client ZZ.ZZ.ZZ.ZZ:55836] Reuse unbound LDC 7f0e0d5d90a0, referer: XXXXX

  I think the problem is the first and last lines.  This message occurs
  multiple times from Apache when I see multiple requests on the LDAP
  server (and only then).

  Here, I saw two simultaneous requests on the server; sometimes it's as
  many as 7-8.

Diagnoses:
  My previous diagnosis was incorrect:
    https://bz.apache.org/bugzilla/show_bug.cgi?id=66355

  So my confidence in this is low, but...

  There's something odd about the mutex code in:

    httpd/modules/ldap/util_ldap.c
      uldap_connection_find()
        (starts line 708 in github/2.4.x branch)
        http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l708

  Specifically, the for loop containing the "Reuse unbound LDC" message:
    starting line 736:
      http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l736

  More specifically, the "break" at line 761:
    http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l761

  This break jumps out of the loop, thereby skipping the call to:

    apr_thread_mutex_unlock(l->lock);

  on line 767:
    http://svn.apache.org/viewvc/httpd/httpd/tags/2.4.54/modules/ldap/util_ldap.c?revision=1901749&view=markup#l767

  (The mutex was acquired on line 738, inside and at the top of the for loop)

  So, it is possible that a mutex is being retained incorrectly?

  If my diagnosis is incorrect, then there nevertheless does remain an
  issue.

Thank you for your time.
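The reporter's suspicion is a classic lock-leak pattern: a mutex acquired at the top of a loop body and released at the bottom, with an early `break` that exits between the two. The program below is an added illustration of that pattern and is not code from httpd's util_ldap.c; the `conn_pool`/`conn_entry` structures, field names and the sample pool contents are constructed for this example. It shows the leaky loop, a `pthread_mutex_trylock`-based check a reviewer or test can use to prove the lock is still held after the call returns, and a corrected form that holds the lock once across the scan and releases it on the single exit path.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a pool of cached connections guarded by one
 * mutex. Nothing here is taken from httpd; names and layout are invented. */
struct conn_entry {
    bool bound;     /* a bind has already been issued on this entry */
    int refcount;   /* number of callers currently using it */
};

struct conn_pool {
    pthread_mutex_t lock;
    struct conn_entry entries[4];
    size_t count;
};

/* Constructed sample state: entry 0 is already bound, the rest are not. */
void pool_init(struct conn_pool *p, size_t count)
{
    pthread_mutex_init(&p->lock, NULL);
    p->count = count;
    for (size_t i = 0; i < count; i++) {
        p->entries[i].bound = (i == 0);
        p->entries[i].refcount = 0;
    }
}

/* Reports whether p->lock is currently held, without blocking: trylock on
 * a default mutex returns EBUSY when anyone (including us) holds it. */
bool pool_lock_is_held(struct conn_pool *p)
{
    if (pthread_mutex_trylock(&p->lock) == EBUSY)
        return true;
    pthread_mutex_unlock(&p->lock);   /* we just acquired it; give it back */
    return false;
}

/* Leaky pattern: lock at the top of each iteration, unlock at the bottom,
 * but the early break exits between the two. Returns the reserved index
 * or -1 if none was free. */
int find_unbound_leaky(struct conn_pool *p)
{
    int found = -1;
    for (size_t i = 0; i < p->count; i++) {
        pthread_mutex_lock(&p->lock);
        if (!p->entries[i].bound && p->entries[i].refcount == 0) {
            p->entries[i].refcount++;
            found = (int)i;
            break;   /* leaves the loop with p->lock still held */
        }
        pthread_mutex_unlock(&p->lock);
    }
    return found;
}

/* Corrected form: one acquire before the scan, one release after it, so no
 * early exit from the loop can skip the unlock. Same result as above. */
int find_unbound_fixed(struct conn_pool *p)
{
    int found = -1;
    pthread_mutex_lock(&p->lock);
    for (size_t i = 0; i < p->count; i++) {
        if (!p->entries[i].bound && p->entries[i].refcount == 0) {
            p->entries[i].refcount++;
            found = (int)i;
            break;
        }
    }
    pthread_mutex_unlock(&p->lock);
    return found;
}

int main(void)
{
    struct conn_pool leaky, fixed;
    pool_init(&leaky, 3);
    pool_init(&fixed, 3);

    int a = find_unbound_leaky(&leaky);
    printf("leaky: reserved entry %d, lock held afterwards: %s\n",
           a, pool_lock_is_held(&leaky) ? "yes" : "no");
    pthread_mutex_unlock(&leaky.lock);   /* release the leaked lock */

    int b = find_unbound_fixed(&fixed);
    printf("fixed: reserved entry %d, lock held afterwards: %s\n",
           b, pool_lock_is_held(&fixed) ? "yes" : "no");
    return 0;
}
```

The `pool_lock_is_held` probe is the useful part for triage: calling it immediately after the function under suspicion turns "I think the break skips the unlock" into a yes/no answer, and the same probe can be dropped into a unit test so the fix cannot regress. Holding the lock across the whole scan is also the simpler invariant to review, since there is exactly one lock and one unlock to match up.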