Bug 66357 - Apache is issuing bursts of almost simultaneous LDAP search/bind requests
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ldap
Version: 2.4.54
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2022-11-19 12:33 UTC by Stephen Blott
Modified: 2022-11-19 12:33 UTC
Description Stephen Blott 2022-11-19 12:33:31 UTC
  Apache is issuing bursts of almost simultaneous LDAP search/bind requests.

  In my organisation, this is causing a single incorrect password attempt
  to appear as many failed LDAP requests, immediately locking the user's

  I reported this but with an incorrect diagnosis yesterday:

  Sorry about that.  My diagnosis was incorrect, but there definitely is an
  issue here.

Version: 2.4.54 (Debian).
  Where I quote line numbers below, they are from the 2.4.x branch of the
  code from GitHub: https://github.com/apache/httpd

  Here's an extract from the Apache error log (slightly edited):

  698114627328] util_ldap.c(757): [client ZZ.ZZ.ZZ.ZZ:55832] Reuse unbound LDC 7f0e0d5d90a0, referer: XXXXX
  id 139698114627328] mod_authnz_ldap.c(548): [client ZZ.ZZ.ZZ.ZZ:55832] AH01691: auth_ldap authenticate: using URL ldap://YYYYY, referer: XXXXX
  tid 139698114627328] mod_authnz_ldap.c(554): [client ZZ.ZZ.ZZ.ZZ:55832] auth_ldap authenticate: final authn filter is (&(uid=*)(uid=UUUUU)), referer: XXXXX
  698114627328] util_ldap.c(343): [client ZZ.ZZ.ZZ.ZZ:55832] LDC 7f0e0d5d90a0 init, referer: XXXXX
  698114627328] util_ldap.c(393): AH01278: LDAP: Setting referrals to On.
  698064271104] util_ldap.c(757): [client ZZ.ZZ.ZZ.ZZ:55836] Reuse unbound LDC 7f0e0d5d90a0, referer: XXXXX

  I think the problem is the first and last lines.  This message occurs
  multiple times from Apache when I see multiple requests on the LDAP
  server (and only then).

  Here, I saw two simultaneous requests on the server; sometimes it's as
  many as 7-8.

  My previous diagnosis was incorrect:

  So my confidence in this is low, but...

  There's something odd about the mutex code in:

        (starts line 708 in github/2.4.x branch)

  Specifically, the for loop containing the "Reuse unbound LDC" message:
    starting line 736:

  More specifically, the "break" at line 761:

  This break jumps out of the loop, thereby skipping the call to:


  on line 767:

  (The mutex was acquired on line 738, inside and at the top of the for loop)

  So, it is possible that a mutex is being retained incorrectly?

  If my diagnosis is incorrect, then there nevertheless does remain an

Thank you for your time.
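
Added example (not part of the report and not httpd project code): a log check for the pattern the reporter points at, where the same LDC is logged as "Reuse unbound LDC" by different threads within a short window. It assumes Apache 2.4's default ErrorLogFormat at debug level; the sample lines, the one-second window and the name find_reuse_bursts are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache 2.4's default ErrorLogFormat at LogLevel debug.
# Timestamps, pid, client address and the second LDC value are made up; the
# messages and the first LDC/tid values follow the extract in the report.
SAMPLE_LOG = """\
[Sat Nov 19 12:30:01.100200 2022] [ldap:debug] [pid 4242:tid 139698114627328] util_ldap.c(757): [client 192.0.2.10:55832] Reuse unbound LDC 7f0e0d5d90a0, referer: XXXXX
[Sat Nov 19 12:30:01.100900 2022] [ldap:debug] [pid 4242:tid 139698114627328] util_ldap.c(343): [client 192.0.2.10:55832] LDC 7f0e0d5d90a0 init, referer: XXXXX
[Sat Nov 19 12:30:01.101500 2022] [ldap:debug] [pid 4242:tid 139698064271104] util_ldap.c(757): [client 192.0.2.10:55836] Reuse unbound LDC 7f0e0d5d90a0, referer: XXXXX
[Sat Nov 19 12:31:40.000000 2022] [ldap:debug] [pid 4242:tid 139698064271104] util_ldap.c(757): [client 192.0.2.10:55840] Reuse unbound LDC 7f0e0d5e10b0, referer: XXXXX
"""

# Timestamp, thread id and LDC address of each "Reuse unbound LDC" line.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid \d+:tid (?P<tid>\d+)\] "
    r".*?Reuse unbound LDC (?P<ldc>[0-9a-f]+)"
)


def find_reuse_bursts(log_text, window=timedelta(seconds=1)):
    """Return {ldc: [(timestamp, tid), ...]} for each LDC that two or more
    distinct threads logged as 'Reuse unbound' within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            events[m["ldc"]].append((ts, m["tid"]))
    bursts = {}
    for ldc, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # All reuse events for this LDC that fall inside the window.
            group = [e for e in seen[i:] if e[0] - start <= window]
            if len({tid for _, tid in group}) >= 2:
                bursts[ldc] = group
                break
    return bursts


if __name__ == "__main__":
    for ldc, group in find_reuse_bursts(SAMPLE_LOG).items():
        print(ldc, [(ts.isoformat(), tid) for ts, tid in group])
```

Comparing the flagged timestamps with failed-bind entries on the LDAP server shows whether the bursts line up with the lockouts described above.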