Issue 9320 - ldapsearch nettimeout doesn't work with startTLS when the server address is not reachable
Status: VERIFIED DUPLICATE of issue 8047
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: client tools
Version: 2.5.4
Hardware: All All
Priority: --- Severity: normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Duplicates: 9321
Depends on:
Blocks:
 
Reported: 2020-08-21 03:12 UTC by Allen Zhang
Modified: 2020-09-03 15:12 UTC

See Also:
Description Allen Zhang 2020-08-21 03:12:45 UTC
We found that ldapsearch doesn't return with failure according to the nettimeout when the server address is not valid. It fails only after the TCP timeout (about 120 seconds in my environment).
We dug into the source code and found that:
In common.c, we set the nettimeout after ldap_start_tls_s is called.
We tried to call "ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, (void *) &nettimeout )" before ldap_start_tls_s and it works well!
Comment 1 Quanah Gibson-Mount 2020-08-21 14:52:15 UTC
*** Issue 9321 has been marked as a duplicate of this issue. ***
Comment 2 Quanah Gibson-Mount 2020-08-25 20:34:09 UTC
In all likelihood, you simply lucked out here.  We generally can't set a timeout here because it would require the library functions to use async I/O and not all engines are async capable, you can see this from the OpenSSL documentation.


SSL_MODE_ASYNC
    Enable asynchronous processing. TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations.
Comment 3 Allen Zhang 2020-08-28 08:19:11 UTC
Thanks for your reply!
We haven't dug into the SSL yet (we will).
It's really hard to explain it as luck...
Anyway, do you have any suggestion to make the network timeout work properly?
Comment 4 Quanah Gibson-Mount 2020-08-28 15:03:46 UTC
(In reply to Allen Zhang from comment #3)
> Thanks for your reply!
> We haven't dug into the SSL yet (we will).
> It's really hard to explain it as luck...
> Anyway, do you have any suggestion to make the network time out work
> properly?

All SSL engines would need to be async at the SSL library level.
Comment 5 Quanah Gibson-Mount 2020-08-31 23:36:57 UTC

*** This issue has been marked as a duplicate of issue 8047 ***
Comment 6 Allen Zhang 2020-09-03 09:30:06 UTC
We have some new findings:
The setup is below:
Comment 7 Allen Zhang 2020-09-03 09:34:35 UTC
We have some new findings:

The first test setup is below:
1. the server's IP is accessible.
2. server listens on the port.

test result:
ldapsearch will not time out, whatever we set.

The second test setup is below:
1. the server's IP is NOT accessible.

test result:

ldapsearch will time out only after the TCP timeout (about 120 seconds), but not at the timeout value we set.

With our "fix version", ldapsearch will timeout according to our timeout value.
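The two scenarios in comment 7 and the workaround question in comment 3 can be exercised from the shell. The script below is an added example, not code from the OpenLDAP tree or from anyone on this ticket. It wraps ldapsearch in a wall-clock deadline enforced by coreutils `timeout`, which bounds the run regardless of where libldap applies LDAP_OPT_NETWORK_TIMEOUT: the report says common.c sets the option only after ldap_start_tls_s, and comment 2 says the TLS I/O itself is synchronous, so `-o nettimeout` alone cannot be relied on for the StartTLS path. The host 192.0.2.10 (TEST-NET-1, so the connect cannot succeed), the base DN and the 5 s / 10 s values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of OpenLDAP or of this ticket.
# External deadline for ldapsearch. libldap's nettimeout only governs the
# connect it is set before, and the StartTLS path is reported here to ignore
# it, so the deadline is enforced from outside the process with coreutils
# `timeout`, which exits with status 124 when it fires.

# run_with_deadline SECONDS CMD [ARGS...]
# Runs CMD under a SECONDS deadline, prints "status=<n> elapsed=<s>s" and
# returns CMD's exit status (124 if the deadline fired first).
run_with_deadline() {
    deadline=$1; shift
    start=$(date +%s)
    timeout "$deadline" "$@"
    status=$?
    elapsed=$(( $(date +%s) - start ))
    echo "status=$status elapsed=${elapsed}s"
    return "$status"
}

# deadline_fired STATUS: true when the wrapper, not the command, ended the run.
deadline_fired() {
    [ "$1" -eq 124 ]
}

# The ticket's second scenario: unreachable address, StartTLS forced (-ZZ),
# client-side nettimeout of 5 s, outer deadline of 10 s. If libldap honoured
# nettimeout here the run would end in ~5 s on its own; if it waits for the
# ~120 s TCP timeout instead, `timeout` ends it at 10 s with status 124.
# Host, base DN and values are assumptions for illustration.
ldap_probe() {
    host=${1:-192.0.2.10}
    run_with_deadline 10 ldapsearch -H "ldap://$host" -ZZ \
        -o nettimeout=5 -x -b 'dc=example,dc=com' -s base '(objectClass=*)'
}

# Example invocation (needs ldapsearch on PATH):
#   ldap_probe 192.0.2.10; deadline_fired $? && echo "nettimeout not honoured"
```

Running `ldap_probe` against a listening-but-silent port reproduces the first scenario from comment 7 in the same way: whatever `-o nettimeout` is set to, the outer deadline is what actually ends the run, which is the behaviour a monitoring or provisioning job should depend on until the library itself bounds the StartTLS exchange.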
Comment 8 Quanah Gibson-Mount 2020-09-03 15:12:22 UTC
(In reply to Allen Zhang from comment #7)

Stop updating this ticket, if you want this looked at use the parent 8047.