We found that ldapsearch doesn't return with failure according to the nettimeout when the server address is not valid. It fails only after the TCP timeout (about 120 seconds in my environment). We dug into the source code and found that in common.c, we set the nettimeout after ldap_start_tls_s is called. We tried to call "ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, (void *) &nettimeout )" before ldap_start_tls_s and it works well!
*** Issue 9321 has been marked as a duplicate of this issue. ***
In all likelihood, you simply lucked out here. We generally can't set a timeout here because it would require the library functions to use async I/O, and not all engines are async capable; you can see this from the OpenSSL documentation: "SSL_MODE_ASYNC: Enable asynchronous processing. TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations."
Thanks for your reply! We haven't dug into the SSL yet. (We will do.) It's really hard to explain it as luck... Anyway, do you have any suggestions to make the network timeout work properly?
(In reply to Allen Zhang from comment #3)
> Thanks for your reply!
> We haven't dug into the SSL yet. (We will do.)
> It's really hard to explain it as luck...
> Anyway, do you have any suggestions to make the network timeout work
> properly?

All SSL engines would need to be async at the SSL library level.
*** This issue has been marked as a duplicate of issue 8047 ***
We have some new findings: the setup is below:
We have some new findings.

The first test has the setup below:
1. The server's IP is accessible.
2. The server listens on the port.
Test result: ldapsearch will not time out whatever we set.

The second test has the setup below:
1. The server's IP is NOT accessible.
Test result: ldapsearch will time out only after the TCP timeout (about 120 seconds), but not the timeout value we set. With our "fix version", ldapsearch will time out according to our timeout value.
(In reply to Allen Zhang from comment #7) Stop updating this ticket; if you want this looked at, use the parent 8047.