[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8979) The -l <timelimit> or -o nettimeout=<timelimit> don't limit DNS lookup time

Full_Name: .var Arnfj.r. Bjarmason
Version: 2.4.44-21
OS: CentOS 7.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

On a setup where you have a blackholed DNS server:

$ grep ^name /etc/resolv.conf

Running e.g.:

$ time ldapsearch -l 2 -o nettimeout=1 [...]

Will (on my system) eventually return:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

real    0m24.039s
user    0m0.004s
sys     0m0.007s

It'll take around 48 seconds if I have two DNS servers. Running strace(1) on it
reveals that it's sitting in a socket/connect/poll loop trying to lookup the
hostname of the LDAP server I'm trying to talk to.

Instead one of these options should limit time spent on DNS lookups, or there
should be another option, so that you can run ldapsearch with a combination of
these options and be sure that it'll run in at most the <timeout> you give it.

As a workaround I'm using ldapsearch with /usr/bin/timeout, but since it kills
it if it exceeds the timeout I don't get a meaningful error.