[Date Prev][Date Next]
(ITS#8979) The -l <timelimit> or -o nettimeout=<timelimit> don't limit DNS lookup time
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#8979) The -l <timelimit> or -o nettimeout=<timelimit> don't limit DNS lookup time
- From: email@example.com
- Date: Mon, 18 Feb 2019 15:31:33 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: .var Arnfj.r. Bjarmason
OS: CentOS 7.6
Submission from: (NULL) (18.104.22.168)
On a setup where you have a blackholed DNS server:
$ grep ^name /etc/resolv.conf
$ time ldapsearch -l 2 -o nettimeout=1 [...]
Will (on my system) eventually return:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It'll take around 48 seconds if I have two DNS servers. Running strace(1) on it
reveals that it's sitting in a socket/connect/poll loop trying to lookup the
hostname of the LDAP server I'm trying to talk to.
Instead one of these options should limit time spent on DNS lookups, or there
should be another option, so that you can run ldapsearch with a combination of
these options and be sure that it'll run in at most the <timeout> you give it.
As a workaround I'm using ldapsearch with /usr/bin/timeout, but since it kills
it if it exceeds the timeout I don't get a meaningful error.