Re: (ITS#8979) The -l <timelimit> or -o nettimeout=<timelimit> don't limit DNS lookup time

[hyc@symas.com]

avarab@gmail.com wrote:
> Full_Name: .var Arnfj.r. Bjarmason
> Version: 2.4.44-21
> OS: CentOS 7.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (5.57.21.154)
> 
> 
> On a setup where you have a blackholed DNS server:
> 
> $ grep ^name /etc/resolv.conf
> nameserver 1.2.3.4
> 
> Running e.g.:
> 
> $ time ldapsearch -l 2 -o nettimeout=1 [...]
> 
> Will (on my system) eventually return:
> 
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> real    0m24.039s
> user    0m0.004s
> sys     0m0.007s
> 
> It'll take around 48 seconds if I have two DNS servers. Running strace(1) on it
> reveals that it's sitting in a socket/connect/poll loop trying to lookup the
> hostname of the LDAP server I'm trying to talk to.
> 
> Instead one of these options should limit time spent on DNS lookups, or there
> should be another option, so that you can run ldapsearch with a combination of
> these options and be sure that it'll run in at most the <timeout> you give it.

The current code in libldap uses gethostbyname() and this API doesn't offer
any parameters for setting a timeout. You can configure a timeout in your
system's /etc/resolv.conf or using RES_OPTIONS environment variable. Read your
system's resolver(5) manpage.

If you know of any widely available resolver API that allows specifying a timeout
on individual queries, you're welcome to submit a patch supporting this feature.
The standard -lresolv doesn't provide such an interface.

Closing this ITS.

> As a workaround I'm using ldapsearch with /usr/bin/timeout, but since it kills
> it if it exceeds the timeout I don't get a meaningful error.


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/