Re: (ITS#8979) The -l <timelimit> or -o nettimeout=<timelimit> don't limit DNS lookup time
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8979) The -l <timelimit> or -o nettimeout=<timelimit> don't limit DNS lookup time
- From: firstname.lastname@example.org
- Date: Mon, 18 Feb 2019 16:19:03 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Ævar Arnfjörð Bjarmason
> Version: 2.4.44-21
> OS: CentOS 7.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (22.214.171.124)
> On a setup where you have a blackholed DNS server:
> $ grep ^name /etc/resolv.conf
> nameserver 126.96.36.199
> Running e.g.:
> $ time ldapsearch -l 2 -o nettimeout=1 [...]
> Will (on my system) eventually return:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> real 0m24.039s
> user 0m0.004s
> sys 0m0.007s
> It'll take around 48 seconds if I have two DNS servers. Running strace(1) on it
> reveals that it's sitting in a socket/connect/poll loop trying to look up the
> hostname of the LDAP server I'm trying to talk to.
> Instead one of these options should limit time spent on DNS lookups, or there
> should be another option, so that you can run ldapsearch with a combination of
> these options and be sure that it'll run in at most the <timeout> you give it.
The current code in libldap uses gethostbyname() and this API doesn't offer
any parameters for setting a timeout. You can configure a timeout in your
system's /etc/resolv.conf or using the RES_OPTIONS environment variable. Read your
system's resolver(5) manpage.
If you know of any widely available resolver API that allows specifying a timeout
on individual queries, you're welcome to submit a patch supporting this feature.
The standard -lresolv doesn't provide such an interface.
Closing this ITS.
> As a workaround I'm using ldapsearch with /usr/bin/timeout, but since it kills
> it if it exceeds the timeout I don't get a meaningful error.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
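
An added example, not part of the original thread or of OpenLDAP: a shell wrapper that combines the two approaches mentioned above, setting the resolver(5) timeout through RES_OPTIONS and enforcing a hard deadline with timeout(1) while reporting a meaningful error when the deadline is hit. The function name bounded_run and the RES_TIMEOUT / RES_ATTEMPTS variables are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example (not OpenLDAP code). bounded_run, RES_TIMEOUT and
# RES_ATTEMPTS are hypothetical names used only in this sketch.

# bounded_run DEADLINE_SECONDS CMD [ARGS...]
#   Runs CMD with a short resolver timeout and a hard wall-clock deadline.
#   Returns CMD's exit status, or 124 if the deadline was exceeded.
bounded_run() {
    deadline=$1
    shift

    # resolver(5) options: per-query timeout in seconds and number of
    # attempts. The resolver may still try every nameserver in
    # /etc/resolv.conf, so the total lookup time can exceed the per-query
    # timeout; the outer deadline below covers that case.
    RES_OPTIONS="timeout:${RES_TIMEOUT:-1} attempts:${RES_ATTEMPTS:-1}" \
        timeout "$deadline" "$@"
    rc=$?

    # timeout(1) exits with 124 when it had to kill the command; turn that
    # into an explicit message instead of a silent termination.
    if [ "$rc" -eq 124 ]; then
        echo "bounded_run: '$1' exceeded the ${deadline}s deadline" \
             "(DNS or LDAP server unreachable?)" >&2
    fi
    return "$rc"
}

# Usage with the command from the report (arguments elided as in the report):
#   bounded_run 5 ldapsearch -l 2 -o nettimeout=1 [...]
```

A monitoring script can then treat exit status 124 as "no answer within the deadline" and any other non-zero status as an error reported by the command itself.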