Re: ldap_bind_st() call

Thomas Egerer wrote:
> On 06/27/2011 11:58 AM, Howard Chu schrobtete:
>> Thomas Egerer wrote:
>>> On 06/24/2011 09:15 PM, Howard Chu schrobtete:
>>>> You appear to be using a very old version of OpenLDAP then.
>>> This is correct, I am currently using openldap 2.1.30, still...
>>
>> You're supposed to provide your version info at the *beginning* of the
>> discussion. OpenLDAP 2.1 was obsoleted in 2004.
> You're right, my bad. This mail refers to the current git-version of
> openldap (052ac2f ITS#6828 silence warning in prev commit).
>
>>>> The LDAP_OPT_TIMEOUT setting will timeout any synchronous request, and
>>>> has done so since early 2007 at least.
>>> ... I cannot confirm this. Even when I use openldap 2.4.23 I can
>>> reproduce my DoS-scenario by starting a 'nc -l localhost -p 389' and
>>> performing an 'ldapsearch -l 5 -h localhost ...' which ends up in an
>>> unresponsive ldapsearch.
>>
>> The "-l" option to ldapsearch sets the Search Request time limit, which
>> is not the same as the API timeout that LDAP_OPT_TIMEOUT controls.
> As far as I can read from the default value which is controlled by the
> LDAP_OPT_TIMEOUT option is -1 which means an infinite waiting time.
> Wouldn't it make sense then, to also use the timeout value given by
> the '-l' option to the LDAP_OPT_TIMEOUT,

No. The -l option tells the server how long to allow a search request to execute once it has started processing. It is specific to search requests only. LDAP_OPT_TIMEOUT affects all LDAP requests made by the client library. The two are completely unrelated. It may be appropriate to set a search time limit of 30 seconds, but on a long search that returns many entries, you would get the first responses much sooner than 30 seconds, so an API timeout of 30 seconds would be ineffective anyway.

> or introduce a separate option
> if you do not want to mix the different timeout values? I don't see any
> chance of telling ldapsearch how to use a timeout value for the

At this point we're no longer in the realm of -devel topics. This is a usage question that belongs on -technical. Read the ldap.conf(5) manpage.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
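
The distinction drawn in this message, as an added example that is not part of the original thread and does not use libldap: the search time limit is only a field inside the request, so against a listener that never answers (the 'nc -l' case) only a client-side wait bound returns control to the caller. The helper names, the base DN and the in-process listener are constructed for illustration, and the socket timeout stands in for the role LDAP_OPT_TIMEOUT plays in the client library.

```python
import socket
import time

def tlv(tag, body):
    """BER tag-length-value, short-form length only (body < 128 bytes)."""
    if len(body) > 127:
        raise ValueError("long-form lengths not implemented in this sketch")
    return bytes([tag, len(body)]) + body

def search_request(msg_id, base, time_limit):
    """Minimal LDAPv3 SearchRequest; msg_id and time_limit must be 0..127."""
    op = (tlv(0x04, base.encode())          # baseObject
          + tlv(0x0A, b"\x02")              # scope: wholeSubtree
          + tlv(0x0A, b"\x00")              # derefAliases: never
          + tlv(0x02, b"\x00")              # sizeLimit: none
          + tlv(0x02, bytes([time_limit]))  # timeLimit: enforced by the server
          + tlv(0x01, b"\x00")              # typesOnly: FALSE
          + tlv(0x87, b"objectClass")       # filter: (objectClass=*)
          + tlv(0x30, b""))                 # attributes: all
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, op))

def silent_listener():
    """Constructed stand-in for 'nc -l': completes the TCP handshake, never replies."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

def search(addr, api_timeout, time_limit=5):
    """Send one search and wait at most api_timeout seconds for any reply."""
    start = time.monotonic()
    with socket.create_connection(addr, timeout=api_timeout) as conn:
        conn.sendall(search_request(1, "dc=example,dc=com", time_limit))
        try:
            outcome = "response" if conn.recv(4096) else "closed"
        except socket.timeout:
            outcome = "api-timeout"
    return outcome, time.monotonic() - start

if __name__ == "__main__":
    srv = silent_listener()
    # timeLimit=5 is in the request, but nothing reads it; only the local
    # 1-second wait bound returns control to the caller.
    print(search(srv.getsockname(), api_timeout=1.0))
    srv.close()
```

Passing `api_timeout=None` makes the receive block indefinitely, which corresponds to the infinite default wait discussed in the thread.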