
Re: (ITS#8979) The -l <timelimit> or -o nettimeout=<timelimit> don't limit DNS lookup time



On Mon, Feb 18, 2019 at 5:18 PM Howard Chu <hyc@symas.com> wrote:
>
> avarab@gmail.com wrote:
> > Full_Name: Ævar Arnfjörð Bjarmason
> > Version: 2.4.44-21
> > OS: CentOS 7.6
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (5.57.21.154)
> >
> >
> > On a setup where you have a blackholed DNS server:
> >
> > $ grep ^name /etc/resolv.conf
> > nameserver 1.2.3.4
> >
> > Running e.g.:
> >
> > $ time ldapsearch -l 2 -o nettimeout=1 [...]
> >
> > Will (on my system) eventually return:
> >
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > real    0m24.039s
> > user    0m0.004s
> > sys     0m0.007s
> >
> > It'll take around 48 seconds if I have two DNS servers. Running strace(1) on it
> > reveals that it's sitting in a socket/connect/poll loop trying to lookup the
> > hostname of the LDAP server I'm trying to talk to.
> >
> > Instead one of these options should limit time spent on DNS lookups, or there
> > should be another option, so that you can run ldapsearch with a combination of
> > these options and be sure that it'll run in at most the <timeout> you give it.
>
> The current code in libldap uses gethostbyname() and this API doesn't offer
> any parameters for setting a timeout. You can configure a timeout in your
> system's /etc/resolv.conf or using RES_OPTIONS environment variable. Read your
> system's resolver(5) manpage.
>
> If you know of any widely available resolver API that allows specifying a timeout
> on individual queries, you're welcome to submit a patch supporting this feature.
> The standard -lresolv doesn't provide such an interface.

That resolv.conf had "options timeout:2". That it didn't kick in is
probably a bug somewhere else, but it would still be handy if
ldapsearch had this itself, since the timeout you use for general
resolutions might not be what you want for ldapsearch.

But implementing that is a mess. This SO post has a summary:
https://stackoverflow.com/questions/24403435/socket-hostname-lookup-timeout-how-to-implement-it

So e.g. there could be a probe for getaddrinfo_a() on GNU systems.

> Closing this ITS.

Fair enough, but is that a "we don't want this ever" or "if someone
submitted a patch for (possibly OS-specific) DNS timeout we'd be
interested"?

> > As a workaround I'm using ldapsearch with /usr/bin/timeout, but since it kills
> > it if it exceeds the timeout I don't get a meaningful error.
>
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
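An added example for the problem discussed in this thread (not code from the poster, from Howard, or from OpenLDAP): a small Python wrapper that bounds the name lookup separately from the connect, then hands ldapsearch an address literal via -H so that -l and -o nettimeout are the only timeouts left in play. getaddrinfo() has no timeout parameter, so the lookup runs in a daemon thread that is abandoned if it does not answer in time, which is the "thread" option from the Stack Overflow summary linked above. The host name ldap.example.test, the 192.0.2.x / 2001:db8:: addresses and the two stand-in resolvers are constructed for illustration; the RES_OPTIONS setting uses the timeout: and attempts: options documented in resolver(5).

```python
"""Bound the DNS step of an ldapsearch call separately from the connect step.

Added example for the ITS thread above; not code from OpenLDAP or the poster.
getaddrinfo() takes no timeout, so the lookup runs in a daemon thread and is
abandoned if it does not answer in time. The resolved address literal is then
passed to ldapsearch via -H, so -l / -o nettimeout cover the rest of the run.
"""
import os
import queue
import socket
import subprocess
import sys
import threading
import time


def resolve_with_timeout(host, timeout, resolver=socket.getaddrinfo):
    """Return the distinct IP literals for host, or raise TimeoutError.

    `resolver` has the socket.getaddrinfo() signature; it is a parameter so the
    timeout path can be exercised without a blackholed nameserver.
    """
    answer = queue.Queue(maxsize=1)

    def worker():
        try:
            answer.put(("ok", resolver(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)))
        except Exception as exc:          # socket.gaierror, OSError, ...
            answer.put(("err", exc))

    # Daemon: a thread stuck in a blackholed lookup must not block interpreter exit.
    threading.Thread(target=worker, daemon=True).start()
    try:
        status, payload = answer.get(timeout=timeout)
    except queue.Empty:
        raise TimeoutError(f"DNS lookup of {host!r} exceeded {timeout}s") from None
    if status == "err":
        raise payload
    addrs = []
    for _family, _type, _proto, _canon, sockaddr in payload:
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def lookup_timed_out(host, timeout, resolver=socket.getaddrinfo):
    """True if the lookup hit the deadline (the symptom in the ITS), else False."""
    try:
        resolve_with_timeout(host, timeout, resolver)
        return False
    except TimeoutError:
        return True


def ldap_uri(ip, port=389, scheme="ldap"):
    """Build an LDAP URI from an address literal; IPv6 literals need brackets."""
    return f"{scheme}://[{ip}]:{port}" if ":" in ip else f"{scheme}://{ip}:{port}"


def bounded_ldapsearch(host, dns_timeout, net_timeout, extra_args=(), port=389):
    """Resolve under dns_timeout, then run ldapsearch with -l / -o nettimeout.

    Returns (exit_status, text). A DNS timeout yields a readable message instead
    of the bare SIGTERM that wrapping the whole command in timeout(1) produces.
    """
    try:
        addrs = resolve_with_timeout(host, dns_timeout)
    except TimeoutError as exc:
        return 1, str(exc)
    except socket.gaierror as exc:
        return 1, f"cannot resolve {host!r}: {exc}"
    cmd = ["ldapsearch", "-H", ldap_uri(addrs[0], port),
           "-l", str(net_timeout), "-o", f"nettimeout={net_timeout}", *extra_args]
    # resolver(5) knobs for any lookup the child process still performs itself.
    env = {**os.environ, "RES_OPTIONS": f"timeout:{max(1, int(dns_timeout))} attempts:1"}
    proc = subprocess.run(cmd, capture_output=True, text=True, env=env)
    return proc.returncode, proc.stdout + proc.stderr


# Constructed stand-ins for the two situations in the thread (not real DNS data).
def fake_resolver(host, port, family, socktype):
    """A healthy answer: one duplicated A record plus one AAAA record."""
    return [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 0)),
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 0)),
        (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::1", 0, 0, 0)),
    ]


def blackholed_resolver(host, port, family, socktype):
    """Mimics `nameserver 1.2.3.4` dropping packets: never answers in time."""
    time.sleep(30)
    return []


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    try:
        print(name, "->", resolve_with_timeout(name, 2.0))
    except (TimeoutError, socket.gaierror) as exc:
        sys.exit(f"error: {exc}")
```

Two caveats before using this in anger. Pinning ldapsearch to the first resolved address discards the fallback across addresses that libldap would otherwise do itself, so on a multi-homed directory you may want to loop over `addrs`. And with ldaps:// or StartTLS, an address literal in -H will fail certificate hostname checking unless the server certificate carries an IP SAN, so for TLS keep the hostname in -H and rely on the resolver(5) settings instead.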