LDAP timeout options

Started by Roman Khapov, 7 days ago, 2 messages, hackers
#1 Roman Khapov
rkhapov@yandex-team.ru

Hi hackers!

While working on connection stall problems with external LDAP authentication for https://github.com/yandex/odyssey [0], I noticed
that the problem can be relevant for Postgres too: when LDAP timeout options are not set and auth operations are taking
a long time, the connection (or backend slot) can be held for an undefined amount of time, causing various problems on the server side.

It seems that for some installations these times should be configurable, so I made a POC patch (attached) that adds new
LDAP hba options: ldapnetworktimeout and ldaptimeout, which allow configuring LDAP_OPT_SEND_TIMEOUT/LDAP_OPT_NETWORK_TIMEOUT and LDAP_OPT_TIMELIMIT/LDAP_OPT_TIMEOUT for LDAP* objects.

Any thoughts on this?

[0]: https://github.com/yandex/odyssey

Attachments:

0001-Add-timeout-options-for-LDAP-authentication-connecti.patch (+165 -7)
#2 Zsolt Parragi
zsolt.parragi@percona.com
In reply to: Roman Khapov (#1)
Re: LDAP timeout options

Hello

+#ifdef WIN32
+	option = (ULONG) port->hba->ldaptimeout;
+	if (port->hba->ldaptimeout != LDAP_NO_LIMIT
+		&& (r = ldap_set_option(*ldap, LDAP_OPT_TIMELIMIT, &option)) != LDAP_SUCCESS)
+#else
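
Review bot: this branch skips ldap_set_option when ldaptimeout equals LDAP_NO_LIMIT (0), while the ldapnetworktimeout branch quoted further down uses -1 for "not specified"; if an unset ldaptimeout is also stored as 0, the code cannot distinguish "not specified" from an explicit 0, even though the documentation hunk describes those two cases differently (library default vs. disabled). Suggest one "unset" sentinel for both options, plus a code comment stating what LDAP_OPT_TIMELIMIT bounds on Windows, since the Microsoft page cited in this thread describes it as a limit on server-side bind/search processing rather than on the client's wait for an unreachable server.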

According to https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/session-options [1], LDAP_OPT_TIMELIMIT is "A limit on the number of seconds the server will wait to complete a bind. This also specifies the limit on the number of seconds the server spends on a search." The patch documentation states:

+       Maximum time in seconds to wait for the completion of a
+       synchronous LDAP operation, such as a search or bind request.
+       A value of 0 disables the timeout.  If not specified, the
+       behavior depends on the LDAP client library configuration
+       (typically no timeout).
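
Review bot: "Maximum time in seconds to wait for the completion of a synchronous LDAP operation" overstates what the option does on Windows, where the code above maps it to LDAP_OPT_TIMELIMIT, which the quoted Microsoft documentation describes as a limit on the seconds the server spends on a bind or search; suggest saying so here and pointing readers at ldapnetworktimeout for the case where the server does not respond at all.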

To me this reads as saying that if I specify this setting alone (without the other), this timeout value should save me from timeouts in synchronous operations. But based on the Microsoft documentation, it doesn't: it still requires a reachable LDAP server, and it only limits how much time the server spends on the operation.

+	if (port->hba->ldapnetworktimeout != -1
+		&& (r = ldap_set_option(*ldap, LDAP_OPT_NETWORK_TIMEOUT, &tv)) != LDAP_SUCCESS)
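
Review bot: the condition only skips LDAP_OPT_NETWORK_TIMEOUT for -1, so a configured value of 0 reaches ldap_set_option through tv; how tv is filled is not in the quoted lines, but unless it turns 0 into tv_sec = -1 (the non-Windows "no timeout" value discussed in this thread), a 0 would set a zero-second network timeout instead of disabling it as the documentation promises. Suggest either mapping 0 to tv_sec = -1 when building tv, or extending the condition to also skip 0 and documenting that 0 leaves the library default.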

and

+        Maximum time in seconds to wait for a response from the LDAP
+        server when establishing a connection or waiting for data on an
+        existing connection.  A value of 0 disables the timeout.

On non-windows the disabling value is -1, which can't be specified because the validator rejects it:

+		REQUIRE_AUTH_OPTION(uaLDAP, "ldaptimeout", "ldap");
+		long_val = strtol(val, &endp, 10);
+		if (endp == val || long_val > INT_MAX || long_val < 0)
+		{
+			ereport(elevel,
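
Review bot: the check `if (endp == val || long_val > INT_MAX || long_val < 0)` accepts trailing characters ("30s" parses as 30) and misses overflow on platforms where long is 32-bit, because strtol then saturates at LONG_MAX == INT_MAX and passes the `> INT_MAX` test; suggest setting `errno = 0` before the strtol call and adding `errno == ERANGE || *endp != '\0'` to the rejection condition.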

Is a step mapping 0 to -1 missing from the non-WIN32 branch?

[1]: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/session-options
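The two points raised above (strict validation of the hba value, and turning the documented "0 disables" into the non-Windows -1 sentinel), as an added example written for this thread rather than code from the patch or from PostgreSQL; LDAP_TIMEOUT_UNSET and both function names are assumed, and the tv_sec = -1 convention is taken from the thread's reading of OpenLDAP.

```c
/* Added example for this thread (not code from the patch or PostgreSQL):
 * strict parsing of an hba LDAP timeout value, and translation of the
 * documented "0 disables" value to the non-Windows tv_sec = -1 sentinel. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/time.h>

#define LDAP_TIMEOUT_UNSET (-1)   /* assumed "option not given" marker */
/* Returns 0 and stores the seconds value, or -1 for: no digits, trailing
 * characters, a negative value, or overflow (the ERANGE check also catches
 * platforms where long == int and strtol saturates at INT_MAX). */
int parse_ldap_timeout_option(const char *val, int *out)
{
    char *endp;
    long long_val;
    errno = 0;
    long_val = strtol(val, &endp, 10);
    if (errno == ERANGE || endp == val || *endp != '\0')
        return -1;
    if (long_val < 0 || long_val > INT_MAX)
        return -1;
    *out = (int) long_val;
    return 0;
}
/* Returns 0 when the option was not given (leave the library default),
 * otherwise fills tv and returns 1.  A configured 0 means "no timeout",
 * which the thread says OpenLDAP expresses as tv_sec = -1, not a 0 s wait. */
int ldap_network_timeout_to_timeval(int secs, struct timeval *tv)
{
    if (secs == LDAP_TIMEOUT_UNSET)
        return 0;
    tv->tv_sec = (secs == 0) ? -1 : secs;
    tv->tv_usec = 0;
    return 1;
}

/* Check helpers: parsed value, or -2 when rejected; the tv_sec that would
 * be passed to LDAP_OPT_NETWORK_TIMEOUT, or -2 when the option stays unset. */
int parsed_timeout_or_error(const char *val)
{
    int v;
    return parse_ldap_timeout_option(val, &v) == 0 ? v : -2;
}
long network_timeout_tv_sec(int secs)
{
    struct timeval tv;
    return ldap_network_timeout_to_timeval(secs, &tv) ? (long) tv.tv_sec : -2;
}
```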