On Mon, Feb 18, 2019 at 5:18 PM Howard Chu <hyc(a)symas.com> wrote:
> Full_Name: .var Arnfj.r. Bjarmason
> Version: 2.4.44-21
> OS: CentOS 7.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (188.8.131.52)
> On a setup where you have a blackholed DNS server:
> $ grep ^name /etc/resolv.conf
> nameserver 184.108.40.206
> Running e.g.:
> $ time ldapsearch -l 2 -o nettimeout=1 [...]
> Will (on my system) eventually return:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> real 0m24.039s
> user 0m0.004s
> sys 0m0.007s
> It'll take around 48 seconds if I have two DNS servers. Running strace(1) on it
> reveals that it's sitting in a socket/connect/poll loop trying to lookup the
> hostname of the LDAP server I'm trying to talk to.
> Instead one of these options should limit time spent on DNS lookups, or there
> should be another option, so that you can run ldapsearch with a combination of
> these options and be sure that it'll run in at most the <timeout> you give
The current code in libldap uses gethostbyname() and this API doesn't offer
any parameters for setting a timeout. You can configure a timeout in your
system's /etc/resolv.conf or using RES_OPTIONS environment variable. Read your
system's resolver(5) manpage.
If you know of any widely available resolver API that allows specifying a timeout
on individual queries, you're welcome to submit a patch supporting this feature.
The standard -lresolv doesn't provide such an interface.
That resolv.conf had "options timeout:2". That it didn't kick in is
probably a bug somewhere else, but it would still be handy if
ldapsearch had this itself, since the timeout you use for general
resolutions might not be what you want for ldapsearch.
But implementing that is a mess. This SO post has a summary:
So e.g. there could be a probe for getaddrinfo_a() on GNU systems.
Closing this ITS.
Fair enough, but is that a "we don't want this ever" or "if someone
submitted a patch for (possibly OS-specific) DNS timeout we'd be
> As a workaround I'm using ldapsearch with /usr/bin/timeout,
but since it kills
> it if it exceeds the timeout I don't get a meaningful error.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/