Frank Cusack wrote:
Oh, in that case I am definitely missing a lot. Since my understanding
of the timeout value passed to ldap_sasl_bind() is that it is a *bind*
timeout, which I assumed would be because some artibrary SASL mechanism
might take some arbitrarily long amount of time. If there is no bind
timeout, then why is LDAP_OPT_NETWORK_TIMEOUT implemented? The timeout
passed to ldap_sasl_bind() should just be the connect() timeout then.
ldap_sasl_bind() cannot be passed any timeout. What timeout are you
> ldap_initialize() doesn't actually establish any
> it just sets up the handler, and the connection is established by the
> first operation that requires it. the asynchronous bind, muck like any
> other asynchronous operation, simply returns after sending the packet(s)
> containing the request.
That much I do understand. (Although I thought the async bind()
weren't actually implemented async.)
> But, of course, the first of them requires the
> connection to be established, and that's where LDAP_OPT_NETWORK_TIMEOUT
> comes into play. Doing a really asynchronous connect() implies
> some sort of LDAP_X_INPROGRESS, keeping track of the status of the
> connection and polling it for response for each subsequent call until
> connection is established before actually sending any request. In this
> sense the change should be intrusive: in this design, client code should
> be able to handle the LDAP_X_INPROGRESS return code and resubmit the
> request until the connection is ready. A "smarter" design would cache
> the request, poll for connect() response during calls to ldap_result(),
> and submit the actual request when the connection is established.
Sure, I understand that also (now).
What I'm saying is that most folks probably don't really need an async
connect(), they just need a non-blocking one that returns in some known
amount of time. LDAP_OPT_NETWORK_TIMEOUT doesn't do that, since it
only controls the connect() part, and not the subsequent bind (important
since you can only get to connect() via the ldap_bind() or other
there is no ldap_connect() and ldap_open() is deprecated). But a new
LDAP_OPT_CONNECT_BIND_TIMEOUT option could do it.
I must disagree with the above.
As far as I understand.
LDAP_OPT_NETWORK_TIMEOUT does what you expect: it makes connect() time
out as required. ldap_sasl_bind() should return as soon as the packet
with the request has been sent, and the rest of the timeout policy for
the bind only part should be dealt with by the client using the
ldap_result() timeout arg as appropriate. I've recently tested that
behavior for customers who wanted some certain timelimit on all
operations, not just searches, and that required some extensive
modifications to the proxy backends, but the client library (libldap)
was not touched at all. In that case, the code basically uses
ldap_sasl_bind() to wrap simple binds (that's what the proxy backends
mostly do), and using LDAP_OPT_NETWORK_TIMEOUT makes it work as
expected. I can't speak for truly SASL bind as I didn't experiment
timeouts with that.
Ing. Pierangelo Masarati
OpenLDAP Core Team
Via Dossi, 8 - 27100 Pavia - ITALIA