avarab@gmail.com wrote:
Full_Name: Ævar Arnfjörð Bjarmason
Version: 2.4.44-21
OS: CentOS 7.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (5.57.21.154)
On a setup where you have a blackholed DNS server:
$ grep ^name /etc/resolv.conf
nameserver 1.2.3.4
Running e.g.:
$ time ldapsearch -l 2 -o nettimeout=1 [...]
Will (on my system) eventually return:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
real    0m24.039s
user    0m0.004s
sys     0m0.007s
It'll take around 48 seconds if I have two DNS servers. Running strace(1) on it reveals that it's sitting in a socket/connect/poll loop trying to look up the hostname of the LDAP server I'm trying to talk to.
Instead, one of these options should limit time spent on DNS lookups, or there should be another option, so that you can run ldapsearch with a combination of these options and be sure that it'll run in at most the <timeout> you give it.
The current code in libldap uses gethostbyname() and this API doesn't offer any parameters for setting a timeout. You can configure a timeout in your system's /etc/resolv.conf or using the RES_OPTIONS environment variable. Read your system's resolver(5) manpage.
If you know of any widely available resolver API that allows specifying a timeout on individual queries, you're welcome to submit a patch supporting this feature. The standard -lresolv doesn't provide such an interface.
Closing this ITS.
As a workaround I'm using ldapsearch with /usr/bin/timeout, but since it kills it if it exceeds the timeout I don't get a meaningful error.
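As an added example, not part of this ITS thread, the wrapper below combines the resolver options the reply points at (RES_OPTIONS timeout/attempts) with -l, -o nettimeout and /usr/bin/timeout, derives the worst-case bound from the number of nameservers, and turns timeout's exit status 124 into a meaningful diagnostic instead of a silent kill. It assumes glibc resolver semantics and GNU coreutils timeout(1); LDAPSEARCH_CMD is a hypothetical override so the wrapper can be exercised without an LDAP server.

```shell
#!/bin/sh
# Added example (not from the ITS thread): bound the total time an
# ldapsearch(1) run can take, DNS resolution included, and report why it
# was stopped instead of just being killed.
#
# Assumptions: glibc RES_OPTIONS "timeout:N attempts:N" (per nameserver,
# every attempt walks all servers), coreutils timeout(1) exiting 124 on
# expiry, and an ldapsearch honouring -l and -o nettimeout=.
# LDAPSEARCH_CMD is a hypothetical override (default: ldapsearch).

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Number of "nameserver" lines the resolver will try in turn (at least 1).
nameserver_count() {
    n=$(grep -c '^nameserver' "$1" 2>/dev/null || true)
    [ "${n:-0}" -gt 0 ] && echo "$n" || echo 1
}

# Approximate worst case for resolution alone: TIMEOUT seconds per query,
# ATTEMPTS rounds, each round visiting every one of NSERVERS servers.
dns_bound() {  # dns_bound TIMEOUT ATTEMPTS NSERVERS
    echo $(( $1 * $2 * $3 ))
}

# bounded_ldapsearch DNS_TIMEOUT DNS_ATTEMPTS NET_TIMEOUT SEARCH_LIMIT [args...]
# Returns ldapsearch's own status, or 124 plus a diagnostic on stderr when
# the computed bound was exceeded.
bounded_ldapsearch() {
    dns_t=$1; dns_a=$2; net_t=$3; limit=$4; shift 4
    ns=$(nameserver_count "$RESOLV_CONF")
    # resolution + TCP connect + the search itself + one second of slack
    bound=$(( $(dns_bound "$dns_t" "$dns_a" "$ns") + net_t + limit + 1 ))
    RES_OPTIONS="timeout:$dns_t attempts:$dns_a" \
        timeout "$bound" "${LDAPSEARCH_CMD:-ldapsearch}" \
            -l "$limit" -o nettimeout="$net_t" "$@"
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "ldapsearch exceeded ${bound}s (dns ${dns_t}s x ${dns_a} attempts" \
             "x ${ns} servers, nettimeout ${net_t}s, limit ${limit}s)" >&2
    fi
    return "$rc"
}
```

Because the wrapper returns 124 only for its own bound and passes every other ldapsearch status through unchanged, callers can still distinguish "resolver or network never answered" from a real LDAP error.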