From be3ee30c68dd9d2e5184da226dfbe66f516a4b92 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 16 Nov 2021 15:01:20 +0100
Subject: [PATCH 83/83] cldap: use dns_resolver_server_timeout timeout for
cldap ping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently the cldap ping is using the ldap_search_timeout since it is
basically an LDAP search operation. However, the default of
ldap_search_timeout is 6s which is quite a long time for the discovery
of the AD DCs, of which the cldap ping is a part. The default even
collides with the default of dns_resolver_timeout which might easily
lead to failures during the discovery phase.
To avoid the addition of a new option this patch is using
dns_resolver_server_timeout, which has a default of 1000ms (1s), as the new
timeout for the cldap ping. Since the original purpose of the timeout is
the waiting time for a reply from a DNS server and both DNS and cldap by
default use UDP I think reusing the option here is justified.
Resolves: https://github.com/SSSD/sssd/issues/5875
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c0941810fc3c3d74a00697349723f14e2f6bbdd2)
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/man/sssd.conf.5.xml | 4 ++++
src/providers/ad/ad_cldap_ping.c | 10 +++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a597828ca..d81ec35a6 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2817,6 +2817,10 @@ pam_p11_allowed_services = +my_pam_service, -login
SSSD would try to talk to DNS server before
trying next DNS server.
</para>
+ <para>
+ The AD provider will use this option for the
+ CLDAP ping timeouts as well.
+ </para>
<para>
Please see the section <quote>FAILOVER</quote>
for more information about the service
diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c
index 91db81bfc..8ae65e8c9 100644
--- a/src/providers/ad/ad_cldap_ping.c
+++ b/src/providers/ad/ad_cldap_ping.c
@@ -39,6 +39,7 @@
struct ad_cldap_ping_dc_state {
struct tevent_context *ev;
struct sdap_options *opts;
+ struct be_resolv_ctx *be_res;
struct fo_server_info *dc;
struct sdap_handle *sh;
const char *ad_domain;
@@ -72,6 +73,7 @@ static struct tevent_req *ad_cldap_ping_dc_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->opts = opts;
+ state->be_res = be_res;
state->dc = dc;
state->ad_domain = ad_domain;
@@ -103,6 +105,7 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq)
char *filter;
int timeout;
errno_t ret;
+ div_t timeout_int;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_cldap_ping_dc_state);
@@ -127,7 +130,12 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq)
goto done;
}
- timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
+ /* DP_RES_OPT_RESOLVER_SERVER_TIMEOUT is in milli-seconds and
+ * sdap_get_generic_send() expects seconds */
+ timeout_int = div(dp_opt_get_int(state->be_res->opts,
+ DP_RES_OPT_RESOLVER_SERVER_TIMEOUT),
+ 1000);
+ timeout = (timeout_int.quot > 0) ? timeout_int.quot : 1;
subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, "",
LDAP_SCOPE_BASE, filter, attrs, NULL,
0, timeout, false);
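Review bot: The `div(..., 1000)` in `timeout_int = div(dp_opt_get_int(...), 1000);` truncates, so a dns_resolver_server_timeout anywhere between 1000 and 1999 ms becomes a 1 s search timeout, and values below 1000 ms are silently raised to 1 s by the clamp on the next line; the effective CLDAP timeout can thus be shorter than the configured DNS value even though the man-page text now says the option is used for the CLDAP ping. Rounding up keeps the ping from being cut shorter than configured: `timeout = timeout_int.quot + (timeout_int.rem > 0 ? 1 : 0);` followed by `if (timeout < 1) timeout = 1;`. A negative or zero option value also lands on the 1 s clamp without any trace; a DEBUG message noting the clamp would help operators diagnosing discovery failures. `state->be_res->opts` is dereferenced without a NULL check and whether the caller guarantees be_res is non-NULL is not visible in this hunk, so confirm or guard it (and that `<stdlib.h>` is included for `div_t`). The enclosing ad_cldap_ping_dc_connect_done continues outside the hunk.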
--
2.26.3