From be3ee30c68dd9d2e5184da226dfbe66f516a4b92 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 16 Nov 2021 15:01:20 +0100
Subject: [PATCH 83/83] cldap: use dns_resolver_server_timeout timeout for
 cldap ping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently the cldap ping is using the ldap_search_timeout since it is
basically a LDAP search operation. However, the default of
ldap_search_timeout is 6s which is quite a long time for the discovery
of the AD DCs where the cldap ping is a part of. The default even
collides which the default of dns_resolver_timeout which might easily
lead to failures during the discovery phase.

To avoid adding a new option, this patch uses
dns_resolver_server_timeout, which has a default of 1000ms (1s), as the
new timeout for the cldap ping. Since the original purpose of the timeout
is the waiting time for a reply from a DNS server, and both DNS and cldap
use UDP by default, I think reusing the option here is justified.

Resolves: https://github.com/SSSD/sssd/issues/5875

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c0941810fc3c3d74a00697349723f14e2f6bbdd2)

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/man/sssd.conf.5.xml          |  4 ++++
 src/providers/ad/ad_cldap_ping.c | 10 +++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a597828ca..d81ec35a6 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2817,6 +2817,10 @@ pam_p11_allowed_services = +my_pam_service, -login
                             SSSD would try to talk to DNS server before
                             trying next DNS server.
                         </para>
+                        <para>
+                                The AD provider will use this option for the
+                                CLDAP ping timeouts as well.
+                        </para>
                         <para>
                             Please see the section <quote>FAILOVER</quote>
                             for more information about the service
diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c
index 91db81bfc..8ae65e8c9 100644
--- a/src/providers/ad/ad_cldap_ping.c
+++ b/src/providers/ad/ad_cldap_ping.c
@@ -39,6 +39,7 @@
 struct ad_cldap_ping_dc_state {
     struct tevent_context *ev;
     struct sdap_options *opts;
+    struct be_resolv_ctx *be_res;
     struct fo_server_info *dc;
     struct sdap_handle *sh;
     const char *ad_domain;
@@ -72,6 +73,7 @@ static struct tevent_req *ad_cldap_ping_dc_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->opts = opts;
+    state->be_res = be_res;
     state->dc = dc;
     state->ad_domain = ad_domain;
 
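Review bot: `state->be_res = be_res;` stores the pointer without any check, and the later hunk in this file dereferences `state->be_res->opts` unconditionally from the connect callback; if any caller of ad_cldap_ping_dc_send can pass a NULL be_res (not visible here), that becomes a crash during DC discovery instead of a reported error. If NULL is not a valid argument, a guard near the top of the function, `if (be_res == NULL) { /* fail the request the same way the other argument checks do */ }`, would make the contract explicit and keep the failure on the normal error path. The body of ad_cldap_ping_dc_send starts and ends outside the hunk.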
@@ -103,6 +105,7 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq)
     char *filter;
     int timeout;
     errno_t ret;
+    div_t timeout_int;
 
     req = tevent_req_callback_data(subreq, struct tevent_req);
     state = tevent_req_data(req, struct ad_cldap_ping_dc_state);
@@ -127,7 +130,12 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq)
         goto done;
     }
 
-    timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
+    /* DP_RES_OPT_RESOLVER_SERVER_TIMEOUT is in milli-seconds and
+     * sdap_get_generic_send() expects seconds */
+    timeout_int = div(dp_opt_get_int(state->be_res->opts,
+                                     DP_RES_OPT_RESOLVER_SERVER_TIMEOUT),
+                      1000);
+    timeout = (timeout_int.quot > 0) ? timeout_int.quot : 1;
     subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, "",
                                    LDAP_SCOPE_BASE, filter, attrs, NULL,
                                    0, timeout, false);
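Review bot: The conversion on the `timeout_int = div(...)` and `timeout = ...` lines truncates the millisecond value toward zero, so any sub-second remainder of dns_resolver_server_timeout is dropped (1999 ms becomes a 1 s search timeout) and the CLDAP ping waits less than the administrator configured; rounding up keeps the ping at least as patient as the option says. Replace the clamp with `timeout = timeout_int.quot + (timeout_int.rem > 0 ? 1 : 0);` followed by `if (timeout < 1) { timeout = 1; }`, which still covers a zero or negative option value. Since the result's rem field would then be the only reason to keep div(), a plain `/` and `%` on the int reads more directly, and `div_t` additionally requires <stdlib.h>, whose inclusion is not visible in this hunk. ad_cldap_ping_dc_connect_done continues outside the hunk.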
-- 
2.26.3