From be3ee30c68dd9d2e5184da226dfbe66f516a4b92 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Tue, 16 Nov 2021 15:01:20 +0100

Subject: [PATCH 83/83] cldap: use dns_resolver_server_timeout timeout for

 cldap ping

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Currently the cldap ping is using the ldap_search_timeout since it is

basically a LDAP search operation. However, the default of

ldap_search_timeout is 6s which is quite a long time for the discovery

of the AD DCs where the cldap ping is a part of. The default even

collides which the default of dns_resolver_timeout which might easily

lead to failures during the discovery phase.

To avoid the addition of a new option this patch is using

dns_resolver_server_timeout, which has a default of 1000ms (1s), as new

timeout for the clapd ping. Since the original purpose of the timeout is

the waiting time for a reply from a DNS server and both DNS and cldap by

default use UDP I think reusing the option here is justified.

Resolves: https://github.com/SSSD/sssd/issues/5875

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

(cherry picked from commit c0941810fc3c3d74a00697349723f14e2f6bbdd2)

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/man/sssd.conf.5.xml          |  4 ++++

 src/providers/ad/ad_cldap_ping.c | 10 +++++++++-

 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml

index a597828ca..d81ec35a6 100644

--- a/src/man/sssd.conf.5.xml

+++ b/src/man/sssd.conf.5.xml

@@ -2817,6 +2817,10 @@ pam_p11_allowed_services = +my_pam_service, -login

                             SSSD would try to talk to DNS server before

                             trying next DNS server.

                         </para>

+                        <para>

+                                The AD provider will use this option for the

+                                CLDAP ping timeouts as well.

+                        </para>

                         <para>

                             Please see the section <quote>FAILOVER</quote>

                             for more information about the service

diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c

index 91db81bfc..8ae65e8c9 100644

--- a/src/providers/ad/ad_cldap_ping.c

+++ b/src/providers/ad/ad_cldap_ping.c

@@ -39,6 +39,7 @@

 struct ad_cldap_ping_dc_state {

     struct tevent_context *ev;

     struct sdap_options *opts;

+    struct be_resolv_ctx *be_res;

     struct fo_server_info *dc;

     struct sdap_handle *sh;

     const char *ad_domain;

@@ -72,6 +73,7 @@ static struct tevent_req *ad_cldap_ping_dc_send(TALLOC_CTX *mem_ctx,

     state->ev = ev;

     state->opts = opts;

+    state->be_res = be_res;

     state->dc = dc;

     state->ad_domain = ad_domain;

@@ -103,6 +105,7 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq)

     char *filter;

     int timeout;

     errno_t ret;

+    div_t timeout_int;

     req = tevent_req_callback_data(subreq, struct tevent_req);

     state = tevent_req_data(req, struct ad_cldap_ping_dc_state);

@@ -127,7 +130,12 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq)

         goto done;

     }

-    timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);

+    /* DP_RES_OPT_RESOLVER_SERVER_TIMEOUT is in milli-seconds and

+     * sdap_get_generic_send() expects seconds */

+    timeout_int = div(dp_opt_get_int(state->be_res->opts,

+                                     DP_RES_OPT_RESOLVER_SERVER_TIMEOUT),

+                      1000);

+    timeout = (timeout_int.quot > 0) ? timeout_int.quot : 1;

     subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, "",

                                    LDAP_SCOPE_BASE, filter, attrs, NULL,

                                    0, timeout, false);

-- 

2.26.3