From be3ee30c68dd9d2e5184da226dfbe66f516a4b92 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 16 Nov 2021 15:01:20 +0100 Subject: [PATCH 83/83] cldap: use dns_resolver_server_timeout timeout for cldap ping MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently the cldap ping is using the ldap_search_timeout since it is basically an LDAP search operation. However, the default of ldap_search_timeout is 6s which is quite a long time for the discovery of the AD DCs where the cldap ping is a part of. The default even collides with the default of dns_resolver_timeout which might easily lead to failures during the discovery phase. To avoid the addition of a new option this patch is using dns_resolver_server_timeout, which has a default of 1000ms (1s), as new timeout for the cldap ping. Since the original purpose of the timeout is the waiting time for a reply from a DNS server and both DNS and cldap by default use UDP I think reusing the option here is justified. Resolves: https://github.com/SSSD/sssd/issues/5875 Reviewed-by: Pavel Březina (cherry picked from commit c0941810fc3c3d74a00697349723f14e2f6bbdd2) Reviewed-by: Pavel Březina --- src/man/sssd.conf.5.xml | 4 ++++ src/providers/ad/ad_cldap_ping.c | 10 +++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index a597828ca..d81ec35a6 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -2817,6 +2817,10 @@ pam_p11_allowed_services = +my_pam_service, -login SSSD would try to talk to DNS server before trying next DNS server. + + The AD provider will use this option for the + CLDAP ping timeouts as well. + Please see the section FAILOVER for more information about the service diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c index 91db81bfc..8ae65e8c9 100644 --- a/src/providers/ad/ad_cldap_ping.c +++ b/src/providers/ad/ad_cldap_ping.c 
@@ -39,6 +39,7 @@ struct ad_cldap_ping_dc_state {
 struct tevent_context *ev;
 struct sdap_options *opts;
+ struct be_resolv_ctx *be_res;
 struct fo_server_info *dc;
 struct sdap_handle *sh;
 const char *ad_domain;
@@ -72,6 +73,7 @@ static struct tevent_req *ad_cldap_ping_dc_send(TALLOC_CTX *mem_ctx,
 state->ev = ev;
 state->opts = opts;
+ state->be_res = be_res;
 state->dc = dc;
 state->ad_domain = ad_domain;
@@ -103,6 +105,7 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq)
 char *filter;
 int timeout;
 errno_t ret;
+ div_t timeout_int;
 req = tevent_req_callback_data(subreq, struct tevent_req);
 state = tevent_req_data(req, struct ad_cldap_ping_dc_state);
@@ -127,7 +130,12 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq)
 goto done;
 }
- timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
+ /* DP_RES_OPT_RESOLVER_SERVER_TIMEOUT is in milli-seconds and
+ * sdap_get_generic_send() expects seconds */
+ timeout_int = div(dp_opt_get_int(state->be_res->opts,
+ DP_RES_OPT_RESOLVER_SERVER_TIMEOUT),
+ 1000);
+ timeout = (timeout_int.quot > 0) ? timeout_int.quot : 1;
 subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, "", LDAP_SCOPE_BASE, filter, attrs, NULL, 0, timeout, false);
-- 2.26.3
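Review bot: The millisecond-to-second conversion in the last hunk truncates, so a dns_resolver_server_timeout of, say, 1999 ms gives the CLDAP ping only 1 s while the DNS query it is meant to mirror keeps almost 2 s; rounding up keeps the CLDAP timeout at least as long as the configured value. Replacing the clamp line with `timeout = timeout_int.quot + (timeout_int.rem > 0 ? 1 : 0);` followed by `if (timeout < 1) { timeout = 1; }` does that and still maps a zero or negative (misconfigured) value to 1 s, which is what the current `quot > 0` guard achieves. The comment above the `div()` call should also state that the result is clamped to a minimum of 1 s, since that is not obvious from the option name, and `timeout_int` is a `div_t`, not an int, so a name like `timeout_div` would read better. ad_cldap_ping_dc_connect_done starts and ends outside this hunk.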