
Commit 96752b0

committed
Fix timeout in LDAP lookup of libpq connection parameters
Bind attempts to an LDAP server should time out after two seconds, allowing additional lines in the service control file to be parsed (which provide a fall back to a secondary LDAP server or default options). The existing code failed to enforce that timeout during TCP connect, resulting in a hang far longer than two seconds if the LDAP server does not respond. Laurenz Albe
1 parent a86b2da commit 96752b0


1 file changed

+39
-7
lines changed


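--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -3282,12 +3282,37 @@ ldapServiceLookup(const char *purl, PQconninfoOption *options,
 }
 
 /*
-* Initialize connection to the server. We do an explicit bind because we
-* want to return 2 if the bind fails.
+* Perform an explicit anonymous bind.
+* LDAP does not require that an anonymous bind is preformed explicitly,
+* but we want to distinguish between the case where LDAP bind does not
+* succeed within PGLDAP_TIMEOUT seconds (return 2 to continue parsing
+* the service control file) and the case where querying the LDAP server
+* fails (return 1 to end parsing).
+* Unfortunately there is no way of setting a timeout that works for
+* both Windows and OpenLDAP.
 */
+#ifdef WIN32
+/* the nonstandard ldap_connect function performs an anonymous bind */
+if (ldap_connect(ld, &time) != LDAP_SUCCESS)
+{
+/* error or timeout in ldap_connect */
+free(url);
+ldap_unbind(ld);
+return 2;
+}
+#else /* WIN32 */
+/* in OpenLDAP, use the LDAP_OPT_NETWORK_TIMEOUT option */
+if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &time) != LDAP_SUCCESS)
+{
+free(url);
+ldap_unbind(ld);
+return 3;
+}
+
+/* anonymous bind */
 if ((msgid = ldap_simple_bind(ld, NULL, NULL)) == -1)
 {
-/* error in ldap_simple_bind() */
+/* error or network timeout */
 free(url);
 ldap_unbind(ld);
 return 2;
@@ -3298,18 +3323,25 @@ ldapServiceLookup(const char *purl, PQconninfoOption *options,
 if ((rc = ldap_result(ld, msgid, LDAP_MSG_ALL, &time, &res)) == -1 ||
 res == NULL)
 {
+/* error or timeout */
 if (res != NULL)
-{
-/* timeout */
 ldap_msgfree(res);
-}
-/* error in ldap_result() */
 free(url);
 ldap_unbind(ld);
 return 2;
 }
 ldap_msgfree(res);
 
+/* reset timeout */
+time.tv_sec = -1;
+if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &time) != LDAP_SUCCESS)
+{
+free(url);
+ldap_unbind(ld);
+return 3;
+}
+#endif /* WIN32 */
+
 /* search */
 res = NULL;
 if ((rc = ldap_search_st(ld, dn, scope, filter, attrs, 0, &time, &res))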
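Review bot: On the OpenLDAP branch, `time.tv_sec = -1;` (new line 3336) overwrites the same `struct timeval` that is handed to `ldap_search_st(..., &time, &res)` right after `#endif`, so the search no longer runs with the timeout the bind used (presumably PGLDAP_TIMEOUT, per the comment). Depending on how the client library treats a negative timeout, the search may wait without bound on a server that accepts the bind and then stalls, or be rejected as a bad parameter; the first case is the same client-side hang this commit sets out to remove. Reset the network timeout through a separate variable, e.g. `struct timeval no_timeout = {-1, 0};` passed to `ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &no_timeout)`, and leave `time` untouched. The declaration of `time` and the rest of ldapServiceLookup lie outside the hunks shown, so confirm nothing restores the value before the search. The block comment also documents return values 2 and 1 but not the two new `return 3` paths.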
