
Commit c4bf15b

committed
Fix timeout in LDAP lookup of libpq connection parameters
Bind attempts to an LDAP server should time out after two seconds, allowing additional lines in the service control file to be parsed (which provide a fallback to a secondary LDAP server or default options). The existing code failed to enforce that timeout during TCP connect, resulting in a hang far longer than two seconds if the LDAP server does not respond.

Laurenz Albe
1 parent bed499e commit c4bf15b


1 file changed

+39
-7
lines changed


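--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -3513,12 +3513,37 @@ ldapServiceLookup(const char *purl, PQconninfoOption *options,
 }
 
 /*
-* Initialize connection to the server. We do an explicit bind because we
-* want to return 2 if the bind fails.
+* Perform an explicit anonymous bind.
+* LDAP does not require that an anonymous bind is preformed explicitly,
+* but we want to distinguish between the case where LDAP bind does not
+* succeed within PGLDAP_TIMEOUT seconds (return 2 to continue parsing
+* the service control file) and the case where querying the LDAP server
+* fails (return 1 to end parsing).
+* Unfortunately there is no way of setting a timeout that works for
+* both Windows and OpenLDAP.
 */
+#ifdef WIN32
+/* the nonstandard ldap_connect function performs an anonymous bind */
+if (ldap_connect(ld, &time) != LDAP_SUCCESS)
+{
+/* error or timeout in ldap_connect */
+free(url);
+ldap_unbind(ld);
+return 2;
+}
+#else /* WIN32 */
+/* in OpenLDAP, use the LDAP_OPT_NETWORK_TIMEOUT option */
+if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &time) != LDAP_SUCCESS)
+{
+free(url);
+ldap_unbind(ld);
+return 3;
+}
+
+/* anonymous bind */
 if ((msgid = ldap_simple_bind(ld, NULL, NULL)) == -1)
 {
-/* error in ldap_simple_bind() */
+/* error or network timeout */
 free(url);
 ldap_unbind(ld);
 return 2;
@@ -3529,18 +3554,25 @@ ldapServiceLookup(const char *purl, PQconninfoOption *options,
 if ((rc = ldap_result(ld, msgid, LDAP_MSG_ALL, &time, &res)) == -1 ||
 res == NULL)
 {
+/* error or timeout */
 if (res != NULL)
-{
-/* timeout */
 ldap_msgfree(res);
-}
-/* error in ldap_result() */
 free(url);
 ldap_unbind(ld);
 return 2;
 }
 ldap_msgfree(res);
 
+/* reset timeout */
+time.tv_sec = -1;
+if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &time) != LDAP_SUCCESS)
+{
+free(url);
+ldap_unbind(ld);
+return 3;
+}
+#endif /* WIN32 */
+
 /* search */
 res = NULL;
 if ((rc = ldap_search_st(ld, dn, scope, filter, attrs, 0, &time, &res))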
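Review bot: On the non-Windows path, the reset `time.tv_sec = -1;` in the second hunk leaves `time` negative, and the same struct is then passed as the timeout to `ldap_search_st(...)` on the last context line. The search therefore no longer runs with the value `time` held for the bind, which the header comment suggests is PGLDAP_TIMEOUT, although the assignment is outside the hunks. How the library treats a negative `tv_sec` there is not visible from this page, but it is not the two-second bound this commit is about, so a server that completes the bind and then stalls may still block the caller. Either use a separate `struct timeval` for the reset call to `ldap_set_option`, or restore the value before `#endif` with `time.tv_sec = PGLDAP_TIMEOUT;`. The header comment explains return codes 1 and 2 but not the new `return 3` paths, which deserve a line there too. ldapServiceLookup starts and ends outside the hunks.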
