add (and document) customizable bind-timeout
parent
361a97108b
commit
bd975514de
@ -90,21 +90,15 @@ This directive can also be used when processing targets to mark a
|
||||
specific target as default.
|
||||
|
||||
.TP
|
||||
.B dncache-ttl {forever|disabled|<ttl>}
|
||||
.B dncache-ttl {DISABLED|forever|<ttl>}
|
||||
This directive sets the time-to-live of the DN cache.
|
||||
This caches the target that holds a given DN to speed up target
|
||||
selection in case multiple targets would result from an uncached
|
||||
search; forever means cache never expires; disabled means no DN
|
||||
caching; otherwise a valid ( > 0 ) ttl in seconds is required.
|
||||
|
||||
.TP
|
||||
.B nretries {forever|never|<nretries>}
|
||||
This directive defines how many times a bind should be retried
|
||||
in case of temporary failure in contacting a target. If defined
|
||||
before any target specification, it applies to all targets (by default,
|
||||
.BR never );
|
||||
the global value can be overridden by redefinitions inside each target
|
||||
specification.
|
||||
caching; otherwise a valid ( > 0 ) ttl is required, in the format
|
||||
illustrated for the
|
||||
.B idle-timeout
|
||||
directive.
|
||||
|
||||
.TP
|
||||
.B onerr {CONTINUE|stop}
|
||||
@ -116,6 +110,13 @@ If this statement is set to \fBstop\fP, the search is terminated as soon
|
||||
as an error is returned by one target, and the error is immediately
|
||||
propagated to the client.
|
||||
|
||||
.TP
|
||||
.B pseudoroot-bind-defer {NO|yes}
|
||||
This directive, when set to
|
||||
.BR yes ,
|
||||
causes the authentication to the remote servers with the pseudo-root
|
||||
identity to be deferred until actually needed by subsequent operations.
|
||||
|
||||
.TP
|
||||
.B rebind-as-user {NO|yes}
|
||||
If this option is given, the client's bind credentials are remembered
|
||||
@ -168,14 +169,6 @@ causes \fIl2.foo.com\fP to be contacted whenever \fIl1.foo.com\fP
|
||||
does not respond.
|
||||
.RE
|
||||
|
||||
.TP
|
||||
.B default-target [<target>]
|
||||
The "default-target" directive can also be used during target specification.
|
||||
With no arguments it marks the current target as the default.
|
||||
The optional number marks target <target> as the default one, starting
|
||||
from 1.
|
||||
Target <target> must be defined.
|
||||
|
||||
.TP
|
||||
.B acl-authcDN "<administrative DN for access control purposes>"
|
||||
DN which is used to query the target server for acl checking,
|
||||
@ -193,6 +186,20 @@ Password used with the
|
||||
acl-authcDN
|
||||
above.
|
||||
|
||||
.TP
|
||||
.B bind-timeout <microseconds>
|
||||
This directive defines the timeout, in microseconds, used when polling
|
||||
for response after an asynchronous bind connection. The initial call
|
||||
to ldap_result(3) is performed with a trade-off timeout of 100000 us;
|
||||
if that results in a timeout exceeded, subsequent calls use the value
|
||||
provided with
|
||||
.BR bind-timeout .
|
||||
The default value is used also for subsequent calls if
|
||||
.B bind-timeout
|
||||
is not specified.
|
||||
If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
|
||||
.TP
|
||||
.B chase-referrals {YES|no}
|
||||
enable/disable automatic referral chasing, which is delegated to the
|
||||
@ -202,48 +209,41 @@ If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
|
||||
.TP
|
||||
.B tls {[try-]start|[try-]propagate}
|
||||
execute the start TLS extended operation when the connection is initialized;
|
||||
only works if the URI directive protocol scheme is not \fBldaps://\fP.
|
||||
\fBpropagate\fP issues the Start TLS exop only if the original
|
||||
connection did.
|
||||
The \fBtry-\fP prefix instructs the proxy to continue operations
|
||||
if start TLS failed; its use is highly deprecated.
|
||||
If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
|
||||
.TP
|
||||
.B t-f-support {NO|yes|discover}
|
||||
enable if the remote server supports absolute filters
|
||||
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
|
||||
If set to
|
||||
.BR discover ,
|
||||
support is detected by reading the remote server's root DSE.
|
||||
If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
|
||||
.TP
|
||||
.B timeout [{add|delete|modify|modrdn}=]<val> [...]
|
||||
This directive allows to set per-database, per-target and per-operation
|
||||
timeouts.
|
||||
If no operation is specified, it affects all.
|
||||
Currently, only write operations are addressed, because searches
|
||||
can already be limited by means of the
|
||||
.B limits
|
||||
directive (see
|
||||
.BR slapd.conf (5)
|
||||
for details), and other operations are not supposed to incur into the
|
||||
need for timeouts.
|
||||
Note: if the timelimit is exceeded, the operation is abandoned;
|
||||
the protocol does not provide any means to rollback the operation,
|
||||
so the client will not know if the operation eventually succeeded or not.
|
||||
If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
.B default-target [<target>]
|
||||
The "default-target" directive can also be used during target specification.
|
||||
With no arguments it marks the current target as the default.
|
||||
The optional number marks target <target> as the default one, starting
|
||||
from 1.
|
||||
Target <target> must be defined.
|
||||
|
||||
.TP
|
||||
.B idle-timeout <time>
|
||||
This directive causes a cached connection to be dropped an recreated
|
||||
after it has been idle for the specified time.
|
||||
The value can be specified as
|
||||
|
||||
[<d>d][<h>h][<m>m][<s>[s]]
|
||||
|
||||
where <d>, <h>, <m> and <s> are respectively treated as days, hours,
|
||||
minutes and seconds.
|
||||
If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
|
||||
.TP
|
||||
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
|
||||
This maps object classes and attributes as in the LDAP backend.
|
||||
See
|
||||
.BR slapd-ldap (5).
|
||||
|
||||
.TP
|
||||
.B nretries {forever|never|<nretries>}
|
||||
This directive defines how many times a bind should be retried
|
||||
in case of temporary failure in contacting a target. If defined
|
||||
before any target specification, it applies to all targets (by default,
|
||||
.BR 3
|
||||
times);
|
||||
the global value can be overridden by redefinitions inside each target
|
||||
specification.
|
||||
|
||||
.TP
|
||||
.B pseudorootdn "<substitute DN in case of rootdn bind>"
|
||||
@ -261,13 +261,6 @@ the target using the "pseudorootdn" DN.
|
||||
Note: cleartext credentials must be supplied here; as a consequence,
|
||||
using the pseudorootdn/pseudorootpw directives is inherently unsafe.
|
||||
|
||||
.TP
|
||||
.B pseudoroot-bind-defer {NO|yes}
|
||||
This directive, when set to
|
||||
.BR yes ,
|
||||
causes the authentication to the remote servers with the pseudo-root
|
||||
identity to be deferred until actually needed by subsequent operations.
|
||||
|
||||
.TP
|
||||
.B rewrite* ...
|
||||
The rewrite options are described in the "REWRITING" section.
|
||||
@ -284,18 +277,46 @@ when simple suffix massage is required, it has been preserved.
|
||||
It wraps the basic rewriting instructions that perform suffix
|
||||
massaging. See the "REWRITING" section for a detailed list
|
||||
of the rewrite rules it implies.
|
||||
.LP
|
||||
Note: this also fixes a flaw in suffix massaging, which operated
|
||||
on (case insensitive) DNs instead of normalized DNs,
|
||||
so "dc=foo, dc=com" would not match "dc=foo,dc=com".
|
||||
.LP
|
||||
See the "REWRITING" section.
|
||||
|
||||
.TP
|
||||
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
|
||||
This maps object classes and attributes as in the LDAP backend.
|
||||
See
|
||||
.BR slapd-ldap (5).
|
||||
.B t-f-support {NO|yes|discover}
|
||||
enable if the remote server supports absolute filters
|
||||
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
|
||||
If set to
|
||||
.BR discover ,
|
||||
support is detected by reading the remote server's root DSE.
|
||||
If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
|
||||
.TP
|
||||
.B timeout [{add|delete|modify|modrdn}=]<seconds> [...]
|
||||
This directive allows to set per-database, per-target and per-operation
|
||||
timeouts.
|
||||
If no operation is specified, it affects all.
|
||||
Currently, only write operations are addressed, because searches
|
||||
can already be limited by means of the
|
||||
.B limits
|
||||
directive (see
|
||||
.BR slapd.conf (5)
|
||||
for details), and other operations are not supposed to incur into the
|
||||
need for timeouts.
|
||||
Note: if the timelimit is exceeded, the operation is abandoned;
|
||||
the protocol does not provide any means to rollback the operation,
|
||||
so the client will not know if the operation eventually succeeded or not.
|
||||
If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
|
||||
.TP
|
||||
.B tls {[try-]start|[try-]propagate}
|
||||
execute the start TLS extended operation when the connection is initialized;
|
||||
only works if the URI directive protocol scheme is not \fBldaps://\fP.
|
||||
\fBpropagate\fP issues the Start TLS exop only if the original
|
||||
connection did.
|
||||
The \fBtry-\fP prefix instructs the proxy to continue operations
|
||||
if start TLS failed; its use is highly deprecated.
|
||||
If set before any target specification, it affects all targets, unless
|
||||
overridden by any per-target directive.
|
||||
|
||||
.SH SCENARIOS
|
||||
A powerful (and in some sense dangerous) rewrite engine has been added
|
||||
to both the LDAP and Meta backends.
|
||||
|
@ -82,9 +82,6 @@ typedef struct dncookie {
|
||||
#endif
|
||||
} dncookie;
|
||||
|
||||
/* TODO: allow to define it on a per-target basis */
|
||||
#define META_BIND_TIMEOUT 10000
|
||||
|
||||
int ldap_back_dn_massage(dncookie *dc, struct berval *dn,
|
||||
struct berval *res);
|
||||
|
||||
@ -232,6 +229,8 @@ typedef struct metatarget_t {
|
||||
int mt_version;
|
||||
time_t mt_network_timeout;
|
||||
time_t mt_idle_timeout;
|
||||
struct timeval mt_bind_timeout;
|
||||
#define META_BIND_TIMEOUT 10000
|
||||
time_t mt_timeout[ LDAP_BACK_OP_LAST ];
|
||||
} metatarget_t;
|
||||
|
||||
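Review bot: The `#define META_BIND_TIMEOUT 10000` re-added at L710 sits inside the body of `struct metatarget_t`, between two members, which is legal but easy to overlook when reading the type; it belongs at file scope next to the struct, with its unit stated, e.g. `/* default bind-timeout, in microseconds */`. Its value (10000 µs, i.e. 10 ms) also disagrees with the man-page text this same commit adds at L194, which says the trade-off timeout is 100000 us; the `meta_back_db_init` hunk at L973 uses this define as the global default, so either the define or the man page needs correcting. The hunk at L668–L694 only removes the old file-scope define and its TODO, so the moved constant is the single definition left.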
@ -276,6 +275,7 @@ typedef struct metainfo_t {
|
||||
int mi_version;
|
||||
time_t mi_network_timeout;
|
||||
time_t mi_idle_timeout;
|
||||
struct timeval mi_bind_timeout;
|
||||
time_t mi_timeout[ LDAP_BACK_OP_LAST ];
|
||||
} metainfo_t;
|
||||
|
||||
|
@ -342,8 +342,7 @@ rebind:;
|
||||
* handle response!!!
|
||||
*/
|
||||
retry:;
|
||||
tv.tv_sec = 0;
|
||||
tv.tv_usec = META_BIND_TIMEOUT;
|
||||
tv = mt->mt_bind_timeout;
|
||||
switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) {
|
||||
case 0:
|
||||
snprintf( buf, sizeof( buf ),
|
||||
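Review bot: The man-page text added at L191–L203 says the first ldap_result() call uses a fixed trade-off timeout and only subsequent calls use `bind-timeout`, but the code under `retry:` at L763 loads `mt->mt_bind_timeout` on every pass, including the first one that falls through the label, and nothing in the hunk distinguishes an initial call; unless that initial call lives outside the hunk, either the documentation or this site is inaccurate. The same sequence is at L793 in the second hunk, so the two poll-and-retry blocks are now identical and could share one static helper. A short comment above L763 such as `/* poll with the per-target bind-timeout (bind-timeout directive or global default) */` would also record where the value comes from. Both enclosing functions start and end outside their hunks.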
@ -499,8 +498,7 @@ rebind:;
|
||||
* handle response!!!
|
||||
*/
|
||||
retry:;
|
||||
tv.tv_sec = 0;
|
||||
tv.tv_usec = META_BIND_TIMEOUT;
|
||||
tv = mt->mt_bind_timeout;
|
||||
switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) {
|
||||
case 0:
|
||||
snprintf( buf, sizeof( buf ),
|
||||
|
@ -157,9 +157,9 @@ meta_back_db_config(
|
||||
mi->mi_targets[ i ].mt_nretries = mi->mi_nretries;
|
||||
mi->mi_targets[ i ].mt_flags = mi->mi_flags;
|
||||
mi->mi_targets[ i ].mt_version = mi->mi_version;
|
||||
mi->mi_targets[ i ].mt_idle_timeout = mi->mi_idle_timeout;
|
||||
mi->mi_targets[ i ].mt_network_timeout = mi->mi_network_timeout;
|
||||
|
||||
mi->mi_targets[ i ].mt_idle_timeout = mi->mi_idle_timeout;
|
||||
mi->mi_targets[ i ].mt_bind_timeout = mi->mi_bind_timeout;
|
||||
for ( c = 0; c < LDAP_BACK_OP_LAST; c++ ) {
|
||||
mi->mi_targets[ i ].mt_timeout[ c ] = mi->mi_timeout[ c ];
|
||||
}
|
||||
@ -402,6 +402,40 @@ meta_back_db_config(
|
||||
|
||||
*tp = (time_t)t;
|
||||
|
||||
/* bind timeout when connecting to ldap servers */
|
||||
} else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
|
||||
int i = mi->mi_ntargets - 1;
|
||||
unsigned long t;
|
||||
struct timeval *tp = mi->mi_ntargets ?
|
||||
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_bind_timeout
|
||||
: &mi->mi_bind_timeout;
|
||||
|
||||
switch ( argc ) {
|
||||
case 1:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: missing timeout value in \"bind-timeout <microseconds>\" line\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
case 2:
|
||||
break;
|
||||
default:
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: extra cruft after timeout value in \"bind-timeout <microseconds>\" line\n",
|
||||
fname, lineno, 0 );
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout <microseconds>\" line\n",
|
||||
fname, lineno, argv[ 1 ] );
|
||||
return 1;
|
||||
|
||||
}
|
||||
|
||||
tp->tv_sec = t/1000000;
|
||||
tp->tv_usec = t%1000000;
|
||||
|
||||
/* name to use for meta_back_group */
|
||||
} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
|
||||
|| strcasecmp( argv[ 0 ], "binddn" ) == 0 )
|
||||
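Review bot: `int i = mi->mi_ntargets - 1;` at L857 is never used — the pointer initialiser at L863–L869 recomputes `mi->mi_ntargets - 1` inline — so either drop the declaration or use it, `&mi->mi_targets[ i ].mt_bind_timeout`, as the other per-target directives presumably do. The parser also accepts `bind-timeout 0`, which leaves `*tp` as an all-zero timeval; that value is handed unchanged to ldap_result() at the `retry:` sites (L763, L793), and per ldap_result(3) a zero timeout is a non-blocking poll rather than a wait, so if that is not the intent reject it here the way the missing-value case is handled, e.g. `if ( t == 0 ) { Debug( LDAP_DEBUG_ANY, "%s: line %d: bind-timeout must be > 0\n", fname, lineno, 0 ); return 1; }`. `meta_back_db_config` continues outside the hunk on both sides.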
|
@ -87,6 +87,8 @@ meta_back_db_init(
|
||||
* this may change
|
||||
*/
|
||||
mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
|
||||
mi->mi_bind_timeout.tv_sec = 0;
|
||||
mi->mi_bind_timeout.tv_usec = META_BIND_TIMEOUT;
|
||||
|
||||
ldap_pvt_thread_mutex_init( &mi->mi_conninfo.lai_mutex );
|
||||
ldap_pvt_thread_mutex_init( &mi->mi_cache.mutex );
|
||||
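Review bot: The default at L970–L973 is assembled field by field, while the `bind-timeout` parser at L940–L943 derives both fields from a single microsecond count; if `META_BIND_TIMEOUT` is ever raised to 1000000 or more, `tv_usec` goes out of range here but not there. Either add a comment above L970 stating the constraint, `/* default bind-timeout, in microseconds; must stay below 1000000 or also set tv_sec */`, or compute it the same way as the parser: `mi->mi_bind_timeout.tv_sec = META_BIND_TIMEOUT / 1000000;` and `mi->mi_bind_timeout.tv_usec = META_BIND_TIMEOUT % 1000000;`. `meta_back_db_init` continues outside the hunk.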
|