Commit bd975514 authored by Pierangelo Masarati

add (and document) customizable bind-timeout

parent 361a9710
......@@ -90,21 +90,15 @@ This directive can also be used when processing targets to mark a
specific target as default.
.TP
.B dncache-ttl {forever|disabled|<ttl>}
.B dncache-ttl {DISABLED|forever|<ttl>}
This directive sets the time-to-live of the DN cache.
This caches the target that holds a given DN to speed up target
selection in case multiple targets would result from an uncached
search; forever means cache never expires; disabled means no DN
caching; otherwise a valid ( > 0 ) ttl in seconds is required.
.TP
.B nretries {forever|never|<nretries>}
This directive defines how many times a bind should be retried
in case of temporary failure in contacting a target. If defined
before any target specification, it applies to all targets (by default,
.BR never );
the global value can be overridden by redefinitions inside each target
specification.
caching; otherwise a valid ( > 0 ) ttl is required, in the format
illustrated for the
.B idle-timeout
directive.
.TP
.B onerr {CONTINUE|stop}
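Review bot: the dncache-ttl text now says the ttl is given "in the format illustrated for the idle-timeout directive" ([<d>d][<h>h][<m>m][<s>[s]]) instead of plain seconds, but no change to the dncache-ttl parser appears in this commit; confirm the config code actually accepts that format before documenting it, otherwise keep "in seconds". Also, capitalising DISABLED marks it as the default in this man page's convention, so the sentence "disabled means no DN caching" could say so explicitly.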
......@@ -116,6 +110,13 @@ If this statement is set to \fBstop\fP, the search is terminated as soon
as an error is returned by one target, and the error is immediately
propagated to the client.
.TP
.B pseudoroot-bind-defer {NO|yes}
This directive, when set to
.BR yes ,
causes the authentication to the remote servers with the pseudo-root
identity to be deferred until actually needed by subsequent operations.
.TP
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
......@@ -168,14 +169,6 @@ causes \fIl2.foo.com\fP to be contacted whenever \fIl1.foo.com\fP
does not respond.
.RE
.TP
.B default-target [<target>]
The "default-target" directive can also be used during target specification.
With no arguments it marks the current target as the default.
The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
......@@ -193,6 +186,20 @@ Password used with the
acl-authcDN
above.
.TP
.B bind-timeout <microseconds>
This directive defines the timeout, in microseconds, used when polling
for response after an asynchronous bind connection. The initial call
to ldap_result(3) is performed with a trade-off timeout of 100000 us;
if that results in a timeout exceeded, subsequent calls use the value
provided with
.BR bind-timeout .
The default value is used also for subsequent calls if
.B bind-timeout
is not specified.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B chase-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
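Review bot: the bind-timeout description does not match the code in this same commit. The text says the initial ldap_result(3) call uses a fixed 100000 us and only subsequent calls use bind-timeout, but bind.c assigns `tv = mt->mt_bind_timeout;` at the `retry:` label, so the configured value is used from the very first poll, and the default in back-meta.h is `#define META_BIND_TIMEOUT 10000` (10 ms, not 100 ms). Either reword to "the timeout used for each ldap_result(3) poll; defaults to 10000 us" or change the code to implement the two-phase behaviour described. It would also help to state what a value of 0 means, since the parser in config.c accepts it.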
......@@ -202,48 +209,41 @@ If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B tls {[try-]start|[try-]propagate}
execute the start TLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the Start TLS exop only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if start TLS failed; its use is highly deprecated.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.B default-target [<target>]
The "default-target" directive can also be used during target specification.
With no arguments it marks the current target as the default.
The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
.B t-f-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
.BR discover ,
support is detected by reading the remote server's root DSE.
.B idle-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
The value can be specified as
[<d>d][<h>h][<m>m][<s>[s]]
where <d>, <h>, <m> and <s> are respectively treated as days, hours,
minutes and seconds.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B timeout [{add|delete|modify|modrdn}=]<val> [...]
This directive allows to set per-database, per-target and per-operation
timeouts.
If no operation is specified, it affects all.
Currently, only write operations are addressed, because searches
can already be limited by means of the
.B limits
directive (see
.BR slapd.conf (5)
for details), and other operations are not supposed to incur into the
need for timeouts.
Note: if the timelimit is exceeded, the operation is abandoned;
the protocol does not provide any means to rollback the operation,
so the client will not know if the operation eventually succeeded or not.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
This maps object classes and attributes as in the LDAP backend.
See
.BR slapd-ldap (5).
.TP
.B idle-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
.B nretries {forever|never|<nretries>}
This directive defines how many times a bind should be retried
in case of temporary failure in contacting a target. If defined
before any target specification, it applies to all targets (by default,
.BR 3
times);
the global value can be overridden by redefinitions inside each target
specification.
.TP
.B pseudorootdn "<substitute DN in case of rootdn bind>"
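Review bot: the idle-timeout text moved into this hunk still carries the typo "dropped an recreated" (should be "dropped and recreated"); fix it while the block is being relocated. More importantly, the nretries default changes from "never" to "3 times" in this hunk, which is a behavioural statement with no corresponding code change in this commit and nothing about it in the commit message; confirm that the back-meta default really is 3, or keep "never".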
......@@ -261,13 +261,6 @@ the target using the "pseudorootdn" DN.
Note: cleartext credentials must be supplied here; as a consequence,
using the pseudorootdn/pseudorootpw directives is inherently unsafe.
.TP
.B pseudoroot-bind-defer {NO|yes}
This directive, when set to
.BR yes ,
causes the authentication to the remote servers with the pseudo-root
identity to be deferred until actually needed by subsequent operations.
.TP
.B rewrite* ...
The rewrite options are described in the "REWRITING" section.
......@@ -284,18 +277,46 @@ when simple suffix massage is required, it has been preserved.
It wraps the basic rewriting instructions that perform suffix
massaging. See the "REWRITING" section for a detailed list
of the rewrite rules it implies.
.LP
Note: this also fixes a flaw in suffix massaging, which operated
on (case insensitive) DNs instead of normalized DNs,
so "dc=foo, dc=com" would not match "dc=foo,dc=com".
.LP
See the "REWRITING" section.
.TP
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
This maps object classes and attributes as in the LDAP backend.
See
.BR slapd-ldap (5).
.B t-f-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
.BR discover ,
support is detected by reading the remote server's root DSE.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B timeout [{add|delete|modify|modrdn}=]<seconds> [...]
This directive allows to set per-database, per-target and per-operation
timeouts.
If no operation is specified, it affects all.
Currently, only write operations are addressed, because searches
can already be limited by means of the
.B limits
directive (see
.BR slapd.conf (5)
for details), and other operations are not supposed to incur into the
need for timeouts.
Note: if the timelimit is exceeded, the operation is abandoned;
the protocol does not provide any means to rollback the operation,
so the client will not know if the operation eventually succeeded or not.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B tls {[try-]start|[try-]propagate}
execute the start TLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the Start TLS exop only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if start TLS failed; its use is highly deprecated.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.SH SCENARIOS
A powerful (and in some sense dangerous) rewrite engine has been added
to both the LDAP and Meta backends.
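Review bot: the timeout text carried into this hunk reads awkwardly in two places: "This directive allows to set per-database, per-target and per-operation timeouts" should be "This directive sets per-database, per-target and per-operation timeouts", and "are not supposed to incur into the need for timeouts" should be "are not expected to need timeouts". Renaming the argument from <val> to <seconds> is a good fix, since the abandon-without-rollback note that follows makes the unit matter.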
......
......@@ -82,9 +82,6 @@ typedef struct dncookie {
#endif
} dncookie;
/* TODO: allow to define it on a per-target basis */
#define META_BIND_TIMEOUT 10000
int ldap_back_dn_massage(dncookie *dc, struct berval *dn,
struct berval *res);
......@@ -232,6 +229,8 @@ typedef struct metatarget_t {
int mt_version;
time_t mt_network_timeout;
time_t mt_idle_timeout;
struct timeval mt_bind_timeout;
#define META_BIND_TIMEOUT 10000
time_t mt_timeout[ LDAP_BACK_OP_LAST ];
} metatarget_t;
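Review bot: `#define META_BIND_TIMEOUT 10000` is now placed inside the body of `struct metatarget_t`, between two member declarations. That compiles, but a preprocessor constant inside a struct definition is easy to miss and is not where the backend's other defaults are declared; put it back next to the declarations above the struct (the removed "TODO: allow to define it on a per-target basis" comment can simply go, since the TODO is now done). Note also that 10000 us is the value the man page should quote as the default, not 100000.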
......@@ -276,6 +275,7 @@ typedef struct metainfo_t {
int mi_version;
time_t mi_network_timeout;
time_t mi_idle_timeout;
struct timeval mi_bind_timeout;
time_t mi_timeout[ LDAP_BACK_OP_LAST ];
} metainfo_t;
......
......@@ -342,8 +342,7 @@ rebind:;
* handle response!!!
*/
retry:;
tv.tv_sec = 0;
tv.tv_usec = META_BIND_TIMEOUT;
tv = mt->mt_bind_timeout;
switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) {
case 0:
snprintf( buf, sizeof( buf ),
......@@ -499,8 +498,7 @@ rebind:;
* handle response!!!
*/
retry:;
tv.tv_sec = 0;
tv.tv_usec = META_BIND_TIMEOUT;
tv = mt->mt_bind_timeout;
switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) {
case 0:
snprintf( buf, sizeof( buf ),
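Review bot: this is the second identical `retry:` block in bind.c (the first is in the hunk at line 342); both now copy `mt->mt_bind_timeout` into the local `tv` before calling `ldap_result`, which is the right pattern since `ldap_result` takes a pointer to the timeval, but the duplicated poll-and-switch logic is a drift risk; consider a small helper that both call sites share.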
......
......@@ -157,9 +157,9 @@ meta_back_db_config(
mi->mi_targets[ i ].mt_nretries = mi->mi_nretries;
mi->mi_targets[ i ].mt_flags = mi->mi_flags;
mi->mi_targets[ i ].mt_version = mi->mi_version;
mi->mi_targets[ i ].mt_idle_timeout = mi->mi_idle_timeout;
mi->mi_targets[ i ].mt_network_timeout = mi->mi_network_timeout;
mi->mi_targets[ i ].mt_idle_timeout = mi->mi_idle_timeout;
mi->mi_targets[ i ].mt_bind_timeout = mi->mi_bind_timeout;
for ( c = 0; c < LDAP_BACK_OP_LAST; c++ ) {
mi->mi_targets[ i ].mt_timeout[ c ] = mi->mi_timeout[ c ];
}
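Review bot: the `mt_idle_timeout` and `mt_network_timeout` assignments are swapped in this hunk without any functional reason, which adds noise to the diff and to future blame output; keep the existing order and only add the `mt_bind_timeout` line.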
......@@ -402,6 +402,40 @@ meta_back_db_config(
*tp = (time_t)t;
/* bind timeout when connecting to ldap servers */
} else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
int i = mi->mi_ntargets - 1;
unsigned long t;
struct timeval *tp = mi->mi_ntargets ?
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_bind_timeout
: &mi->mi_bind_timeout;
switch ( argc ) {
case 1:
Debug( LDAP_DEBUG_ANY,
"%s: line %d: missing timeout value in \"bind-timeout <microseconds>\" line\n",
fname, lineno, 0 );
return 1;
case 2:
break;
default:
Debug( LDAP_DEBUG_ANY,
"%s: line %d: extra cruft after timeout value in \"bind-timeout <microseconds>\" line\n",
fname, lineno, 0 );
return 1;
}
if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout <microseconds>\" line\n",
fname, lineno, argv[ 1 ] );
return 1;
}
tp->tv_sec = t/1000000;
tp->tv_usec = t%1000000;
/* name to use for meta_back_group */
} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
|| strcasecmp( argv[ 0 ], "binddn" ) == 0 )
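Review bot: `int i = mi->mi_ntargets - 1;` is declared but never used in this branch (the target index is recomputed inline in the `tp` initialiser), so it will draw an unused-variable warning; drop it. `lutil_atoul` rejects negative input, but "0" parses fine and yields `tv_sec = tv_usec = 0`, i.e. a non-blocking poll that will almost always take the `case 0:` timeout path in bind.c; either reject 0 with an explicit Debug error like the other two, or document that 0 means "do not wait". The three Debug messages otherwise follow the style of the surrounding directives.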
......
......@@ -87,6 +87,8 @@ meta_back_db_init(
* this may change
*/
mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
mi->mi_bind_timeout.tv_sec = 0;
mi->mi_bind_timeout.tv_usec = META_BIND_TIMEOUT;
ldap_pvt_thread_mutex_init( &mi->mi_conninfo.lai_mutex );
ldap_pvt_thread_mutex_init( &mi->mi_cache.mutex );
......