ITS#9502 Implement tcp-user-timeout support for back-ldap/(async)meta

91dd4240 · Nadezhda Ivanova · Quanah Gibson-Mount · 32a278d0 · 91dd4240 · 91dd4240
Commit 91dd4240 authored Mar 15, 2021 by Nadezhda Ivanova Committed by Quanah Gibson-Mount Apr 30, 2021
--- a/doc/man/man5/slapd-asyncmeta.5
+++ b/doc/man/man5/slapd-asyncmeta.5
@@ -366,6 +366,14 @@ the
 .B keepalive
 parameter is ignored otherwise, and system-wide settings are used.

+.TP
+.B tcp\-user\-timeout  <milliseconds>
+If non-zero, corresponds to the
+.B TCP_USER_TIMEOUT
+set on the target connections, overriding the operating system setting.
+Only some systems support the customization of this parameter, it is
+ignored otherwise and system-wide settings are used.
+
 .TP
 .B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
 This maps object classes and attributes as in the LDAP backend.

--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -1866,6 +1866,7 @@ FALSE, meaning the contextCSN is stored in the context entry.
 .B [schemachecking=on|off]
 .B [network\-timeout=<seconds>]
 .B [timeout=<seconds>]
+.B [tcp\-user\-timeout=<milliseconds>]
 .B [bindmethod=simple|sasl]
 .B [binddn=<dn>]
 .B [saslmech=<mech>]
@@ -2003,6 +2004,13 @@ parameter determines how long the consumer will wait for the initial
 Bind request to complete. The defaults for these parameters come
 from 
 .BR ldap.conf (5).
+The
+.B tcp\-user\-timeout
+parameter, if non-zero, corresponds to the
+.B TCP_USER_TIMEOUT
+set on the target connections, overriding the operating system setting.
+Only some systems support the customization of this parameter, it is
+ignored otherwise and system-wide settings are used.

 A
 .B bindmethod

--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -442,6 +442,14 @@ the
 .B keepalive
 parameter is ignored otherwise, and system-wide settings are used.

+.TP
+.B tcp\-user\-timeout  <milliseconds>
+If non-zero, corresponds to the
+.B TCP_USER_TIMEOUT
+set on the target connections, overriding the operating system setting.
+Only some systems support the customization of this parameter, it is
+ignored otherwise and system-wide settings are used.
+
 .TP
 .B network\-timeout <time>
 Sets the network timeout value after which

--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -584,6 +584,14 @@ the
 .B keepalive
 parameter is ignored otherwise, and system-wide settings are used.

+.TP
+.B tcp\-user\-timeout  <milliseconds>
+If non-zero, corresponds to the
+.B TCP_USER_TIMEOUT
+set on the target connections, overriding the operating system setting.
+Only some systems support the customization of this parameter, it is
+ignored otherwise and system-wide settings are used.
+
 .TP
 .B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
 This maps object classes and attributes as in the LDAP backend.

--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1799,6 +1799,7 @@ the contextCSN is stored in the context entry.
 .B [schemachecking=on|off]
 .B [network\-timeout=<seconds>]
 .B [timeout=<seconds>]
+.B [tcp\-user\-timeout=<milliseconds>]
 .B [bindmethod=simple|sasl]
 .B [binddn=<dn>]
 .B [saslmech=<mech>]
@@ -1936,6 +1937,13 @@ parameter determines how long the consumer will wait for the initial
 Bind request to complete. The defaults for these parameters come
 from 
 .BR ldap.conf (5).
+The
+.B tcp\-user\-timeout
+parameter, if non-zero, corresponds to the
+.B TCP_USER_TIMEOUT
+set on the target connections, overriding the operating system setting.
+Only some systems support the customization of this parameter, it is
+ignored otherwise and system-wide settings are used.

 A
 .B bindmethod

--- a/servers/slapd/back-asyncmeta/config.c
+++ b/servers/slapd/back-asyncmeta/config.c
@@ -93,6 +93,7 @@ enum {
 	LDAP_BACK_CFG_SUBTREE_IN,
 	LDAP_BACK_CFG_KEEPALIVE,
 	LDAP_BACK_CFG_FILTER,
+	LDAP_BACK_CFG_TCP_USER_TIMEOUT,
 	LDAP_BACK_CFG_LAST
 };

@@ -341,6 +342,15 @@ static ConfigTable a_metacfg[] = {
 			"SINGLE-VALUE )",
 		NULL, NULL },

+	{ "tcp-user-timeout", "milliseconds", 2, 2, 0,
+		ARG_MAGIC|ARG_UINT|LDAP_BACK_CFG_TCP_USER_TIMEOUT,
+		asyncmeta_back_cf_gen, "( OLcfgDbAt:3.30 "
+			"NAME 'olcDbTcpUserTimeout' "
+			"DESC 'TCP User Timeout' "
+			"SYNTAX OMsInteger "
+			"SINGLE-VALUE )",
+		NULL, NULL },
+
 	{ "filter", "pattern", 2, 2, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_FILTER,
 		asyncmeta_back_cf_gen, "( OLcfgDbAt:3.112 "
@@ -434,6 +444,7 @@ static ConfigOCs a_metaocs[] = {
 			"$ olcDbTimeout "
 			"$ olcDbKeepalive "
 			"$ olcDbFilter "
+			"$ olcDbTcpUserTimeout "

 			/* defaults may be inherited */
 			COMMON_ATTRS
@@ -1500,6 +1511,10 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
 				break;
 			}

+		case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+			c->value_uint = mt->mt_tls.sb_tcp_user_timeout;
+			break;
+
 		default:
 			rc = 1;
 		}
@@ -1727,6 +1742,10 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
 			mt->mt_tls.sb_keepalive.sk_interval = 0;
 			break;

+		case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+			mt->mt_tls.sb_tcp_user_timeout = 0;
+			break;
+
 		default:
 			rc = 1;
 			break;
@@ -2391,6 +2410,10 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
 				 &mt->mt_tls.sb_keepalive, 0, 0, 0);
 		break;

+	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+		mt->mt_tls.sb_tcp_user_timeout = c->value_uint;
+		break;
+
 	/* anything else */
 	default:
 		return SLAP_CONF_UNKNOWN;

--- a/servers/slapd/back-asyncmeta/conn.c
+++ b/servers/slapd/back-asyncmeta/conn.c
@@ -214,6 +214,11 @@ asyncmeta_init_one_conn(

 	slap_client_keepalive(msc->msc_ld, &mt->mt_tls.sb_keepalive);

+	if ( mt->mt_tls.sb_tcp_user_timeout > 0 ) {
+		ldap_set_option( msc->msc_ld, LDAP_OPT_TCP_USER_TIMEOUT,
+				 &mt->mt_tls.sb_tcp_user_timeout );
+	}
+
 #ifdef HAVE_TLS
 	{
 		slap_bindconf *sb = NULL;

--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -703,6 +703,11 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
 	/* turn on network keepalive, if configured so */
 	slap_client_keepalive(ld, &li->li_tls.sb_keepalive);

+	if ( li->li_tls.sb_tcp_user_timeout > 0 ) {
+		ldap_set_option( ld, LDAP_OPT_TCP_USER_TIMEOUT,
+				&li->li_tls.sb_tcp_user_timeout );
+	}
+
 #ifdef HAVE_TLS
 	if ( LDAP_BACK_CONN_ISPRIV( lc ) ) {
 		/* See "rationale" comment in ldap_back_getconn() */

--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -67,6 +67,7 @@ enum {
 	LDAP_BACK_CFG_ONERR,

 	LDAP_BACK_CFG_KEEPALIVE,
+	LDAP_BACK_CFG_TCP_USER_TIMEOUT,

 	LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,

@@ -310,6 +311,14 @@ static ConfigTable ldapcfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
+	{ "tcp-user-timeout", "milliseconds", 2, 2, 0,
+		ARG_MAGIC|ARG_UINT|LDAP_BACK_CFG_TCP_USER_TIMEOUT,
+		ldap_back_cf_gen, "( OLcfgDbAt:3.30 "
+			"NAME 'olcDbTcpUserTimeout' "
+			"DESC 'TCP User Timeout' "
+			"SYNTAX OMsInteger "
+			"SINGLE-VALUE )",
+		NULL, NULL },
 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED,
 		NULL, NULL, NULL, NULL }
 };
@@ -1364,6 +1373,10 @@ ldap_back_cf_gen( ConfigArgs *c )
 			break;
 			}

+		case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+			c->value_uint = li->li_tls.sb_tcp_user_timeout;
+			break;
+
 		default:
 			/* FIXME: we need to handle all... */
 			assert( 0 );
@@ -1526,6 +1539,10 @@ ldap_back_cf_gen( ConfigArgs *c )
 			li->li_tls.sb_keepalive.sk_interval = 0;
 			break;

+		case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+			li->li_tls.sb_tcp_user_timeout = 0;
+			break;
+
 		default:
 			/* FIXME: we need to handle all... */
 			assert( 0 );
@@ -2038,7 +2055,11 @@ done_url:;
 		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
 				 &li->li_tls.sb_keepalive, 0, 0, 0);
 		break;
-		
+
+	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+		li->li_tls.sb_tcp_user_timeout = c->value_uint;
+		break;
+
 	default:
 		/* FIXME: try to catch inconsistencies */
 		assert( 0 );

--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -101,6 +101,7 @@ enum {
 	LDAP_BACK_CFG_PSEUDOROOTDN,
 	LDAP_BACK_CFG_PSEUDOROOTPW,
 	LDAP_BACK_CFG_KEEPALIVE,
+	LDAP_BACK_CFG_TCP_USER_TIMEOUT,
 	LDAP_BACK_CFG_FILTER,

 	LDAP_BACK_CFG_LAST
@@ -418,6 +419,15 @@ static ConfigTable metacfg[] = {
 			"SINGLE-VALUE )",
 		NULL, NULL },

+	{ "tcp-user-timeout", "milliseconds", 2, 2, 0,
+               ARG_MAGIC|ARG_UINT|LDAP_BACK_CFG_TCP_USER_TIMEOUT,
+               meta_back_cf_gen, "( OLcfgDbAt:3.30 "
+                       "NAME 'olcDbTcpUserTimeout' "
+                       "DESC 'TCP User Timeout' "
+                       "SYNTAX OMsInteger "
+                       "SINGLE-VALUE )",
+               NULL, NULL },
+
 	{ "filter", "pattern", 2, 2, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_FILTER,
 		meta_back_cf_gen, "( OLcfgDbAt:3.112 "
@@ -485,6 +495,7 @@ static ConfigOCs metaocs[] = {
 			"$ olcDbSubtreeInclude "
 			"$ olcDbTimeout "
 			"$ olcDbKeepalive "
+			"$ olcDbTcpUserTimeout "
 			"$ olcDbFilter "

 			/* defaults may be inherited */
@@ -1605,6 +1616,11 @@ meta_back_cf_gen( ConfigArgs *c )
 				break;
 			}

+		case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+			c->value_uint = mt->mt_tls.sb_tcp_user_timeout;
+			break;
+
+
 		default:
 			rc = 1;
 		}
@@ -1895,6 +1911,10 @@ meta_back_cf_gen( ConfigArgs *c )
 			mt->mt_tls.sb_keepalive.sk_interval = 0;
 			break;

+		case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+			mt->mt_tls.sb_tcp_user_timeout = 0;
+			break;
+
 		default:
 			rc = 1;
 			break;
@@ -2898,6 +2918,10 @@ map_fail:;
 				 &mt->mt_tls.sb_keepalive, 0, 0, 0);
 		break;

+	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+		mt->mt_tls.sb_tcp_user_timeout = c->value_uint;
+		break;
+
 	/* anything else */
 	default:
 		return SLAP_CONF_UNKNOWN;

--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@@ -418,6 +418,13 @@ retry_lock:;

 	slap_client_keepalive(msc->msc_ld, &mt->mt_tls.sb_keepalive);

+	if ( mt->mt_tls.sb_tcp_user_timeout > 0 ) {
+		ldap_set_option( msc->msc_ld, LDAP_OPT_TCP_USER_TIMEOUT,
+				&mt->mt_tls.sb_tcp_user_timeout );
+	}
+
+
+
 #ifdef HAVE_TLS
 	{
 		slap_bindconf *sb = NULL;

--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1530,10 +1530,11 @@ static slap_cf_aux_table bindkey[] = {
 	{ BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 1, NULL },
 	{ BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, (slap_verbmasks *)authzNormalize },
 	{ BER_BVC("keepalive="), offsetof(slap_bindconf, sb_keepalive), 'x', 0, (slap_verbmasks *)slap_keepalive_parse },
+	{ BER_BVC("tcp-user-timeout="), offsetof(slap_bindconf, sb_tcp_user_timeout), 'u', 0, NULL },
 #ifdef HAVE_TLS
-	/* NOTE: replace "13" with the actual index
+	/* NOTE: replace "14" with the actual index
 	 * of the first TLS-related line */
-#define aux_TLS (bindkey+13)	/* beginning of TLS keywords */
+#define aux_TLS (bindkey+14)	/* beginning of TLS keywords */

 	{ BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey },
 	{ BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL },

--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1649,6 +1649,7 @@ typedef struct slap_bindconf {
 	struct berval sb_authcId;
 	struct berval sb_authzId;
 	slap_keepalive sb_keepalive;
+	unsigned int sb_tcp_user_timeout;
 #ifdef HAVE_TLS
 	void *sb_tls_ctx;
 	char *sb_tls_cert;