#5862 ipaldap.py: do_simple_bind() ignores timeout
Opened 3 years ago by stlaz. Modified 6 months ago

When trying to bind to an offline IPA server, do_simple_bind() hangs the process for a lot longer than the given timeout.

Steps to reproduce (example):

ipa-csreplica-manage list --host=offline.replica.xy -p dirman_password

Current result:
Hangs for 5+ minutes

Expected result:
Fail with "Timeout exceeded" after "DEFAULT_TIMEOUT" (10) seconds.

Possible cause:
ipapython/ipaldap.py: the connection attribute (conn) of the LDAPClient class never receives timeout information. This makes the LDAP actions on this connection last the default time of the python-ldap library, which is usually much more than the timeout passed to do_simple_bind().

The cause is not known.

This ticket is out of scope of 4.4.0 release. Moving to 4.4.1. Note that 4.4.1 needs to be triaged, therefore not everything will be implemented.

Moving to next major version. Fixing this bug is not critical in stabilization release.

Metadata Update from @stlaz:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

2 years ago

Metadata Update from @pvoborni:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

a year ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

FTR I can't reproduce this with an offline server. If I firewall port 636 I can reproduce it.

What is needed is a call like:

self.conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 10.0)

The trickier part will be whether we want this as a default, how configurable, etc.
