#7217 Significantly reduce the KDC LDAP driver search timeout
Closed: fixed 2 years ago Opened 2 years ago by rcritten.

The KDB search timeout is currently hardcoded to 5 minutes, which is way too long.

We discovered this when investigating some test failure related to kinit failures.

While this value has been 300 seconds since 2011, waiting 5 minutes on a search isn't all that helpful given other operations would have blown up at this point anyway. A 1 minute timeout is likely sufficient.


+1 from me.

It's worth noting for future debugging purposes that the lookup is blocking to the entire KDC - if we ever hit this timeout, it means that the KDC has been wholly unresponsive for the entire interval.

Simo pointed out that 1 min is the AS REQ timeout clients use so perhaps a 30s timeout may even be appropriate.

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7 backlog

2 years ago

Metadata Update from @rcritten:
- Issue priority set to: important

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.7 backlog)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @abbra:
- Issue assigned to abbra

2 years ago

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.6 (was: FreeIPA 4.7.1)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6)

2 years ago

master:

  • 122f968 ipa-kdb: reduce LDAP operations timeout to 30 seconds

ipa-4-6:

  • e0921b4 ipa-kdb: reduce LDAP operations timeout to 30 seconds

ipa-4-7:

  • 86d4b1c ipa-kdb: reduce LDAP operations timeout to 30 seconds

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
