From bd975514dee538bc1402a1f7c8bea9bc56e9241a Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Mon, 12 Dec 2005 15:57:58 +0000
Subject: [PATCH] add (and document) customizable bind-timeout

---
 doc/man/man5/slapd-meta.5           | 161 ++++++++++++++++------------
 servers/slapd/back-meta/back-meta.h |   6 +-
 servers/slapd/back-meta/bind.c      |   6 +-
 servers/slapd/back-meta/config.c    |  38 ++++++-
 servers/slapd/back-meta/init.c      |   2 +
 5 files changed, 134 insertions(+), 79 deletions(-)

diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index e900ea8104..806f130f75 100644
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -90,21 +90,15 @@ This directive can also be used when processing targets to mark a
 specific target as default.
 
 .TP
-.B dncache-ttl {forever|disabled|<ttl>}
+.B dncache-ttl {DISABLED|forever|<ttl>}
 This directive sets the time-to-live of the DN cache.
 This caches the target that holds a given DN to speed up target
 selection in case multiple targets would result from an uncached
 search; forever means cache never expires; disabled means no DN
-caching; otherwise a valid ( > 0 ) ttl in seconds is required.
-
-.TP
-.B nretries {forever|never|<nretries>}
-This directive defines how many times a bind should be retried
-in case of temporary failure in contacting a target.  If defined
-before any target specification, it applies to all targets (by default,
-.BR never );
-the global value can be overridden by redefinitions inside each target
-specification.
+caching; otherwise a valid ( > 0 ) ttl is required, in the format
+illustrated for the 
+.B idle-timeout
+directive.
 
 .TP
 .B onerr {CONTINUE|stop}
@@ -116,6 +110,13 @@ If this statement is set to \fBstop\fP, the search is terminated as soon
 as an error is returned by one target, and the error is immediately 
 propagated to the client.
 
+.TP
+.B pseudoroot-bind-defer {NO|yes}
+This directive, when set to 
+.BR yes ,
+causes the authentication to the remote servers with the pseudo-root
+identity to be deferred until actually needed by subsequent operations.
+
 .TP
 .B rebind-as-user {NO|yes}
 If this option is given, the client's bind credentials are remembered
@@ -168,14 +169,6 @@ causes \fIl2.foo.com\fP to be contacted whenever \fIl1.foo.com\fP
 does not respond.
 .RE
 
-.TP
-.B default-target [<target>]
-The "default-target" directive can also be used during target specification.
-With no arguments it marks the current target as the default.
-The optional number marks target <target> as the default one, starting
-from 1.
-Target <target> must be defined.
-
 .TP
 .B acl-authcDN "<administrative DN for access control purposes>"
 DN which is used to query the target server for acl checking,
@@ -193,6 +186,20 @@ Password used with the
 acl-authcDN
 above.
 
+.TP
+.B bind-timeout <microseconds>
+This directive defines the timeout, in microseconds, used when polling
+for response after an asynchronous bind connection.  The initial call
+to ldap_result(3) is performed with a trade-off timeout of 100000 us;
+if that results in a timeout exceeded, subsequent calls use the value
+provided with
+.BR bind-timeout .
+The default value is used also for subsequent calls if
+.B bind-timeout
+is not specified.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
+
 .TP
 .B chase-referrals {YES|no}
 enable/disable automatic referral chasing, which is delegated to the
@@ -202,48 +209,41 @@ If set before any target specification, it affects all targets, unless
 overridden by any per-target directive.
 
 .TP
-.B tls {[try-]start|[try-]propagate}
-execute the start TLS extended operation when the connection is initialized;
-only works if the URI directive protocol scheme is not \fBldaps://\fP.
-\fBpropagate\fP issues the Start TLS exop only if the original
-connection did.
-The \fBtry-\fP prefix instructs the proxy to continue operations
-if start TLS failed; its use is highly deprecated.
-If set before any target specification, it affects all targets, unless
-overridden by any per-target directive.
+.B default-target [<target>]
+The "default-target" directive can also be used during target specification.
+With no arguments it marks the current target as the default.
+The optional number marks target <target> as the default one, starting
+from 1.
+Target <target> must be defined.
 
 .TP
-.B t-f-support {NO|yes|discover}
-enable if the remote server supports absolute filters
-(see \fIdraft-zeilenga-ldap-t-f\fP for details).
-If set to
-.BR discover ,
-support is detected by reading the remote server's root DSE.
+.B idle-timeout <time>
+This directive causes a cached connection to be dropped an recreated
+after it has been idle for the specified time.
+The value can be specified as
+
+[<d>d][<h>h][<m>m][<s>[s]]
+
+where <d>, <h>, <m> and <s> are respectively treated as days, hours, 
+minutes and seconds.
 If set before any target specification, it affects all targets, unless
 overridden by any per-target directive.
 
 .TP
-.B timeout [{add|delete|modify|modrdn}=]<val> [...]
-This directive allows to set per-database, per-target and per-operation
-timeouts.
-If no operation is specified, it affects all.
-Currently, only write operations are addressed, because searches
-can already be limited by means of the
-.B limits
-directive (see 
-.BR slapd.conf (5)
-for details), and other operations are not supposed to incur into the
-need for timeouts.
-Note: if the timelimit is exceeded, the operation is abandoned;
-the protocol does not provide any means to rollback the operation,
-so the client will not know if the operation eventually succeeded or not.
-If set before any target specification, it affects all targets, unless
-overridden by any per-target directive.
+.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
+This maps object classes and attributes as in the LDAP backend.
+See
+.BR slapd-ldap (5).
 
 .TP
-.B idle-timeout <time>
-This directive causes a cached connection to be dropped an recreated
-after it has been idle for the specified time.
+.B nretries {forever|never|<nretries>}
+This directive defines how many times a bind should be retried
+in case of temporary failure in contacting a target.  If defined
+before any target specification, it applies to all targets (by default,
+.BR 3
+times);
+the global value can be overridden by redefinitions inside each target
+specification.
 
 .TP
 .B pseudorootdn "<substitute DN in case of rootdn bind>"
@@ -261,13 +261,6 @@ the target using the "pseudorootdn" DN.
 Note: cleartext credentials must be supplied here; as a consequence,
 using the pseudorootdn/pseudorootpw directives is inherently unsafe.
 
-.TP
-.B pseudoroot-bind-defer {NO|yes}
-This directive, when set to 
-.BR yes ,
-causes the authentication to the remote servers with the pseudo-root
-identity to be deferred until actually needed by subsequent operations.
-
 .TP
 .B rewrite* ...
 The rewrite options are described in the "REWRITING" section.
@@ -284,18 +277,46 @@ when simple suffix massage is required, it has been preserved.
 It wraps the basic rewriting instructions that perform suffix
 massaging.  See the "REWRITING" section for a detailed list 
 of the rewrite rules it implies.
-.LP
-Note: this also fixes a flaw in suffix massaging, which operated
-on (case insensitive) DNs instead of normalized DNs,
-so "dc=foo, dc=com" would not match "dc=foo,dc=com".
-.LP
-See the "REWRITING" section.
 
 .TP
-.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
-This maps object classes and attributes as in the LDAP backend.
-See
-.BR slapd-ldap (5).
+.B t-f-support {NO|yes|discover}
+enable if the remote server supports absolute filters
+(see \fIdraft-zeilenga-ldap-t-f\fP for details).
+If set to
+.BR discover ,
+support is detected by reading the remote server's root DSE.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
+
+.TP
+.B timeout [{add|delete|modify|modrdn}=]<seconds> [...]
+This directive allows to set per-database, per-target and per-operation
+timeouts.
+If no operation is specified, it affects all.
+Currently, only write operations are addressed, because searches
+can already be limited by means of the
+.B limits
+directive (see 
+.BR slapd.conf (5)
+for details), and other operations are not supposed to incur into the
+need for timeouts.
+Note: if the timelimit is exceeded, the operation is abandoned;
+the protocol does not provide any means to rollback the operation,
+so the client will not know if the operation eventually succeeded or not.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
+
+.TP
+.B tls {[try-]start|[try-]propagate}
+execute the start TLS extended operation when the connection is initialized;
+only works if the URI directive protocol scheme is not \fBldaps://\fP.
+\fBpropagate\fP issues the Start TLS exop only if the original
+connection did.
+The \fBtry-\fP prefix instructs the proxy to continue operations
+if start TLS failed; its use is highly deprecated.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
+
 .SH SCENARIOS
 A powerful (and in some sense dangerous) rewrite engine has been added
 to both the LDAP and Meta backends.
diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h
index 2a260e21f8..a6fbdfa925 100644
--- a/servers/slapd/back-meta/back-meta.h
+++ b/servers/slapd/back-meta/back-meta.h
@@ -82,9 +82,6 @@ typedef struct dncookie {
 #endif
 } dncookie;
 
-/* TODO: allow to define it on a per-target basis */
-#define META_BIND_TIMEOUT	10000
-
 int ldap_back_dn_massage(dncookie *dc, struct berval *dn,
 	struct berval *res);
 
@@ -232,6 +229,8 @@ typedef struct metatarget_t {
 	int			mt_version;
 	time_t			mt_network_timeout;
 	time_t			mt_idle_timeout;
+	struct timeval		mt_bind_timeout;
+#define META_BIND_TIMEOUT	10000
 	time_t			mt_timeout[ LDAP_BACK_OP_LAST ];
 } metatarget_t;
 
@@ -276,6 +275,7 @@ typedef struct metainfo_t {
 	int			mi_version;
 	time_t			mi_network_timeout;
 	time_t			mi_idle_timeout;
+	struct timeval		mi_bind_timeout;
 	time_t			mi_timeout[ LDAP_BACK_OP_LAST ];
 } metainfo_t;
 
diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c
index 158e862b10..88c9a722f1 100644
--- a/servers/slapd/back-meta/bind.c
+++ b/servers/slapd/back-meta/bind.c
@@ -342,8 +342,7 @@ rebind:;
 		 * handle response!!!
 		 */
 retry:;
-		tv.tv_sec = 0;
-		tv.tv_usec = META_BIND_TIMEOUT;
+		tv = mt->mt_bind_timeout;
 		switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) {
 		case 0:
 			snprintf( buf, sizeof( buf ),
@@ -499,8 +498,7 @@ rebind:;
 		 * handle response!!!
 		 */
 retry:;
-		tv.tv_sec = 0;
-		tv.tv_usec = META_BIND_TIMEOUT;
+		tv = mt->mt_bind_timeout;
 		switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) {
 		case 0:
 			snprintf( buf, sizeof( buf ),
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index 9e50749618..811154523b 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -157,9 +157,9 @@ meta_back_db_config(
 		mi->mi_targets[ i ].mt_nretries = mi->mi_nretries;
 		mi->mi_targets[ i ].mt_flags = mi->mi_flags;
 		mi->mi_targets[ i ].mt_version = mi->mi_version;
-		mi->mi_targets[ i ].mt_idle_timeout = mi->mi_idle_timeout;
 		mi->mi_targets[ i ].mt_network_timeout = mi->mi_network_timeout;
-
+		mi->mi_targets[ i ].mt_idle_timeout = mi->mi_idle_timeout;
+		mi->mi_targets[ i ].mt_bind_timeout = mi->mi_bind_timeout;
 		for ( c = 0; c < LDAP_BACK_OP_LAST; c++ ) {
 			mi->mi_targets[ i ].mt_timeout[ c ] = mi->mi_timeout[ c ];
 		}
@@ -402,6 +402,40 @@ meta_back_db_config(
 
 		*tp = (time_t)t;
 
+	/* bind timeout when connecting to ldap servers */
+	} else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
+		int 		i = mi->mi_ntargets - 1;
+		unsigned long	t;
+		struct timeval	*tp = mi->mi_ntargets ?
+				&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_bind_timeout
+				: &mi->mi_bind_timeout;
+
+		switch ( argc ) {
+		case 1:
+			Debug( LDAP_DEBUG_ANY,
+	"%s: line %d: missing timeout value in \"bind-timeout <microseconds>\" line\n",
+				fname, lineno, 0 );
+			return 1;
+		case 2:
+			break;
+		default:
+			Debug( LDAP_DEBUG_ANY,
+	"%s: line %d: extra cruft after timeout value in \"bind-timeout <microseconds>\" line\n",
+				fname, lineno, 0 );
+			return 1;
+		}
+
+		if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) {
+			Debug( LDAP_DEBUG_ANY,
+	"%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout <microseconds>\" line\n",
+				fname, lineno, argv[ 1 ] );
+			return 1;
+
+		}
+
+		tp->tv_sec = t/1000000;
+		tp->tv_usec = t%1000000;
+
 	/* name to use for meta_back_group */
 	} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
 			|| strcasecmp( argv[ 0 ], "binddn" ) == 0 )
diff --git a/servers/slapd/back-meta/init.c b/servers/slapd/back-meta/init.c
index 627a26c27b..181fec29c4 100644
--- a/servers/slapd/back-meta/init.c
+++ b/servers/slapd/back-meta/init.c
@@ -87,6 +87,8 @@ meta_back_db_init(
 	 * this may change
 	 */
 	mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
+	mi->mi_bind_timeout.tv_sec = 0;
+	mi->mi_bind_timeout.tv_usec = META_BIND_TIMEOUT;
 
 	ldap_pvt_thread_mutex_init( &mi->mi_conninfo.lai_mutex );
 	ldap_pvt_thread_mutex_init( &mi->mi_cache.mutex );
-- 
2.39.5