4f6ca3e9cc
Using an infinite timeout will make libldap use blocking thread for establishing the TLS connection both when using StartTTLS and when using LDAPS. This leaves the LDAP_OPT_NETWORK_TIMEOUT to its default (-1) when using TLS connection. Related: rhbz#1992551 Signed-off-by: Antonio Torres <antorres@redhat.com>
32 lines
1.2 KiB
Diff
32 lines
1.2 KiB
Diff
From: Antonio Torres <antorres@redhat.com>
|
|
Date: Fri, 28 Jan 2022
|
|
Subject: Use infinite timeout when using LDAP+start-TLS
|
|
|
|
This will ensure that the TLS connection to the LDAP server will complete
|
|
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
|
|
the process. Infinite timeout is the OpenLDAP default.
|
|
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
|
|
|
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
|
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
---
|
|
src/modules/rlm_ldap/ldap.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
|
|
index cf7a84e069..841bf888a1 100644
|
|
--- a/src/modules/rlm_ldap/ldap.c
|
|
+++ b/src/modules/rlm_ldap/ldap.c
|
|
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
|
|
}
|
|
|
|
#ifdef LDAP_OPT_NETWORK_TIMEOUT
|
|
- if (inst->net_timeout) {
|
|
+ bool using_tls = inst->start_tls ||
|
|
+ inst->port == 636 ||
|
|
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
|
|
+ if (inst->net_timeout && !using_tls) {
|
|
memset(&tv, 0, sizeof(tv));
|
|
tv.tv_sec = inst->net_timeout;
|
|
|