On 06/27/2011 11:58 AM, Howard Chu wrote:
> Thomas Egerer wrote:
>> On 06/24/2011 09:15 PM, Howard Chu wrote:
>>> You appear to be using a very old version of OpenLDAP then.
>> This is correct, I am currently using openldap 2.1.30, still...
>
> You're supposed to provide your version info at the *beginning* of the
> discussion. OpenLDAP 2.1 was obsoleted in 2004.

You're right, my bad. This mail refers to the current git-version of openldap (052ac2f ITS#6828 silence warning in prev commit).

>>> The LDAP_OPT_TIMEOUT setting will timeout any synchronous request, and
>>> has done so since early 2007 at least.
>> ... I cannot confirm this. Even when I use openldap 2.4.23 I can
>> reproduce my DoS-scenario by starting a 'nc -l localhost -p 389' and
>> performing an 'ldapsearch -l 5 -h localhost ...' which ends up in an
>> unresponsive ldapsearch.
>
> The "-l" option to ldapsearch sets the Search Request time limit, which
> is not the same as the API timeout that LDAP_OPT_TIMEOUT controls.

As far as I can tell, the default value controlled by the LDAP_OPT_TIMEOUT option is -1, which means an infinite waiting time. Wouldn't it make sense then to also use the timeout value given by the '-l' option for LDAP_OPT_TIMEOUT, or to introduce a separate option if you do not want to mix the different timeout values? I don't see any way of telling ldapsearch how to use a timeout value for LDAP_OPT_TIMEOUT.

Regards
Thomas
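
The distinction drawn in the thread (the Search Request time limit set by '-l' versus the library-side API timeout LDAP_OPT_TIMEOUT) is also visible in the client configuration: the 2.4-series libldap reads TIMELIMIT, TIMEOUT and NETWORK_TIMEOUT directives from ldap.conf, and accepts the same values through LDAPTIMEOUT / LDAPNETWORK_TIMEOUT / LDAPTIMELIMIT environment variables. The script below is an added example, not part of this thread or of OpenLDAP: it parses two constructed ldap.conf fragments and flags the one that sets only TIMELIMIT, which is the configuration in which a peer that accepts the TCP connection but never answers leaves a synchronous ldapsearch blocked. The fragment contents, the function names and the policy of treating a non-positive value as unset are assumptions made here.

```shell
#!/bin/sh
# Constructed ldap.conf content (not taken from the thread): a search time
# limit is set, but neither client-side timeout is, so a synchronous call
# against a silent peer waits forever.
WEAK_CONF='BASE dc=example,dc=com
URI ldap://ldap.example.com
TIMELIMIT 5'

# The same fragment with both client-side timeouts added.
HARDENED_CONF='BASE dc=example,dc=com
URI ldap://ldap.example.com
TIMELIMIT 5
NETWORK_TIMEOUT 5
TIMEOUT 10'

# conf_get CONTENT KEY -> prints the value of the first matching directive.
# Directive names are matched case-insensitively and '#' lines are skipped,
# mirroring how libldap reads ldap.conf.
conf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        toupper($1) == key { print $2; exit }'
}

# audit_ldap_conf CONTENT -> prints one finding per line; the return status is
# the number of client-side timeouts that are missing or unusable (0 = fine).
audit_ldap_conf() {
    missing=0
    for key in TIMEOUT NETWORK_TIMEOUT; do
        val=$(conf_get "$1" "$key")
        case "$val" in
            ''|*[!0-9]*)
                echo "MISSING $key: synchronous calls can block indefinitely"
                missing=$((missing + 1)) ;;
            0)
                # Assumption for this audit: a zero value is treated as unset.
                echo "WEAK $key=0: not a positive timeout, treated as unset"
                missing=$((missing + 1)) ;;
            *)
                echo "OK $key=$val" ;;
        esac
    done
    limit=$(conf_get "$1" TIMELIMIT)
    if [ -n "$limit" ]; then
        echo "INFO TIMELIMIT=$limit (search time limit sent to the server, not an API timeout)"
    fi
    return "$missing"
}

# Stand-alone run: audit both fragments.
echo "--- weak ---";     audit_ldap_conf "$WEAK_CONF" || echo "findings: $?"
echo "--- hardened ---"; audit_ldap_conf "$HARDENED_CONF" || echo "findings: $?"
```

To apply the same check to a real client, feed it the contents of the file libldap actually reads (the system ldap.conf, the user's ~/.ldaprc, or whatever LDAPCONF points at); the environment variables override the file, so an audit that passes on the file alone can still be undone by an exported LDAPTIMEOUT.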
