Add new ldap_network_timeout config option

Introduction of PHP 5.3 support with 1.3.x allows setting of LDAP network timeout (LDAP_OPT_NETWORK_TIMEOUT) before binding the server. When the LDAP server is not available with this option set to its default value of 0 (infinite), the system will seem to hang for several minutes, depending on the TCP stack settings, until control is finally returned to Mantis. Setting this option to a low value makes the system more responsive, and also allows automatic and rapid failover to the next available LDAP server when the hostname defined in $g_ldap_server resolves to multiple IP addresses, which are tried in sequence by ldap_bind(). Fixes #12544
mantisbt · Apr 16, 2015 · ca813d8 · ca813d8
1 parent b6abfcb
commit ca813d8
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 1 deletion.
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
@@ -1857,6 +1857,17 @@
  */
 $g_ldap_protocol_version = 0;
 
+/**
+ * Duration of the timeout for TCP connection to the LDAP server (in seconds).
+ * Set this to a low value when the hostname defined in $g_ldap_server resolves
+ * to multiple IP addresses, allowing rapid failover to the next available LDAP
+ * server.
+ * Defaults to 0 (infinite)
+ *
+ * @global int $g_ldap_network_timeout
+ */
+$g_ldap_network_timeout = 0;
+
 /**
  * Determines whether the LDAP library automatically follows referrals returned
  * by LDAP servers or not. This maps to LDAP_OPT_REFERRALS ldap library option.

diff --git a/core/ldap_api.php b/core/ldap_api.php
@@ -64,8 +64,17 @@ function ldap_connect_bind( $p_binddn = '', $p_password = '' ) {
 	$t_ds = @ldap_connect( $t_ldap_server );
 	if( $t_ds !== false && $t_ds > 0 ) {
 		log_event( LOG_LDAP, 'Connection accepted by LDAP server' );
-		$t_protocol_version = config_get( 'ldap_protocol_version' );
 
+		$t_network_timeout = config_get( 'ldap_network_timeout' );
+		if( $t_network_timeout > 0 ) {
+			log_event( LOG_LDAP, "Setting LDAP network timeout to " . $t_network_timeout );
+			$t_result = @ldap_set_option( $t_ds, LDAP_OPT_NETWORK_TIMEOUT, $t_network_timeout );
+			if( !$t_result ) {
+				ldap_log_error( $t_ds );
+			}
+		}
+
+		$t_protocol_version = config_get( 'ldap_protocol_version' );
 		if( $t_protocol_version > 0 ) {
 			log_event( LOG_LDAP, 'Setting LDAP protocol version to ' . $t_protocol_version );
 			$t_result = @ldap_set_option( $t_ds, LDAP_OPT_PROTOCOL_VERSION, $t_protocol_version );

diff --git a/docbook/Admin_Guide/en-US/config/auth.xml b/docbook/Admin_Guide/en-US/config/auth.xml
@@ -141,6 +141,21 @@ ldaps://ldap.example.com:3269/
 				</listitem>
 			</varlistentry>
 
+			<varlistentry>
+				<term>$g_ldap_network_timeout</term>
+
+				<listitem>
+					<para>Duration of the timeout for TCP connection to the
+					LDAP server (in seconds). Defaults to
+					<emphasis>0</emphasis> (infinite).</para>
+
+					<para>Set this to a low value when the hostname defined
+					in $g_ldap_server resolves to multiple IP addresses,
+					allowing rapid failover to the next available LDAP
+					server.</para>
+				</listitem>
+			</varlistentry>
+
 			<varlistentry>
 				<term>$g_ldap_follow_referrals</term>