Bug #69574 ldap connection timeouts not enforced
Submitted: 2015-05-05 13:54 UTC
Modified: 2022-08-11 19:40 UTC
From: ryan dot brothers at gmail dot com
Assigned: mcmic (profile)
Status: Closed
Package: LDAP related
PHP Version: 5.6.8
OS: Linux
Private report: No
CVE-ID: None
 [2015-05-05 13:54 UTC] ryan dot brothers at gmail dot com
Description:
------------
I am trying to simulate a LDAP server timing out.  I'm setting the options LDAP_OPT_NETWORK_TIMEOUT and LDAP_OPT_TIMELIMIT, but the script runs indefinitely without timing out.

In one ssh session, I am running the following command to simulate a socket listener:

nc -l 1234

If I run the below script in a second ssh session, it runs forever and never times out.

Is there a way to have this script timeout after a certain number of seconds?


Test script:
---------------
<?php
$ldap = ldap_connect('127.0.0.1:1234');

ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 3);

ldap_bind($ldap);


Expected result:
----------------
Script times out in 3 seconds.


Actual result:
--------------
Script never times out.


 [2015-09-09 13:47 UTC] mcmic@php.net
I can’t reproduce this, I tried your script, I got «PHP Warning:  ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /tmp/test.php on line 3»
So I replaced the call to ldap_connect by «$ldap = ldap_connect('127.0.0.1:1234');»
I launched «nc -l 1234» in a shell, in another one the PHP script, I only got «PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /tmp/test.php on line 8» immediately, not even after 3 seconds.

Not sure how to test this otherwise…
 [2015-09-09 13:48 UTC] mcmic@php.net
I meant I replaced it by «$ldap = ldap_connect('localhost', 1234);», sorry.
 [2015-09-09 13:51 UTC] mcmic@php.net
Ok, got it, I had to do «nc -l -p 1234» instead of «nc -l 1234».
I can reproduce the bug.
 [2015-09-09 13:51 UTC] mcmic@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mcmic
 [2015-09-09 15:24 UTC] mcmic@php.net
Ok, so the problem is:

LDAP_OPT_TIMELIMIT is only for searches, not bind operations
LDAP_OPT_NETWORK_TIMEOUT is for socket level timeout, in your test there is no such thing as the nc is indeed listening on the socket.

What you need is LDAP_OPT_TIMEOUT from openldap, which is not available yet in PHP.
So I’m gonna add this to php-ldap as it seems useful.
 [2015-09-10 10:00 UTC] mcmic@php.net
-Status: Assigned +Status: Closed
 [2015-09-10 10:00 UTC] mcmic@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I added support for LDAP_OPT_TIMEOUT, please check that it fixes your problem.
 [2022-08-11 18:10 UTC] tanjh58 at hotmail dot com
This doesn't work for ldaps protocol. Here is my code: 

<?php
$ldap = ldap_connect('ldaps://127.0.0.1:636');

ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMEOUT, 3);

ldap_bind($ldap);
?>

This never times out.
 [2022-08-11 18:38 UTC] requinix@php.net
-Summary: ldap timeouts not enforced +Summary: ldap connection timeouts not enforced
 [2022-08-11 18:38 UTC] requinix@php.net
Connection timeouts must be set before connecting. Set LDAP_OPT_NETWORK_TIMEOUT globally before calling ldap_connect() by passing null in place of a connection.


ldap_set_option(null, LDAP_OPT_NETWORK_TIMEOUT, 3);
ldap_connect('127.0.0.1:1234');


Meanwhile ldap_bind() is something else.
 [2022-08-11 19:40 UTC] heiglandreas@php.net
As ldap_connect doesn't actually "connect", the logic is quite flawed here as the first command actually connecting to the server in the example is the ldap_bind.

But in the end that's nitpicking. The TIMEOUT needs to be set before the ldap_connect, so the ldap_set_option gets NULL as connection parameter.
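
Added example (not part of the thread, and not php-src code): one way to combine the advice above so that a silent LDAP server cannot hang an authentication path. The helper name bind_with_deadline() and its return shape are hypothetical; the URI and the 3-second value mirror the report's test, and the PHP build is assumed to include the LDAP_OPT_TIMEOUT support added for this bug.

```php
<?php
// Added example. bind_with_deadline() is a hypothetical helper name.

function bind_with_deadline(string $uri, int $seconds): array
{
    // Library-wide defaults, set with null before ldap_connect() as the
    // thread advises. NETWORK_TIMEOUT bounds the socket-level connect;
    // TIMEOUT bounds the wait for the reply to an operation such as bind.
    ldap_set_option(null, LDAP_OPT_NETWORK_TIMEOUT, $seconds);
    ldap_set_option(null, LDAP_OPT_TIMEOUT, $seconds);

    // ldap_connect() only allocates a handle for the URI; as noted in the
    // thread, nothing is sent until the first operation.
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return ['ok' => false, 'elapsed' => 0.0, 'error' => 'invalid LDAP URI'];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Per the thread, TIMELIMIT applies to searches only. It is set here so
    // that later ldap_search() calls are bounded; it does not affect bind.
    ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, $seconds);

    $start = microtime(true);
    $ok = @ldap_bind($ldap);   // anonymous bind: first real network I/O
    $elapsed = microtime(true) - $start;

    $error = $ok ? '' : ldap_error($ldap);
    ldap_unbind($ldap);        // release the handle whether or not bind worked

    return ['ok' => $ok, 'elapsed' => $elapsed, 'error' => $error];
}

// Run against the silent listener from the report (nc -l 1234, or
// nc -l -p 1234 depending on the netcat variant, as found in the thread).
$result = bind_with_deadline('ldap://127.0.0.1:1234', 3);

// Fail closed: a timeout is a failed login, never a reason to skip the check.
if (!$result['ok']) {
    error_log(sprintf('LDAP bind failed after %.1fs: %s',
        $result['elapsed'], $result['error']));
    exit(1);
}
```

The ldaps:// case reported earlier in the thread is not settled on this page, so measure the elapsed time against your own TLS endpoint before relying on these options there.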
 [2022-08-12 03:04 UTC] tanjh58 at hotmail dot com
For the ldap protocol, I used similar code:
<?php
$ldap = ldap_connect('ldap://127.0.0.1:389');

ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMEOUT, 3);

ldap_bind($ldap);
?>
This times out in 3 seconds.

How could you set timeout before ldap_connect, if $ldap is not set by ldap_connect call?
 [2022-08-12 17:06 UTC] tanjh58 at hotmail dot com
Since this bug is closed, I opened a new one: https://github.com/php/php-src/issues/9320
 
Last updated: Tue Mar 19 09:01:30 2024 UTC