PHP :: Bug #69574 :: ldap connection timeouts not enforced

Bug #69574	ldap connection timeouts not enforced
Submitted:	2015-05-05 13:54 UTC	Modified:	2022-08-11 19:40 UTC
From:	ryan dot brothers at gmail dot com	Assigned:	mcmic (profile)
Status:	Closed	Package:	LDAP related
PHP Version:	5.6.8	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-05-05 13:54 UTC] ryan dot brothers at gmail dot com

Description:
------------
I am trying to simulate a LDAP server timing out.  I'm setting the options LDAP_OPT_NETWORK_TIMEOUT and LDAP_OPT_TIMELIMIT, but the script runs indefinitely without timing out.

In one ssh session, I am running the following command to simulate a socket listener:

nc -l 1234

If I run the below script in a second ssh session, it runs forever and never times out.

Is there a way to have this script timeout after a certain number of seconds?


Test script:
---------------
<?php
$ldap = ldap_connect('127.0.0.1:1234');

ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 3);

ldap_bind($ldap);


Expected result:
----------------
Script times out in 3 seconds.


Actual result:
--------------
Script never times out.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-09-09 13:47 UTC] mcmic@php.net

I can’t reproduce this, I tried your script, I got «PHP Warning:  ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /tmp/test.php on line 3»
So I replaced the call to ldap_connect by «$ldap = ldap_connect('127.0.0.1:1234');»
I launched «nc -l 1234» in a shell, in an other one the PHP script, I only got «PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /tmp/test.php on line 8» immediatly, not even after 3 seconds.

Not sure how to test this otherwise…

[2015-09-09 13:48 UTC] mcmic@php.net

I meant I replaced it by «$ldap = ldap_connect('localhost', 1234);», sorry.

[2015-09-09 13:51 UTC] mcmic@php.net

Ok, got it, I had to do «nc -l -p 1234» instead of «nc -l 1234».
I can reproduce the bug.

[2015-09-09 13:51 UTC] mcmic@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: mcmic

[2015-09-09 15:24 UTC] mcmic@php.net

Ok, so the problem is:

LDAP_OPT_TIMELIMIT is only for searches, not bind operations
LDAP_OPT_NETWORK_TIMEOUT is for socket level timeout, in your test there is no such thing as the nc is indeed listening on the socket.

What you need is LDAP_OPT_TIMEOUT from openldap, which is not available yet in PHP.
So I’m gonna add this to php-ldap as it seems usefull.

[2015-09-10 10:00 UTC] mcmic@php.net

-Status: Assigned +Status: Closed

[2015-09-10 10:00 UTC] mcmic@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I added support for LDAP_OPT_TIMEOUT, please check that it fixes your problem.

[2022-08-11 18:10 UTC] tanjh58 at hotmail dot com

This doesn't work for ldaps protocol. Here is my code: 

<?php
$ldap = ldap_connect('ldaps://127.0.0.1:636');

ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMEOUT, 3);

ldap_bind($ldap);
?>

This never timeout.

[2022-08-11 18:38 UTC] requinix@php.net

-Summary: ldap timeouts not enforced +Summary: ldap connection timeouts not enforced

[2022-08-11 18:38 UTC] requinix@php.net

Connection timeouts must be set before connecting. Set LDAP_OPT_NETWORK_TIMEOUT globally before calling ldap_connect() by passing null in place of a connection.


ldap_set_option(null, LDAP_OPT_NETWORK_TIMEOUT, 3);
ldap_connect('127.0.0.1:1234');


Meanwhile ldap_bind() is something else.

[2022-08-11 19:40 UTC] heiglandreas@php.net

As ldap_connect doesn't actually "connect", the logic is quite flawed here as the first command actually connecting to the server in the example is the ldap_bind.

But in the end that's nitpicking. The TIMEOUT needs to be set before the ldap_connect, so the ldap_set_option gets NULL as connection parameter.

[2022-08-12 03:04 UTC] tanjh58 at hotmail dot com

For ldap protocol, I did the similar code:
<?php
$ldap = ldap_connect('ldap://127.0.0.1:389');

ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 3);
ldap_set_option($ldap, LDAP_OPT_TIMEOUT, 3);

ldap_bind($ldap);
?>
This times out in 3 seconds.

How could you set timeout before ldap_connect, if $ldap is not set by ldap_connect call?

[2022-08-12 17:06 UTC] tanjh58 at hotmail dot com

Since this bug is closed, I opened a new one: https://github.com/php/php-src/issues/9320

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 13:01:29 2024 UTC