Defect #8978

LDAP timeout if an LDAP auth provider is unreachable

Added by Davide Ferrari over 6 years ago. Updated over 5 years ago.

Status:ClosedStart date:2011-08-03
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:LDAP
Target version:2.1.0
Resolution:Fixed Affected version:

Description

Hi

we are using Redmine with a like 3 different LDAP auth sources, and sometimes if one of the goes down, almsot every process involved with Redmine slow down terribly.
It seems that when some use rtry to log in, Redmien try to contact the server that's not responding, waiting indefinitely for the action to be completed, making everything slow. There should be a (configurable perhaps?) timeout (I think that a sane default could be 30 seconds), and then the LDAP source should be considered dead (at least for that request).

i'm using Redmine 1.1.2.stable.5317

ldap_timeout-v2.0.3.patch Magnifier (2.46 KB) Brett Patterson, 2012-06-29 04:32

ldap_timeout_v2-redmine2.0.3.patch Magnifier - LDAP Timeout patch - v2 - redmine 2.0.3 (3.91 KB) Brett Patterson, 2012-06-30 04:10

Associated revisions

Revision 9931
Added by Jean-Philippe Lang over 5 years ago

Adds a configurable timeout for LDAP authentication (#8978).

Revision 9932
Added by Jean-Philippe Lang over 5 years ago

Fills locales (#8978).

History

#1 Updated by Terence Mill over 6 years ago

you can try if redmine_ldap_sync can handle this better.

#2 Updated by Brett Patterson over 5 years ago

I can confirm this happens in 2.0.3 as well. We used to use LDAP to authenticate and when we took our LDAP system offline I forgot some users were still configured and instead of seeing a message about unable to log in or LDAP authentication server unreachable, it gave a 500 error.

#3 Updated by Brett Patterson over 5 years ago

Here's a quick patch I made against 2.0.3. This will catch a timeout error after 30 seconds and redirect the user with a proper error message. This is english only and really is a proof-of-concept. Ideally the timeout would default to 30 seconds but could be modified via the administration settings (or per-LDAP definition).

Perhaps the Timeout class is not the best solution in this case; however, from my testing it works.

#4 Updated by Etienne Massip over 5 years ago

  • Target version set to Candidate for next major release

Brett Patterson wrote:

Perhaps the Timeout class is not the best solution in this case; however, from my testing it works.

Actually seems to be a great idea.

#5 Updated by Brett Patterson over 5 years ago

Worked on it some more and now the timeout is configurable on a per-connection basis in the LDAP settings. If no timeout value is set, the default of 20 is set.

In order to use this, the following SQL must be run:

ALTER TABLE `auth_sources` ADD COLUMN `timeout` int(11) DEFAULT NULL AFTER `port`;

#6 Updated by Jean-Philippe Lang over 5 years ago

  • Target version changed from Candidate for next major release to 2.1.0

Is there a good reason to set the timeout for each LDAP instead of a global setting?

#7 Updated by Brett Patterson over 5 years ago

A good reason not really. It may be preferable to have "local" LDAP connections have a faster timeout than remote ones, so there may be some instances where adding an extra second here and there is preferable.

#8 Updated by Jean-Philippe Lang over 5 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Feature added in r9931 with slight changes and test. Thanks.

#9 Updated by Davide Ferrari over 5 years ago

Thanks a lot!

Also available in: Atom PDF