From 317d5947b84ae2707e46b89fb0d8318c07174e13 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 26 May 2021 19:06:10 +0200
Subject: [PATCH] dirmngr: Use --ldaptimeout for OpenPGP LDAP keyservers.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Use LDAP_OPT_TIMEOUT.
* dirmngr/dirmngr.c (main): Move --ldaptimeout setting to ... (parse_rereadable_options): here.
--
Note that this has not yet been tested. In fact a test with OpenLDAP using a modified route got stuck in the connection attempt. Maybe it works on Windows - will be tested later.
Signed-off-by: Werner Koch
---
 dirmngr/dirmngr.c | 8 +++++---
 dirmngr/ks-engine-ldap.c | 16 +++++++++++++++-
 doc/dirmngr.texi | 12 +++++++-----
 3 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 9298cad92..04fe9e238 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -645,6 +645,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
 set_dns_timeout (0);
 opt.connect_timeout = 0;
 opt.connect_quick_timeout = 0;
+ opt.ldaptimeout = DEFAULT_LDAP_TIMEOUT;
 ldapserver_list_needs_reset = 1;
 return 1;
 }
@@ -779,6 +780,10 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
 opt.connect_quick_timeout = pargs->r.ret_ulong * 1000;
 break;
+ case oLDAPTimeout:
+ opt.ldaptimeout = pargs->r.ret_int;
+ break;
+
 default:
 return 0; /* Not handled. */
 }
@@ -1035,9 +1040,6 @@ main (int argc, char **argv)
 # endif /*USE_LDAP*/
 break;
 case oLDAPAddServers: opt.add_new_ldapservers = 1; break;
- case oLDAPTimeout:
- opt.ldaptimeout = pargs.r.ret_int;
- break;
 case oFakedSystemTime:
 gnupg_set_time ((time_t)pargs.r.ret_ulong, 0);
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index 01f24fbbc..094a10576 100644
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
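Review bot: In the new `oLDAPTimeout` case of parse_rereadable_options (hunk at line 779), `opt.ldaptimeout = pargs->r.ret_int;` stores the value without a range check, so a negative `--ldaptimeout` is accepted; the neighbouring timeout cases take `ret_ulong`, and the only consumer visible in this patch tests `if (opt.ldaptimeout)`, which a negative value passes. If opt.ldaptimeout is unsigned (the `%u` used to print it in ks-engine-ldap.c suggests so), a negative value also wraps to a very large timeout rather than being refused. Reject it the way the file reports other invalid option values, e.g. `if (pargs->r.ret_int < 0) { log_error ("invalid --ldaptimeout value\n"); break; }` before the assignment, or switch the option to `ret_ulong` like its neighbours — the option table that decides this is outside the hunk. Resetting to `DEFAULT_LDAP_TIMEOUT` in the first hunk is consistent with how the other timeouts are reset on reread.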
@@ -313,7 +313,7 @@ ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri)
 {
 const char data[] =
 "Handler for LDAP URLs:\n"
- " ldap://HOST:PORT/[BASEDN]???[bindname=BINDNAME,password=PASSWORD]\n"
+ " ldap://HOST:PORT/[BASEDN]????[bindname=BINDNAME,password=PASSWORD]\n"
 "\n"
 "Note: basedn, bindname and password need to be percent escaped. In\n"
 "particular, spaces need to be replaced with %20 and commas with %2c.\n"
@@ -646,6 +646,20 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
 goto out;
 }
 }
+ if (opt.ldaptimeout)
+ {
+ int ver = opt.ldaptimeout;
+
+ lerr = ldap_set_option (ldap_conn, LDAP_OPT_TIMELIMIT, &ver);
+ if (lerr != LDAP_SUCCESS)
+ {
+ log_error ("ks-ldap: unable to set LDAP timelimit to %us: %s\n",
+ opt.ldaptimeout, ldap_err2string (lerr));
+ err = ldap_err_to_gpg_err (lerr);
+ goto out;
+ }
+
+ }
 #endif
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 8ebfea848..c53be6ff9 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -440,7 +440,7 @@ encoded as Latin-1.
 There is no other solution here than to put such a password in the binary encoding into the file (i.e. non-ascii characters won't show up readable).@footnote{The @command{gpgconf} tool might be helpful for frontends as it enables editing this configuration file using
-percent-escaped strings.}jj
+percent-escaped strings.}
 @item --ldapserver @var{spec}
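Review bot: The timeout block added to my_ldap_connect (hunk at line 646) sets `LDAP_OPT_TIMELIMIT`, which is the server-side search time limit (an `int` of seconds the client passes to the server as the search limit), not a client-side timeout, while the commit message names LDAP_OPT_TIMEOUT; the stuck connection attempt reported in the message is consistent with no client timeout being in effect. The client-side options are `LDAP_OPT_NETWORK_TIMEOUT` for the connect and `LDAP_OPT_TIMEOUT` for each operation's round-trip; both take a `struct timeval *` (sys/time.h) rather than an `int *`, and whether they bound the connect here depends on their being set before the first operation on `ldap_conn`, which the hunk does not show. The local `ver` looks copied from a protocol-version block and should be renamed to say what it holds. The `%us` in the log message assumes opt.ldaptimeout is unsigned; if it is the `int` that `pargs->r.ret_int` in dirmngr.c suggests, the conversion does not match its argument.
```c
  if (opt.ldaptimeout)
    {
      struct timeval tv;

      tv.tv_sec = opt.ldaptimeout;
      tv.tv_usec = 0;
      /* Client-side limits: NETWORK_TIMEOUT bounds the connect,
         TIMEOUT bounds each synchronous operation.  */
      lerr = ldap_set_option (ldap_conn, LDAP_OPT_NETWORK_TIMEOUT, &tv);
      if (lerr == LDAP_SUCCESS)
        lerr = ldap_set_option (ldap_conn, LDAP_OPT_TIMEOUT, &tv);
      if (lerr != LDAP_SUCCESS)
        {
          log_error ("ks-ldap: unable to set LDAP timeout to %ds: %s\n",
                     (int) opt.ldaptimeout, ldap_err2string (lerr));
          /* … unchanged: err = ldap_err_to_gpg_err (lerr); goto out; … */
        }
    }
```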
@@ -448,10 +448,12 @@ percent-escaped strings.}jj
 This is an alternative way to specify LDAP servers for CRL and X.509 certificate retrieval. If this option is used the servers configured in @file{dirmngr_ldapservers.conf} (or the file given by
-@option{--ldapserverlist-file}) are cleared. Reloading dirmngr will
-consider these again will in no case use those from
-@file{dirmngr_ldapservers.conf} again. The @var{spec} is either a
-proper LDAP URL or a colon delimited list of the form
+@option{--ldapserverlist-file}) are cleared. Note that
+@file{dirmngr_ldapservers.conf} is not read again by a reload
+signal. However, @option{--ldapserver} options are read again.
+
+@var{spec} is either a proper LDAP URL or a colon delimited list of
+the form
 @sc{hostname:port:username:password:base_dn:flags:}