Skip to content

Fix LDAP network timeout not being honored on Linux #119210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Fix LDAP network timeout not being honored on Linux #119210

wants to merge 8 commits into from
+72 −1

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Aug 29, 2025
edited
Loading

Fixes #62075

Problem

On Linux, System.DirectoryServices.Protocols.LdapConnection does not honor the Timeout property at the network layer, causing network operations (such as connect or bind) to potentially hang indefinitely or much longer than the requested timeout. This occurs because the native LDAP handle does not have LDAP_OPT_NETWORK_TIMEOUT set, while on Windows the timeout is properly enforced at the network layer.

Solution

This PR implements proper network-level timeout support for Linux by setting LDAP_OPT_NETWORK_TIMEOUT via ldap_set_option on the LDAP handle after initialization and before any bind or search operations.

Key Changes

  1. Added LDAP_OPT_NETWORK_TIMEOUT constant (0x5005) to the LdapOption enum
  2. Added P/Invoke support for setting timeval structures via ldap_set_option_timeval
  3. Modified InternalConnectToServer in LdapConnection.Linux.cs to set network timeout using the Timeout property value
  4. Added comprehensive tests to verify timeout behavior across platforms
  5. Uses proper error handling with CheckAndSetLdapError for timeout option setting

Implementation Details

The timeout is set in InternalConnectToServer after successful URI configuration:

var timeout = new LDAP_TIMEVAL()
{
    tv_sec = (int)(_connectionTimeOut.Ticks / TimeSpan.TicksPerSecond),
    tv_usec = (int)((_connectionTimeOut.Ticks % TimeSpan.TicksPerSecond) / 10)
};

int timeoutResult = LdapPal.SetTimevalOption(_ldapHandle, LdapOption.LDAP_OPT_NETWORK_TIMEOUT, ref timeout);
ErrorChecking.CheckAndSetLdapError(timeoutResult);

The implementation uses standard error handling patterns consistent with other LDAP options in the codebase.

Testing

  • Added cross-platform unit tests to verify timeout functionality
  • Added timeout failure test using unreachable endpoint (192.0.2.1)
  • All existing tests continue to pass (46/46 LdapConnectionTests pass)
  • Manual verification confirms proper exception handling and timeout behavior

Impact

This change brings Linux behavior in line with Windows and makes the Timeout property work as documented across platforms. While this could change behavior for callers whose connections previously took longer than the default timeout (30s) without overriding it, this is a desirable bug fix that improves reliability and cross-platform consistency.

Fixes scenarios where LDAP connections would hang indefinitely on Linux when network connectivity issues occurred, particularly important for applications that rely on predictable timeout behavior.

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Copilot AI and others added 3 commits August 29, 2025 16:57
@Copilot @ericstj
Implement LDAP_OPT_NETWORK_TIMEOUT for Linux LDAP connections
9ef9a4d 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
@Copilot @ericstj
Add tests to verify LDAP network timeout functionality on Linux
966a310 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
@Copilot @ericstj
Fix microseconds calculation for LDAP network timeout
1ab3a4c 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] Honor LdapConnection.Timeout at the network layer on Linux using LDAP_OPT_NETWORK_TIMEOUT Fix LDAP network timeout not being honored on Linux Aug 29, 2025
Copilot finished work on behalf of ericstj August 29, 2025 17:12
@Copilot Copilot AI requested a review from ericstj August 29, 2025 17:12
@ericstj

This comment was marked as off-topic.

Sign in to view
@Copilot Copilot SWE Agent

This comment was marked as off-topic.

Sign in to view
Copilot finished work on behalf of ericstj August 29, 2025 17:45
ericstj
ericstj reviewed Aug 29, 2025
View reviewed changes
@ericstj
Copy link
Member

ericstj commented Sep 2, 2025

@copilot can you address the feedback?

Copilot AI and others added 2 commits September 2, 2025 19:10
@Copilot @ericstj
Address PR feedback: improve tests and error handling
75f43a4 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
@Copilot @ericstj
Mark unreachable server timeout test as OuterLoop
4ccb9ae 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
@Copilot Copilot SWE Agent
Copy link
Contributor Author

Copilot AI commented Sep 2, 2025

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 192.0.2.1
    • Triggering command: /home/REDACTED/work/runtime/runtime/artifacts/bin/testhost/net10.0-linux-Debug-x64/dotnet exec --runtimeconfig /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/System.DirectoryServices.Protocols.Tests.runtimeconfig.json --depsfile /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/System.DirectoryServices.Protocols.Tests.deps.json /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/testhost.dll --port 45025 --endpoint 127.0.0.1:045025 --role client --parentprocessid 58534 --datacollectionport 38201 --telemetryoptedin false (packet block)
  • server
    • Triggering command: /home/REDACTED/work/runtime/runtime/artifacts/bin/testhost/net10.0-linux-Debug-x64/dotnet exec --runtimeconfig /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/System.DirectoryServices.Protocols.Tests.runtimeconfig.json --depsfile /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/System.DirectoryServices.Protocols.Tests.deps.json /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/testhost.dll --port 37491 --endpoint 127.0.0.1:037491 --role client --parentprocessid 59763 --datacollectionport 38459 --telemetryoptedin false (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@Copilot Copilot AI requested a review from ericstj September 2, 2025 19:16
Copilot finished work on behalf of ericstj September 2, 2025 19:16
@build-analysis build-analysis bot mentioned this pull request Sep 2, 2025
Closed
@ericstj ericstj marked this pull request as ready for review September 11, 2025 15:20
@Copilot Copilot AI review requested due to automatic review settings September 11, 2025 15:20
Copilot
Copilot AI reviewed Sep 11, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a bug where System.DirectoryServices.Protocols.LdapConnection does not honor the Timeout property at the network layer on Linux, potentially causing network operations to hang indefinitely. The solution implements proper network-level timeout support for Linux by setting LDAP_OPT_NETWORK_TIMEOUT via ldap_set_option.

  • Added LDAP_OPT_NETWORK_TIMEOUT constant and P/Invoke support for setting timeval structures
  • Modified InternalConnectToServer in Linux implementation to set network timeout using the Timeout property
  • Added comprehensive cross-platform tests to verify timeout behavior

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/libraries/System.DirectoryServices.Protocols/tests/LdapConnectionTests.cs Added unit tests for timeout functionality including unreachable server test
src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/ldap/LdapConnection.Linux.cs Modified InternalConnectToServer to set network timeout after URI configuration
src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/Interop/LdapPal.Linux.cs Added SetTimevalOption method for setting timeval-based LDAP options
src/libraries/Common/src/Interop/Linux/OpenLdap/Interop.Ldap.cs Added P/Invoke declaration for ldap_set_option_timeval
src/libraries/Common/src/Interop/Interop.Ldap.cs Added LDAP_OPT_NETWORK_TIMEOUT constant to LdapOption enum

@ericstj @Copilot
Update src/libraries/System.DirectoryServices.Protocols/src/System/Di…
4e86015 
…rectoryServices/Protocols/ldap/LdapConnection.Linux.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericstj ericstj ericstj left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@ericstj ericstj

Copilot code review Copilot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

System.DirectoryServices.Protocols LdapConnection should have bindtimeout property. how to timeout on bind currently?
2 participants
@Copilot @ericstj