Skip to content

Fix LDAP network timeout not being honored on Linux #119210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Sep 17, 2025
Merged

Fix LDAP network timeout not being honored on Linux #119210

merged 9 commits into from
Sep 17, 2025

Conversation

Copy link
Contributor

Copilot AI commented Aug 29, 2025
edited
Loading

Fixes #62075

Problem

On Linux, System.DirectoryServices.Protocols.LdapConnection does not honor the Timeout property at the network layer, causing network operations (such as connect or bind) to potentially hang indefinitely or much longer than the requested timeout. This occurs because the native LDAP handle does not have LDAP_OPT_NETWORK_TIMEOUT set, while on Windows the timeout is properly enforced at the network layer.

Solution

This PR implements proper network-level timeout support for Linux by setting LDAP_OPT_NETWORK_TIMEOUT via ldap_set_option on the LDAP handle after initialization and before any bind or search operations.

Key Changes

  1. Added LDAP_OPT_NETWORK_TIMEOUT constant (0x5005) to the LdapOption enum
  2. Added P/Invoke support for setting timeval structures via ldap_set_option_timeval
  3. Modified InternalConnectToServer in LdapConnection.Linux.cs to set network timeout using the Timeout property value
  4. Added comprehensive tests to verify timeout behavior across platforms
  5. Uses proper error handling with CheckAndSetLdapError for timeout option setting

Implementation Details

The timeout is set in InternalConnectToServer after successful URI configuration:

var timeout = new LDAP_TIMEVAL()
{
    tv_sec = (int)(_connectionTimeOut.Ticks / TimeSpan.TicksPerSecond),
    tv_usec = (int)((_connectionTimeOut.Ticks % TimeSpan.TicksPerSecond) / 10)
};

int timeoutResult = LdapPal.SetTimevalOption(_ldapHandle, LdapOption.LDAP_OPT_NETWORK_TIMEOUT, ref timeout);
ErrorChecking.CheckAndSetLdapError(timeoutResult);

The implementation uses standard error handling patterns consistent with other LDAP options in the codebase.

Testing

  • Added cross-platform unit tests to verify timeout functionality
  • Added timeout failure test using unreachable endpoint (192.0.2.1)
  • All existing tests continue to pass (46/46 LdapConnectionTests pass)
  • Manual verification confirms proper exception handling and timeout behavior

Impact

This change brings Linux behavior in line with Windows and makes the Timeout property work as documented across platforms. While this could change behavior for callers whose connections previously took longer than the default timeout (30s) without overriding it, this is a desirable bug fix that improves reliability and cross-platform consistency.

Fixes scenarios where LDAP connections would hang indefinitely on Linux when network connectivity issues occurred, particularly important for applications that rely on predictable timeout behavior.

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Copilot AI and others added 3 commits August 29, 2025 16:57
@ericstj
Implement LDAP_OPT_NETWORK_TIMEOUT for Linux LDAP connections
9ef9a4d 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
@ericstj
Add tests to verify LDAP network timeout functionality on Linux
966a310 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
@ericstj
Fix microseconds calculation for LDAP network timeout
1ab3a4c 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
Copilot AI changed the title [WIP] Honor LdapConnection.Timeout at the network layer on Linux using LDAP_OPT_NETWORK_TIMEOUT Fix LDAP network timeout not being honored on Linux Aug 29, 2025
Copilot finished work on behalf of ericstj August 29, 2025 17:12
Copilot AI requested a review from ericstj August 29, 2025 17:12
@ericstj

This comment was marked as off-topic.

Sign in to view

This comment was marked as off-topic.

Sign in to view
Copilot finished work on behalf of ericstj August 29, 2025 17:45
ericstj
ericstj reviewed Aug 29, 2025
View reviewed changes
@ericstj
Copy link
Member

ericstj commented Sep 2, 2025

@copilot can you address the feedback?

Copilot AI and others added 2 commits September 2, 2025 19:10
@ericstj
Address PR feedback: improve tests and error handling
75f43a4 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
@ericstj
Mark unreachable server timeout test as OuterLoop
4ccb9ae 
Co-authored-by: ericstj <8918108+ericstj@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Sep 2, 2025

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 192.0.2.1
    • Triggering command: /home/REDACTED/work/runtime/runtime/artifacts/bin/testhost/net10.0-linux-Debug-x64/dotnet exec --runtimeconfig /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/System.DirectoryServices.Protocols.Tests.runtimeconfig.json --depsfile /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/System.DirectoryServices.Protocols.Tests.deps.json /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/testhost.dll --port 45025 --endpoint 127.0.0.1:045025 --role client --parentprocessid 58534 --datacollectionport 38201 --telemetryoptedin false (packet block)
  • server
    • Triggering command: /home/REDACTED/work/runtime/runtime/artifacts/bin/testhost/net10.0-linux-Debug-x64/dotnet exec --runtimeconfig /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/System.DirectoryServices.Protocols.Tests.runtimeconfig.json --depsfile /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/System.DirectoryServices.Protocols.Tests.deps.json /home/REDACTED/work/runtime/runtime/artifacts/bin/System.DirectoryServices.Protocols.Tests/Debug/net10.0-linux/testhost.dll --port 37491 --endpoint 127.0.0.1:037491 --role client --parentprocessid 59763 --datacollectionport 38459 --telemetryoptedin false (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from ericstj September 2, 2025 19:16
Copilot finished work on behalf of ericstj September 2, 2025 19:16
@build-analysis build-analysis bot mentioned this pull request Sep 2, 2025
Closed
@ericstj ericstj marked this pull request as ready for review September 11, 2025 15:20
@Copilot Copilot AI review requested due to automatic review settings September 11, 2025 15:20
Copilot
Copilot AI reviewed Sep 11, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a bug where System.DirectoryServices.Protocols.LdapConnection does not honor the Timeout property at the network layer on Linux, potentially causing network operations to hang indefinitely. The solution implements proper network-level timeout support for Linux by setting LDAP_OPT_NETWORK_TIMEOUT via ldap_set_option.

  • Added LDAP_OPT_NETWORK_TIMEOUT constant and P/Invoke support for setting timeval structures
  • Modified InternalConnectToServer in Linux implementation to set network timeout using the Timeout property
  • Added comprehensive cross-platform tests to verify timeout behavior

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/libraries/System.DirectoryServices.Protocols/tests/LdapConnectionTests.cs Added unit tests for timeout functionality including unreachable server test
src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/ldap/LdapConnection.Linux.cs Modified InternalConnectToServer to set network timeout after URI configuration
src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/Interop/LdapPal.Linux.cs Added SetTimevalOption method for setting timeval-based LDAP options
src/libraries/Common/src/Interop/Linux/OpenLdap/Interop.Ldap.cs Added P/Invoke declaration for ldap_set_option_timeval
src/libraries/Common/src/Interop/Interop.Ldap.cs Added LDAP_OPT_NETWORK_TIMEOUT constant to LdapOption enum

ericstj and others added 2 commits September 11, 2025 08:22
@ericstj @Copilot
Update src/libraries/System.DirectoryServices.Protocols/src/System/Di…
4e86015 
…rectoryServices/Protocols/ldap/LdapConnection.Linux.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ericstj
Merge branch 'main' into copilot/fix-eecfc6c9-c633-469d-b1a9-be94cbb7…
5219b26 
…1db9
@ericstj ericstj requested a review from a team September 15, 2025 21:55
tarekgh
tarekgh approved these changes Sep 15, 2025
View reviewed changes
Copy link
Member

@tarekgh tarekgh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! left a minor question.

@ericstj
Copy link
Member

ericstj commented Sep 17, 2025

Got feedback from customer contact that this does seem to be working in a test environment. They could not test in production. Will merge for now. Customer has a workaround so not planning to backport this to 10.0.

@ericstj ericstj merged commit 9130524 into main Sep 17, 2025
88 checks passed
@jkotas jkotas deleted the copilot/fix-eecfc6c9-c633-469d-b1a9-be94cbb71db9 branch September 22, 2025 23:28
@github-actions github-actions bot locked and limited conversation to collaborators Oct 23, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@ericstj ericstj ericstj left review comments

@tarekgh tarekgh tarekgh approved these changes

Copilot code review Copilot Copilot left review comments

Assignees

@ericstj ericstj

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

System.DirectoryServices.Protocols LdapConnection should have bindtimeout property. how to timeout on bind currently?

3 participants

@ericstj @tarekgh