authorStephen Gallagher <sgallagh@redhat.com>2010-05-18 10:17:44 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-05-18 13:08:37 -0400
commitdb534f6eb40f083860756afe3b2d0589f271dec0 (patch)
treed7b1b63933164bf83d1d3b0b414fa26239296d9b
parent6663abdda9ce55aace1b19c4170b1153d39136e0 (diff)
Set ldap_search_timeout default to 5 seconds
The manpages had five seconds listed, but the source disagreed (it was set to 60 seconds). This resulted in long wait times when unlocking the screen after network disconnection, for example. If enumerate=True, we will set this value to a minimum of 30s.
-rw-r--r--src/man/sssd-ldap.5.xml25
-rw-r--r--src/providers/ipa/ipa_common.c2
-rw-r--r--src/providers/ipa/ipa_init.c10
-rw-r--r--src/providers/ldap/ldap_common.c2
-rw-r--r--src/providers/ldap/ldap_init.c10
5 files changed, 47 insertions, 2 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 89437d97f..49d902945 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -386,6 +386,31 @@
</varlistentry>
<varlistentry>
+ <term>ldap_search_timeout (integer)</term>
+ <listitem>
+ <para>
+ Specifies the timeout (in seconds) that ldap
+ searches are allowed to run before they are
+ cancelled and cached results are returned (and
+ offline mode is entered)
+ </para>
+ <para>
+ Default: 5 (When enumerate = False)
+ </para>
+ <para>
+ Default: 30 (When enumerate = True - this option
+ will be forced to a minumum of 30s in this case)
+ </para>
+ <para>
+ Note: this option is subject to change in future
+ versions of the SSSD. It will likely be replaced
+ at some point by a series of timeouts for
+ specific lookup types.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_network_timeout (integer)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 4bcd534c8..76ac02e16 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -42,7 +42,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_authtok_type", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
- { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
{ "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
{ "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING },
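Review bot: The new `{ .number = 5 }` on the `ldap_search_timeout` row is a bare literal with no comment, and the same literal is repeated in `default_basic_opts` in src/providers/ldap/ldap_common.c and in the man page, which is the kind of drift this commit is correcting. According to the man page text added in this commit, reaching this timeout returns cached results and enters offline mode, so with the smaller value a slow or congested directory server will have clients answering from cached identity data much sooner than before. I would record that on the row in both tables, e.g. `/* seconds; on expiry cached results are returned and the backend goes offline - keep in sync with sssd-ldap(5) */`. The array starts and ends outside the hunk.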
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index f3fa610e5..eeecc371f 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -130,6 +130,16 @@ int sssm_ipa_id_init(struct be_ctx *bectx,
goto done;
}
+ /* FIXME: This is a workaround for 1.2.0. In the future, we need to have
+ * separate timeouts for enumeration operations
+ * If enumeration is enabled and the search timeout is less
+ * than 30s, force it to a minimum of 30s.
+ */
+ if(bectx->domain->enumerate &&
+ dp_opt_get_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT) < 30) {
+ dp_opt_set_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT, 30);
+ }
+
if(dp_opt_get_bool(ipa_options->basic, IPA_DYNDNS_UPDATE)) {
/* Perform automatic DNS updates when the
* IP address changes.
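Review bot: The clamp at `dp_opt_set_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT, 30);` replaces a value the administrator may have set explicitly without logging anything, so a configured timeout below 30 with enumeration enabled will behave as 30 with no trace of why. I would log the override inside the `if`, for example `DEBUG(1, ("ldap_search_timeout raised to 30s because enumerate is enabled\n"));`, using the DEBUG form seen in ldap_init.c. The result of dp_opt_set_int is also discarded; if it can fail (not visible here), it should take the same `goto done` error path as the check just above. The literal 30 appears twice in this block and again in the identical block added to sssm_ldap_id_init in src/providers/ldap/ldap_init.c, so a single named constant would keep the two providers and the man page from drifting apart. sssm_ipa_id_init starts and ends outside the hunk.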
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 8fcea9677..0257ef638 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -36,7 +36,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_authtok_type", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
- { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
{ "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
{ "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING },
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 5c6f4b790..af98d8e52 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -82,6 +82,16 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
goto done;
}
+ /* FIXME: This is a workaround for 1.2.0. In the future, we need to have
+ * separate timeouts for enumeration operations
+ * If enumeration is enabled and the search timeout is less
+ * than 30s, force it to a minimum of 30s.
+ */
+ if(bectx->domain->enumerate &&
+ dp_opt_get_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT) < 30) {
+ dp_opt_set_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT, 30);
+ }
+
dns_service_name = dp_opt_get_string(ctx->opts->basic,
SDAP_DNS_SERVICE_NAME);
DEBUG(7, ("Service name for discovery set to %s\n", dns_service_name));