Diffstat (limited to 'src')
-rw-r--r--src/man/sssd-ldap.5.xml25
-rw-r--r--src/providers/ipa/ipa_common.c2
-rw-r--r--src/providers/ipa/ipa_init.c10
-rw-r--r--src/providers/ldap/ldap_common.c2
-rw-r--r--src/providers/ldap/ldap_init.c10
5 files changed, 47 insertions, 2 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 89437d97f..49d902945 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -386,6 +386,31 @@
</varlistentry>
<varlistentry>
+ <term>ldap_search_timeout (integer)</term>
+ <listitem>
+ <para>
+ Specifies the timeout (in seconds) that ldap
+ searches are allowed to run before they are
+ cancelled and cached results are returned (and
+ offline mode is entered)
+ </para>
+ <para>
+ Default: 5 (When enumerate = False)
+ </para>
+ <para>
+ Default: 30 (When enumerate = True - this option
+ will be forced to a minumum of 30s in this case)
+ </para>
+ <para>
+ Note: this option is subject to change in future
+ versions of the SSSD. It will likely be replaced
+ at some point by a series of timeouts for
+ specific lookup types.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_network_timeout (integer)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 4bcd534c8..76ac02e16 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -42,7 +42,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_authtok_type", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
- { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
{ "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
{ "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING },
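Review bot: The new default of 5 on the `ldap_search_timeout` entry has no comment explaining the trade-off, even though the man-page text added in this same commit says an expired search ends with cached results being returned and offline mode being entered. Going from 60 to 5 makes that fallback much easier to reach on a slow or loaded server, so identity data may be answered from cache (possibly stale after an account or group change) more often; how long cached entries are honoured is not visible here. I would add above the entry `/* 5s: on expiry the backend goes offline and serves cached data; forced to >= 30s at init when enumerate is on */`. The same applies to the identical change in src/providers/ldap/ldap_common.c. The array initializer starts and ends outside the hunk.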
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index f3fa610e5..eeecc371f 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -130,6 +130,16 @@ int sssm_ipa_id_init(struct be_ctx *bectx,
goto done;
}
+ /* FIXME: This is a workaround for 1.2.0. In the future, we need to have
+ * separate timeouts for enumeration operations
+ * If enumeration is enabled and the search timeout is less
+ * than 30s, force it to a minimum of 30s.
+ */
+ if(bectx->domain->enumerate &&
+ dp_opt_get_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT) < 30) {
+ dp_opt_set_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT, 30);
+ }
+
if(dp_opt_get_bool(ipa_options->basic, IPA_DYNDNS_UPDATE)) {
/* Perform automatic DNS updates when the
* IP address changes.
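Review bot: The clamp added before the `IPA_DYNDNS_UPDATE` check overrides an explicitly configured `ldap_search_timeout` without logging anything, so an administrator who set a lower value with enumerate enabled cannot tell from the logs that 30 is in effect. A DEBUG line inside the `if` would make the override visible, e.g. `DEBUG(1, ("ldap_search_timeout raised to 30s because enumeration is enabled\n"));`, with the level chosen to match the project's convention. The identical block in src/providers/ldap/ldap_init.c has the same gap. sssm_ipa_id_init starts and ends outside this hunk.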
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 8fcea9677..0257ef638 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -36,7 +36,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_authtok_type", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
- { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
{ "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
{ "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING },
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 5c6f4b790..af98d8e52 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -82,6 +82,16 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
goto done;
}
+ /* FIXME: This is a workaround for 1.2.0. In the future, we need to have
+ * separate timeouts for enumeration operations
+ * If enumeration is enabled and the search timeout is less
+ * than 30s, force it to a minimum of 30s.
+ */
+ if(bectx->domain->enumerate &&
+ dp_opt_get_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT) < 30) {
+ dp_opt_set_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT, 30);
+ }
+
dns_service_name = dp_opt_get_string(ctx->opts->basic,
SDAP_DNS_SERVICE_NAME);
DEBUG(7, ("Service name for discovery set to %s\n", dns_service_name));
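Review bot: The literal 30 in the added `if` appears twice here and is repeated in src/providers/ipa/ipa_init.c and in the man page, so the copies can drift apart when this 1.2.0 workaround is revisited. A single named constant in a header both providers include would keep them in step, e.g. `#define SDAP_ENUM_SEARCH_TIMEOUT 30` (the name is only a suggestion), used in both the comparison and the `dp_opt_set_int` call. sssm_ldap_id_init starts and ends outside this hunk, so whether such a header is already included is not visible from here.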