author | jim-p <jimp@pfsense.org> | 2015-08-13 12:54:31 -0400 |
committer | jim-p <jimp@pfsense.org> | 2015-08-13 12:54:31 -0400 |
commit | 9a0c4cd22f853fb77593ad83ebd82c7cc25d6f30 (patch) | |
tree | 13efa9d76ff782d693294f5089688f22cc28a4d9 | |
parent | 089938860dbefc6f511b7743f553414def7e8f06 (diff) | |
download | pfsense-9a0c4cd22f853fb77593ad83ebd82c7cc25d6f30.zip pfsense-9a0c4cd22f853fb77593ad83ebd82c7cc25d6f30.tar.gz |
Provide an LDAP server timeout field. Default to 25 seconds. Part of ticket #3383
Previous default was ~1m20sec.
-rw-r--r-- | etc/inc/auth.inc | 6 | ||||
-rw-r--r-- | usr/local/www/system_authservers.php | 24 |
2 files changed, 28 insertions, 2 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index e99c0c6..0ebee76 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -929,6 +929,7 @@ function ldap_get_groups($username, $authcfg) {
 		$ldapname = $authcfg['name'];
 		$ldapfallback = false;
 		$ldapscope = $authcfg['ldap_scope'];
+		$ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 25;
 	} else
 		return false;
@@ -954,6 +955,8 @@ function ldap_get_groups($username, $authcfg) {
 	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+	ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
+	ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 	/* bind as user that has rights to read group attributes */
 	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
@@ -1060,6 +1063,7 @@ function ldap_backed($username, $passwd, $authcfg) {
 		$ldapver = $authcfg['ldap_protver'];
 		$ldapname = $authcfg['name'];
 		$ldapscope = $authcfg['ldap_scope'];
+		$ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 25;
 	} else
 		return false;
@@ -1080,6 +1084,8 @@ function ldap_backed($username, $passwd, $authcfg) {
 	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+	ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
+	ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 	/* Make sure we can connect to LDAP */
 	$error = false;
diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php
index a58ef0e..d9d7ed4 100644
--- a/usr/local/www/system_authservers.php
+++ b/usr/local/www/system_authservers.php
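Review bot: The new `$ldaptimeout` line in ldap_get_groups reads `$authcfg['ldap_timeout']` with no isset() guard and accepts any numeric string, so a config saved before this field existed, or one edited to hold 0, a negative number or a fraction such as 0.5, either trips an undefined-index notice or passes a value that the later `(int)` cast turns into 0 — and 0 on LDAP_OPT_TIMELIMIT is documented as "no limit", the opposite of a short timeout. Suggest `$ldaptimeout = (isset($authcfg['ldap_timeout']) && is_numeric($authcfg['ldap_timeout']) && (int)$authcfg['ldap_timeout'] > 0) ? (int)$authcfg['ldap_timeout'] : 25;` here, and the same for the identical line added to ldap_backed in the third hunk; the literal 25 now appears in four places across the two files, so a shared constant would keep them in step. Whether the notice is visible depends on the error_reporting level in effect, which is outside this hunk, and both enclosing functions start and end outside it.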
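Review bot: The two ldap_set_option() calls added after LDAP_OPT_PROTOCOL_VERSION set the connect timeout and the search time limit that is sent to the server, but as far as I can tell neither bounds how long the following ldap_bind() or a synchronous search waits on a server that accepts the TCP connection and then stalls; that client-side wait is governed by a separate library option that this PHP version may not expose. Worth confirming against a deliberately stalled test server that a login really fails after about 25 s, since that is what the field's help text in the other file promises. The return values are unchecked, matching the existing lines, so an option the library rejects would silently leave the previous ~80 s behaviour in place. The same applies to the fourth hunk in ldap_backed; both functions start and end outside the hunks.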
@@ -97,6 +97,7 @@ if ($act == "edit") {
 	$pconfig['ldap_caref'] = $a_server[$id]['ldap_caref'];
 	$pconfig['ldap_host'] = $a_server[$id]['host'];
 	$pconfig['ldap_port'] = $a_server[$id]['ldap_port'];
+	$pconfig['ldap_timeout'] = $a_server[$id]['ldap_timeout'];
 	$pconfig['ldap_urltype'] = $a_server[$id]['ldap_urltype'];
 	$pconfig['ldap_protver'] = $a_server[$id]['ldap_protver'];
 	$pconfig['ldap_scope'] = $a_server[$id]['ldap_scope'];
@@ -217,8 +218,12 @@ if ($_POST) {
 	if (auth_get_authserver($pconfig['name']) && !isset($id))
 		$input_errors[] = gettext("An authentication server with the same name already exists.");
-	if (($pconfig['type'] == "radius") && isset($_POST['radius_timeout']) && !empty($_POST['radius_timeout']) && (!is_numeric($_POST['radius_timeout']) || (is_numeric($_POST['radius_timeout']) && ($_POST['radius_timeout'] <= 0))))
-		$input_errors[] = gettext("RADIUS Timeout value must be numeric and positive.");
+	if (($pconfig['type'] == "ldap") || ($pconfig['type'] == "radius")) {
+		$to_field = "{$pconfig['type']}_timeout";
+		if (isset($_POST[$to_field]) && !empty($_POST[$to_field]) && (!is_numeric($_POST[$to_field]) || (is_numeric($_POST[$to_field]) && ($_POST[$to_field] <= 0)))) {
+			$input_errors[] = sprintf(gettext("%s Timeout value must be numeric and positive."), strtoupper($pconfig['type']));
+		}
+	}
 	/* if this is an AJAX caller then handle via JSON */
 	if (isAjax() && is_array($input_errors)) {
@@ -268,6 +273,13 @@ if ($_POST) {
 			unset($server['ldap_binddn']);
 			unset($server['ldap_bindpw']);
 		}
+
+		if ($pconfig['ldap_timeout']) {
+			$server['ldap_timeout'] = $pconfig['ldap_timeout'];
+		} else {
+			$server['ldap_timeout'] = 25;
+		}
+
 	}
 	if ($server['type'] == "radius") {
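Review bot: The rewritten timeout check in the second hunk skips any value `!empty()` treats as empty, so a posted `0` for either type is never validated; it then also fails the `if ($pconfig['ldap_timeout'])` test in the third hunk and is silently saved as 25 instead of producing the "must be numeric and positive" error. is_numeric() further admits fractional and exponent forms such as `0.5` or `1e1` that pass the `<= 0` comparison but become 0 or 10 after the `(int)` cast in auth.inc. Something like `if (isset($_POST[$to_field]) && $_POST[$to_field] !== '' && !(ctype_digit($_POST[$to_field]) && (int)$_POST[$to_field] > 0)) {` rejects those forms with the same message. The enclosing `if ($_POST)` block starts and ends outside the hunk.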
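Review bot: The value stored in the `$server['ldap_timeout']` branch of the third hunk is the raw posted string rather than a normalised integer, so leading whitespace or a float-looking string that is_numeric() tolerates is written to the config as-is and only reinterpreted by the `(int)` casts in auth.inc. `$server['ldap_timeout'] = (int)$pconfig['ldap_timeout'];` would persist what is actually used. The block sits after the bind-credential unset and before the radius branch, so it appears to be inside the LDAP-only section, but the surrounding `if ($server['type'] == "ldap")` test, and where $pconfig['ldap_timeout'] is populated from $_POST, are outside the hunk.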
@@ -398,6 +410,7 @@ function radius_srvcschange(){
 function select_clicked() {
 	if (document.getElementById("ldap_port").value == '' ||
+	    document.getElementById("ldap_timeout").value == '' ||
 	    document.getElementById("ldap_host").value == '' ||
 	    document.getElementById("ldap_scope").value == '' ||
 	    document.getElementById("ldap_basedn").value == '' ||
@@ -566,6 +579,13 @@ function select_clicked() {
 						</td>
 					</tr>
 					<tr>
+						<td width="22%" valign="top" class="vncell"><?=gettext("Server Timeout");?></td>
+						<td width="78%" class="vtable">
+							<input name="ldap_timeout" type="text" class="formfld unknown" id="ldap_timeout" size="5" value="<?=htmlspecialchars($pconfig['ldap_timeout']);?>"/>
+							<br /><?= gettext("Timeout for LDAP operations (seconds). Default: 25"); ?>
+						</td>
+					</tr>
+					<tr>
 						<td width="22%" valign="top" class="vncell"><?=gettext("Search scope");?></td>
 						<td width="78%" class="vtable">
 							<table border="0" cellspacing="0" cellpadding="2" summary="search scope">
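Review bot: select_clicked() now refuses to open the container picker when `ldap_timeout` is blank, yet the new form field in the second hunk is rendered straight from `$pconfig['ldap_timeout']` with no fallback, and the save path treats blank as 25; on a fresh add the key is presumably unset, so the input starts empty (and may raise an undefined-index notice) and the user is forced to type a value before browsing for containers. Either drop the added `document.getElementById("ldap_timeout").value == '' ||` line or prefill the field, e.g. `value="<?=htmlspecialchars(isset($pconfig['ldap_timeout']) ? $pconfig['ldap_timeout'] : 25);?>"`. I cannot see whether the request select_clicked() builds passes ldap_timeout to the server side; if not, the container lookup still runs with the old timeout, which is outside these hunks. select_clicked() starts in the first hunk but ends outside it.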