Read timeout parameter for LDAP connections: ldap.readTimeout
By default LDAP connection would wait indefinitely on an LDAP
request to return. In case LDAP server is very slow this may cause
all SSH command creation threads to get blocked.
This change introduces the ldap.readTimeout parameter. The value
is in the usual time-unit format i.e. "1 s", "100 ms", etc...
A timed-out LDAP request seems not to cause failure of the SSH command
for which the LDAP request was fired. Instead, the exception is
handled in the PopulatingCache.get method where it is logged and the
creator.missing(key) is returned. This seems to be expected behaviour.
Change-Id: I278b324018934a77a2886878b89c4f0c0f4ae65e
Signed-off-by: Sasa Zivkov <sasa.zivkov@sap.com>
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index 4b81734..7c0b836 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -1406,6 +1406,16 @@
+
By default, `ignore`.
+[[ldap.readTimeout]]ldap.readTimeout::
++
+_(Optional)_ The read timeout for an LDAP operation. The value is
+in the usual time-unit format like "1 s", "100 ms", etc...
+A timeout can be used to avoid blocking all of the SSH command start
+threads in case when the LDAP server becomes slow.
++
+By default there is no timeout and Gerrit will wait for the LDAP
+server to respond until the TCP connection times out.
+
[[ldap.accountBase]]ldap.accountBase::
+
Root of the tree containing all user accounts. This is typically
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
index e11e9bb..4dd4742 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
@@ -18,6 +18,7 @@
import com.google.gerrit.reviewdb.AccountGroup;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.GroupCache;
+import com.google.gerrit.server.config.ConfigUtil;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.util.ssl.BlindSSLSocketFactory;
import com.google.inject.Inject;
@@ -32,6 +33,7 @@
import java.util.List;
import java.util.Properties;
import java.util.Set;
+import java.util.concurrent.TimeUnit;
import javax.naming.CompositeName;
import javax.naming.Context;
@@ -53,6 +55,7 @@
private final String referral;
private final boolean sslVerify;
private volatile LdapSchema ldapSchema;
+ private final String readTimeOutMillis;
@Inject
Helper(@GerritServerConfig final Config config, final GroupCache groupCache) {
@@ -63,6 +66,14 @@
this.password = LdapRealm.optional(config, "password");
this.referral = LdapRealm.optional(config, "referral");
this.sslVerify = config.getBoolean("ldap", "sslverify", true);
+ String timeout = LdapRealm.optional(config, "readTimeout");
+ if (timeout != null) {
+ readTimeOutMillis =
+ Long.toString(ConfigUtil.getTimeUnit(timeout, 0,
+ TimeUnit.MILLISECONDS));
+ } else {
+ readTimeOutMillis = null;
+ }
}
private Properties createContextProperties() {
@@ -73,6 +84,9 @@
Class<? extends SSLSocketFactory> factory = BlindSSLSocketFactory.class;
env.put("java.naming.ldap.factory.socket", factory.getName());
}
+ if (readTimeOutMillis != null) {
+ env.put("com.sun.jndi.ldap.read.timeout", readTimeOutMillis);
+ }
return env;
}
