s3/ldap: delay the ldap search alarm termination a bit

do the alarm termination of the the ldap search a bit delayed so the LDAP
server has a chance to tell us that the time limit was reached and the
search was abandoned. If the search is terminated this way we also get
the correct LDAP return code in the logs. If alarm() stops the search the ldap
search routine will report that the LDAP server is down which would trigger us
to rebind to the server needlessly which we also want to avoid.

1 files changed, 13 insertions, 2 deletions

diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 5c99e4b6e8..dcb99c9a65 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -1432,6 +1432,7 @@ static int smbldap_search_ext(struct smbldap_state *ldap_state,
 	char           *utf8_filter;
 	time_t		endtime = time_mono(NULL)+lp_ldap_timeout();
 	struct		timeval timeout;
+	int		alarm_timer;
 	size_t		converted_size;
 
 	SMB_ASSERT(ldap_state);
@@ -1477,11 +1478,21 @@ static int smbldap_search_ext(struct smbldap_state *ldap_state,
 	 * covers the case where the server's operation takes too long. It
 	 * does not cover the case where the request hangs on its way to the
 	 * server. The server side timeout is not strictly necessary, it's
-	 * just a bit more kind to the server. VL. */
+	 * just a bit more kind to the server. VL.
+	 * We prefer to get the server termination though because otherwise we
+	 * have to rebind to the LDAP server aѕ we get a LDAP_SERVER_DOWN in the
+	 * alarm termination case. So let's call the alarm 2s later, which
+	 * should be enough for the server to report the timelimit exceeded.
+	 * in case the ldal timeout is 0 (no limit) we set the _no_ alarm
+	 * accordingly. BJ. */
 
 	got_alarm = 0;
 	CatchSignal(SIGALRM, gotalarm_sig);
-	alarm(lp_ldap_timeout());
+	alarm_timer = lp_ldap_timeout();
+	if (alarm_timer > 0) {
+		alarm_timer += 2;
+	}
+	alarm(alarm_timer);
 	/* End setup timeout. */
 
 	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {