LDAP realm client side response timeout setting

[albertzaharovits]

The timeout.ldap_search AD and LDAP realm settings controls the search operation timeout on the server side. The default is 5s.

But, the UnboundID library exposes a client side timeout for the response which also defaults to 5s. There is no setting to adjust this. Hence, if the administrator adjusts timeout.ldap_search and the LDAP server takes more time to process the search request, the request will nevertheless be aborted client side when the time exceeds the response time.

We should expose the response timeout setting for the LDAP connection, the same way we expose connect and read timeouts, and have it default to the timeout.ldap_search, because increasing this setting's value without adjusting the client side response timeout is pointless (hence this is a bug - increasing timeout.ldap_search is ineffectual).

[elasticmachine]

Pinging @elastic/es-security

[albertzaharovits]

This is a sample stack excerpt for v6.8:

[2019-08-27T08:33:02,094][WARN ][o.e.x.s.a.AuthenticationService] [elasticsearch-elasticsearch-3] An error occurred while attempting to authenticate [user] against realm [active_directory]
com.unboundid.ldap.sdk.LDAPException: The asynchronous operation encountered a client-side timeout after waiting 5000 milliseconds for a response to arrive.
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.toException(LdapUtils.java:408) ~[x-pack-security-6.8.0.jar:6.8.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.access$200(LdapUtils.java:54) ~[x-pack-security-6.8.0.jar:6.8.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$LdapSearchResultListener.searchResultReceived(LdapUtils.java:515) [x-pack-security-6.8.0.jar:6.8.0]
at com.unboundid.ldap.sdk.AsyncSearchHelper.responseReceived(AsyncSearchHelper.java:245) [unboundid-ldapsdk-4.0.8.jar:4.0.8]
at com.unboundid.ldap.sdk.AsyncTimeoutTimerTask.run(AsyncTimeoutTimerTask.java:122) [unboundid-ldapsdk-4.0.8.jar:4.0.8] 

While digging further in the UnboundID sources it looks like the response timeout that we set:

options.setResponseTimeoutMillis(config.getSetting(SessionFactorySettings.TIMEOUT_TCP_READ_SETTING).millis());

is used in many more cases than only tcp read timeout (SO_TIMEOUT option in Java) and should avoid the aforementioned timeout case.

So, it seems that we expose the necessary configuration to avoid this timeout condition. I will investigate further how to see if I can make it more prominent in the docs.

[elasticmachine]

Pinging @elastic/es-docs

[jrodewig]

[docs issue triage]