Contributor

@definitelynotagoblin definitelynotagoblin commented Oct 6, 2025

Description

LDAP queries are too volatile I suspect in runtime for adaptive timeouts. By the time backoff logic triggers, retries are already exhausted.
These queries should already be gated by connection checks, so we should be pretty confident that they respond successfully, and so we'll disable adaptive timeouts on them.

Motivation and Context

SpecterOps/SharpHound#177
Closes BED-6603

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

Summary by CodeRabbit

  • Bug Fixes

    • Disabled adaptive timeout adjustments in LDAP connection handling to reduce sporadic delays and premature timeouts.
  • Performance

    • Made timeout behavior more predictable and stable for directory lookups; reduced variance in query timing.
  • Chores

    • Tuned adaptive-timeout parameters to be more conservative in spike detection and history retention.

@definitelynotagoblin definitelynotagoblin self-assigned this Oct 6, 2025
@definitelynotagoblin definitelynotagoblin added the bug Something isn't working label Oct 6, 2025

coderabbitai bot commented Oct 6, 2025

Walkthrough

Constructor in src/CommonLib/LdapConnectionPool.cs now initializes three AdaptiveTimeout instances with useAdaptiveTimeout: false, disabling adaptive behavior for LDAP timeouts. src/CommonLib/AdaptiveTimeout.cs tuning constants were changed (TimeSpikeThreshold, StdDevMultiplier, CountOfLatestSuccessToKeep). No public API changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| LDAP timeout initialization (src/CommonLib/LdapConnectionPool.cs) | Replaced three implicit AdaptiveTimeout initializations with explicit AdaptiveTimeout(..., useAdaptiveTimeout: false), disabling adaptive timeout adjustments while preserving max timeout values and other constructor logic. |
| Adaptive timeout tuning (src/CommonLib/AdaptiveTimeout.cs) | Adjusted internal constants: TimeSpikeThreshold 5→3, StdDevMultiplier 5→7 (more conservative bound), CountOfLatestSuccessToKeep 4→3. No API/signature changes—behavioral tuning only. |

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor App as Application
    participant Pool as LdapConnectionPool
    participant AT as AdaptiveTimeout
    participant LDAP as LDAP Server

    App->>Pool: new LdapConnectionPool(...)
    note right of Pool: Constructor initializes 3 AdaptiveTimeout instances
    rect rgba(200,230,255,0.25)
      Pool->>AT: Initialize(useAdaptiveTimeout: false)
      note right of AT: Adaptive logic disabled → fixed timeout semantics
    end

    App->>Pool: Execute LDAP query
    Pool->>AT: Request current timeout (fixed)
    Pool->>LDAP: Send request with timeout
    LDAP-->>Pool: Response or timeout
    Pool-->>App: Return result or error

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • MikeX777

Poem

I nibble at clocks beneath the moon,
Three timeouts hushed, the ticks in tune.
Spikes now tamed, the averages lean,
A rabbit’s hop — precise, serene. 🐇

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description Check | ⚠️ Warning | The pull request description includes the required Description and Motivation and Context sections with relevant detail and issue references, but the How Has This Been Tested section remains empty, leaving out critical information about testing steps, environments, and results. This omission prevents reviewers from understanding how the changes were validated. | Please fill in the How Has This Been Tested section with detailed information on test environments, specific tests run, and results to demonstrate how the change was verified. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title succinctly and accurately describes the primary change in this pull request by stating that adaptive timeouts will no longer be applied to LDAP queries, directly reflecting the modifications in LdapConnectionPool and aligning with the author’s intent. It is specific, clear, and concise without extraneous information. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
src/CommonLib/LdapConnectionPool.cs (1)

61-63: LGTM with optional documentation suggestion.

The explicit disabling of adaptive timeouts for LDAP query operations aligns with the PR objective. The code correctly passes useAdaptiveTimeout: false to ensure queries always use the 2-minute max timeout instead of adjusting based on execution time statistics.

Consider adding inline comments to explain the rationale for disabling adaptive timeouts on these specific operations but not on _testConnectionAdaptiveTimeout (line 64). This would help future maintainers understand the intentional distinction:

+// Adaptive timeouts disabled for LDAP queries due to runtime volatility.
+// Connection tests (line 64) retain adaptive behavior since they gate query success.
 _queryAdaptiveTimeout = new AdaptiveTimeout(maxTimeout: TimeSpan.FromMinutes(2), Logging.LogProvider.CreateLogger("LdapQuery"), useAdaptiveTimeout: false);
 _pagedQueryAdaptiveTimeout = new AdaptiveTimeout(maxTimeout: TimeSpan.FromMinutes(2), Logging.LogProvider.CreateLogger("LdapPagedQuery"), useAdaptiveTimeout: false);
 _rangedRetrievalAdaptiveTimeout = new AdaptiveTimeout(maxTimeout: TimeSpan.FromMinutes(2), Logging.LogProvider.CreateLogger("LdapRangedRetrieval"), useAdaptiveTimeout: false);
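Review bot: The second added comment line points at "line 64", which goes stale as soon as anything above it in the constructor is edited; name the field instead, for example "Connection tests (_testConnectionAdaptiveTimeout) retain adaptive behavior since they gate query success." The three assignments also repeat maxTimeout: TimeSpan.FromMinutes(2) and useAdaptiveTimeout: false verbatim, so a single shared constant for the two-minute value would keep the query, paged-query and ranged-retrieval timeouts from drifting apart in a later edit.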
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1ec7cba and f67773c.

📒 Files selected for processing (1)
  • src/CommonLib/LdapConnectionPool.cs (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: definitelynotagoblin
PR: SpecterOps/SharpHoundCommon#217
File: src/CommonLib/LdapConnectionPool.cs:677-677
Timestamp: 2025-06-26T16:59:06.972Z
Learning: In SharpHoundCommonLib's LdapConnectionPool.cs, the team acknowledges that method `GetConnectionForSpecificServerAsync` has misleading naming - it contains "Async" in the name but is actually synchronous and blocks on async code, which they recognize as confusing but may need to live with due to backwards compatibility constraints.

Applied to files:

  • src/CommonLib/LdapConnectionPool.cs
🧬 Code graph analysis (1)
src/CommonLib/LdapConnectionPool.cs (2)
src/CommonLib/AdaptiveTimeout.cs (3)
  • AdaptiveTimeout (12-347)
  • AdaptiveTimeout (28-47)
  • TimeSpan (226-240)
src/CommonLib/Logging/Logging.cs (2)
  • Logging (7-20)
  • LogProvider (22-35)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (1)
src/CommonLib/LdapConnectionPool.cs (1)

64-64: Verify the intentional distinction for test connection timeouts.

The _testConnectionAdaptiveTimeout still uses adaptive timeouts (default useAdaptiveTimeout: true) while the query timeouts on lines 61-63 explicitly disable it. Based on the PR rationale that connection checks already gate query success, this distinction appears intentional—test connections can benefit from adaptive behavior to efficiently validate connections, while queries should use fixed timeouts.

Please confirm this intentional design: connection tests retain adaptive timeout behavior because they're more stable/predictable than queries and benefit from the adaptive mechanism, while queries themselves are too volatile to benefit from adaptation. If this is correct, consider documenting this distinction (see comment on lines 61-63).


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
src/CommonLib/AdaptiveTimeout.cs (1)

217-225: Align the Chebyshev comment with the new 7σ bound

The explanatory comment still cites 5σ coverage even though we now use a 7σ multiplier. Please update the math so future readers aren’t misled.

-    // Within 5 standard deviations will have a conservative lower bound of catching 96% of executions (1 - 1/5^2),
+    // Within 7 standard deviations will have a conservative lower bound of catching ~98% of executions (1 - 1/7^2),
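Review bot: The replacement line hard-codes "7" and "~98%" in the comment, which is the same pattern that left the 5σ wording stale when the multiplier changed; state the bound in terms of StdDevMultiplier (1 - 1/k^2 with k = StdDevMultiplier) so the comment survives the next tuning. The line ends in a comma, so the rest of the comment on the following lines, not shown here, should be checked for leftover 5σ or 96% wording. It is also worth saying in the comment that the Chebyshev bound holds for the true standard deviation, which a history of only a few samples estimates poorly.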
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f67773c and a6366b5.

📒 Files selected for processing (2)
  • src/CommonLib/AdaptiveTimeout.cs (1 hunks)
  • src/CommonLib/LdapConnectionPool.cs (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
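
Added example, not part of the PR or of SharpHoundCommon: a small C# replay of why a short success history lets an adaptive timeout cut off volatile LDAP queries that would have completed within the two-minute cap. It assumes the timeout is computed as mean + k·σ over the last N successful durations, with k and N standing in for StdDevMultiplier and CountOfLatestSuccessToKeep; that formula, the class and method names, and the sample durations are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Illustration only. Assumed model: timeout = mean + k * stddev over the last N
// successful durations, capped at a maximum. Not the project's AdaptiveTimeout.
static class AdaptiveTimeoutSketch
{
    // Hypothetical helper: timeout (seconds) the assumed model allows for the next call.
    static double NextTimeout(IReadOnlyCollection<double> window, int windowSize, double k, double maxSeconds)
    {
        if (window.Count < windowSize) return maxSeconds; // not enough history: use the cap
        double mean = window.Average();
        double std = Math.Sqrt(window.Sum(d => (d - mean) * (d - mean)) / window.Count);
        return Math.Min(maxSeconds, mean + k * std);
    }

    // Replays durations and counts calls cut off although they finish within the cap.
    static int CountPrematureTimeouts(double[] durations, int windowSize, double k, double maxSeconds)
    {
        var window = new Queue<double>();
        int premature = 0;
        foreach (double d in durations)
        {
            double timeout = NextTimeout(window, windowSize, k, maxSeconds);
            if (d > timeout && d <= maxSeconds) { premature++; continue; } // failed call: no history update
            window.Enqueue(d);
            if (window.Count > windowSize) window.Dequeue();
        }
        return premature;
    }

    static void Main()
    {
        // Constructed sample (seconds): fast lookups with occasional large result sets.
        double[] durations = { 0.20, 0.21, 0.19, 0.20, 45.0, 0.22, 0.20, 0.21, 60.0, 0.19, 0.20, 0.21, 30.0 };
        const double maxSeconds = 120; // two-minute cap, as in the PR
        Console.WriteLine($"k=5, N=4: {CountPrematureTimeouts(durations, 4, 5, maxSeconds)} premature");
        Console.WriteLine($"k=7, N=3: {CountPrematureTimeouts(durations, 3, 7, maxSeconds)} premature");
        // windowSize never reached, so every call gets the fixed cap (adaptive logic off).
        Console.WriteLine($"fixed:    {CountPrematureTimeouts(durations, int.MaxValue, 7, maxSeconds)} premature");
        // Chebyshev: at least 1 - 1/k^2 of any distribution lies within k TRUE standard
        // deviations of its mean; a stddev estimated from 3-4 samples carries no such guarantee.
        foreach (int k in new[] { 5, 7 })
            Console.WriteLine($"k={k}: coverage >= {1 - 1.0 / (k * k):P1}");
    }
}
```

Because the window only ever holds fast calls, its standard deviation stays tiny and raising k does not help the slow queries; only the fixed cap lets them finish.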
