From b6f039a4ccad4709ba361a511db6577cde95a9a8 Mon Sep 17 00:00:00 2001
From: Steven Hawkins
Date: Tue, 19 Aug 2025 12:43:42 -0400
Subject: [PATCH] fix: adding a default for ldap connection timeout (#41726)

closes: #39299

Signed-off-by: Steve Hawkins
Signed-off-by: Steven Hawkins
---
 .../server_admin/topics/user-federation/ldap.adoc | 3 ++-
 .../upgrading/topics/changes/changes-26_4_0.adoc | 5 +++++
 .../src/main/java/org/keycloak/storage/ldap/LDAPConfig.java | 5 ++++-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/docs/documentation/server_admin/topics/user-federation/ldap.adoc b/docs/documentation/server_admin/topics/user-federation/ldap.adoc
index 965bc0ba54b..9c6162cac32 100644
--- a/docs/documentation/server_admin/topics/user-federation/ldap.adoc
+++ b/docs/documentation/server_admin/topics/user-federation/ldap.adoc
@@ -179,11 +179,12 @@ The LDAP connection pool configuration is configured using the following system
 |Description
 | `com.sun.jndi.ldap.connect.pool.authentication` | A list of space-separated authentication types of connections that may be pooled. Valid types are "none", "simple", and "DIGEST-MD5"
 | `com.sun.jndi.ldap.connect.pool.initsize` | The string representation of an integer that represents the number of connections per connection identity to create when initially creating a connection for the identity
-| `com.sun.jndi.ldap.connect.pool.maxsize` | The string representation of an integer that represents the maximum number of connections per connection identity that can be maintained concurrently
+| `com.sun.jndi.ldap.connect.pool.maxsize` | The string representation of an integer that represents the maximum number of connections per connection identity that can be maintained concurrently. Note setting this value too low may cause contention in obtaining LDAP connections. See also `com.sun.jndi.ldap.connect.timeout`.
 | `com.sun.jndi.ldap.connect.pool.prefsize` | The string representation of an integer that represents the preferred number of connections per connection identity that should be maintained concurrently
 | `com.sun.jndi.ldap.connect.pool.timeout` | The string representation of an integer that represents the number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool
 | `com.sun.jndi.ldap.connect.pool.protocol` | A list of space-separated protocol types of connections that may be pooled. Valid types are "plain" and "ssl"
 | `com.sun.jndi.ldap.connect.pool.debug` | A string that indicates the level of debug output to produce. Valid values are "fine" (trace connection creation and removal) and "all" (all debugging information)
+| `com.sun.jndi.ldap.connect.timeout` | The string representation of an integer that represents how long in milliseconds obtaining a connection should take. 
This is also applicable to wait times due to connection pool contention. Effectively defaults to 5000.
 |===
 By default, connection pooling is enabled for both `plain` and `ssl` protocols.
diff --git a/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc b/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
index 8b8940ba67c..184cce1e8a7 100644
--- a/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
+++ b/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
@@ -122,6 +122,11 @@ When tracing is enabled, now also calls to other nodes of a {project_name} clust
 To disable this kind of tracing, set the option `tracing-infinispan-enabled` to `false`.
+=== LDAP Connection Timeout Default
+
+If no value is specified either on the LDAP configuration as the connectionTimeout or via the `com.sun.jndi.ldap.connect.timeout` system property, the default timeout
+will be 5 seconds. This will ensure that requests will see errors rather than indefinite waits in obtaining an LDAP connection from the pool or when making a connection to the LDAP server.
+
 === Login theme optimized for OTP and recovery code entry
 The input fields in the login theme for OTP and recovery codes and have been optimized:
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java
index 91d5a9a0ca1..949d17fbd3a 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java
@@ -34,6 +34,8 @@ import java.util.Set;
  */
 public class LDAPConfig {
+    public static final String DEFAULT_CONNECTION_TIMEOUT = "5000";
+
     private final MultivaluedHashMap config;
     private final Set binaryAttributeNames = new HashSet<>();
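Review bot: `DEFAULT_CONNECTION_TIMEOUT` is a new public constant with no Javadoc, so its unit and precedence are only discoverable from the call site in the next hunk. A one-line Javadoc would spare readers the lookup: `/** Fallback LDAP connect timeout in milliseconds, used only when neither the provider config nor the com.sun.jndi.ldap.connect.timeout system property sets one. */`. It is declared as a String, presumably because the value is passed straight through as a JNDI environment property; if a numeric form is ever needed elsewhere it should be derived from this constant rather than by repeating the literal. The class body continues outside the hunk.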
@@ -142,7 +144,8 @@ public class LDAPConfig {
     }
     public String getConnectionTimeout() {
-        return config.getFirst(LDAPConstants.CONNECTION_TIMEOUT);
+        return config.getFirstOrDefault(LDAPConstants.CONNECTION_TIMEOUT,
+                System.getProperty("com.sun.jndi.ldap.connect.timeout", DEFAULT_CONNECTION_TIMEOUT));
     }
     public String getReadTimeout() {
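Review bot: The new fallback in `getConnectionTimeout()` bounds only connection establishment and pool wait, while `getReadTimeout()` directly below (its body is outside this hunk) does not appear to receive the same treatment, so an LDAP server that accepts the TCP connection and then never answers the bind or search can still block a request indefinitely — the upgrade note's "errors rather than indefinite waits" holds only for the connect phase. Consider mirroring this pattern there with the JNDI read-timeout property (`com.sun.jndi.ldap.read.timeout`), or state the remaining gap in the upgrade note. The resolved string is also returned unvalidated, so a non-numeric `com.sun.jndi.ldap.connect.timeout` system property is only discovered when the context is created; an `Integer.parseInt` check here would fail fast with a clearer message. A Javadoc would help too, e.g. `/** Connect timeout in ms: explicit provider config, else the com.sun.jndi.ldap.connect.timeout system property, else DEFAULT_CONNECTION_TIMEOUT. */`.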