From fbf9b5b473ef11e9059d97f5ada134e8c87056d2 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 17 Apr 2023 20:34:10 +0000
Subject: [PATCH] backport of commit d5584b614aa9825b309a3e2e271faf6c6144c880

---
 sdk/helper/ldaputil/client.go | 25 ++++++++++++++++++-------
 sdk/helper/ldaputil/ldap.go   | 13 +++----------
 2 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index 4a7622d01ee3..220a84c0a671 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
@@ -29,11 +29,6 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 	var conn Connection
 	urls := strings.Split(cfg.Url, ",")
 
-	// Default timeout in the pacakge is 60 seconds, which we default to on our
-	// end. This is useful if you want to take advantage of the URL list to increase
-	// availability of LDAP.
-	ldap.DefaultTimeout = time.Duration(cfg.ConnectionTimeout) * time.Second
-
 	for _, uut := range urls {
 		u, err := url.Parse(uut)
 		if err != nil {
@@ -46,12 +41,20 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 		}
 
 		var tlsConfig *tls.Config
+		dialer := net.Dialer{
+			Timeout: time.Duration(cfg.ConnectionTimeout) * time.Second,
+		}
+
 		switch u.Scheme {
 		case "ldap":
 			if port == "" {
 				port = "389"
 			}
-			conn, err = c.LDAP.Dial("tcp", net.JoinHostPort(host, port))
+
+			fullAddr := fmt.Sprintf("%s://%s", u.Scheme, net.JoinHostPort(host, port))
+			opt := ldap.DialWithDialer(&dialer)
+
+			conn, err = c.LDAP.DialURL(fullAddr, opt)
 			if err != nil {
 				break
 			}
@@ -74,7 +77,15 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 			if err != nil {
 				break
 			}
-			conn, err = c.LDAP.DialTLS("tcp", net.JoinHostPort(host, port), tlsConfig)
+
+			fullAddr := fmt.Sprintf("%s://%s", u.Scheme, net.JoinHostPort(host, port))
+			opt := ldap.DialWithDialer(&dialer)
+			tls := ldap.DialWithTLSConfig(tlsConfig)
+
+			conn, err = c.LDAP.DialURL(fullAddr, opt, tls)
+			if err != nil {
+				break
+			}
 		default:
 			retErr = multierror.Append(retErr, fmt.Errorf("invalid LDAP scheme in url %q", net.JoinHostPort(host, port)))
 			continue
diff --git a/sdk/helper/ldaputil/ldap.go b/sdk/helper/ldaputil/ldap.go
index 82ace01773cc..73e36b230dc0 100644
--- a/sdk/helper/ldaputil/ldap.go
+++ b/sdk/helper/ldaputil/ldap.go
@@ -1,8 +1,6 @@
 package ldaputil
 
 import (
-	"crypto/tls"
-
 	"github.com/go-ldap/ldap/v3"
 )
 
@@ -13,16 +11,11 @@ func NewLDAP() LDAP {
 // LDAP provides ldap functionality, but through an interface
 // rather than statically. This allows faking it for tests.
 type LDAP interface {
-	Dial(network, addr string) (Connection, error)
-	DialTLS(network, addr string, config *tls.Config) (Connection, error)
+	DialURL(addr string, opts ...ldap.DialOpt) (Connection, error)
 }
 
 type ldapIfc struct{}
 
-func (l *ldapIfc) Dial(network, addr string) (Connection, error) {
-	return ldap.Dial(network, addr)
-}
-
-func (l *ldapIfc) DialTLS(network, addr string, config *tls.Config) (Connection, error) {
-	return ldap.DialTLS(network, addr, config)
+func (l *ldapIfc) DialURL(addr string, opts ...ldap.DialOpt) (Connection, error) {
+	return ldap.DialURL(addr, opts...)
 }