The thought behind leaving the option of using -1 was that some companies may have a deeply nested structure and do not mind the cost of the lookups.
I do see the use case, but I am more worried that someone will have a slow LDAP/AD server and will cause a general slowdown of Namenode.
Another issue that I see is that with infinite recursion we really have no control over the timeout; based on this patch, the timeout is per query. So in the infinite recursion scheme the time is the number of times you recur multiplied by the timeout. At that point timeOut really has no meaning. As you pointed out, in the current scheme it is 2 * timeOut. In your new scheme it will be max(Recur Depth, Configured Value) * timeOut. But in the infinite scheme, it is N * timeout, where N is dependent on some values in AD.
I am worried that the support cost for such a feature would be too high. Also, if we really need it, we know that with your patch it is an easy change to make.
The DIRECTORY_SEARCH_TIMEOUT is a timeout set for each LDAP query.
That works very well since we know the MAX_UPPER bound for the query. So max time is maxDepth * time out. Would you care to document that with your settings?
I do not think you can make fewer LDAP queries.
Thank you, good to know.
I am looking forward to your next patch.
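
The timeout arithmetic discussed in this comment, as an added example that is not code from the patch or from Hadoop: a level-by-level walk of nested groups where each level costs one directory query, so the worst-case wait is the number of queries times the per-query timeout. The class and method names, the in-memory directory, the 10-second timeout and the one-query-per-level model are assumptions made for the illustration.

```java
import java.util.*;
import java.util.function.Function;

public class BoundedGroupWalk {
    /** Groups found and the number of directory queries issued. */
    record Result(Set<String> groups, int queries) {}

    // parentsOf stands in for ONE LDAP query (subject to the per-query timeout)
    // that returns the parent groups of every group in the given set.
    static Result resolve(Set<String> direct, int maxDepth,
                          Function<Set<String>, Set<String>> parentsOf) {
        Set<String> seen = new LinkedHashSet<>(direct);
        Set<String> frontier = new LinkedHashSet<>(direct);
        int queries = 0;
        // maxDepth < 0 models the "-1 = unlimited" option from the discussion.
        for (int level = 0;
             (maxDepth < 0 || level < maxDepth) && !frontier.isEmpty();
             level++) {
            Set<String> parents = parentsOf.apply(frontier);
            queries++;
            Set<String> next = new LinkedHashSet<>();
            for (String g : parents) {
                if (seen.add(g)) next.add(g); // skip groups already visited (cycles)
            }
            frontier = next;
        }
        return new Result(seen, queries);
    }

    public static void main(String[] args) {
        // Constructed directory: a chain g0 -> g1 -> ... -> g9 of nested groups.
        Map<String, Set<String>> memberOf = new HashMap<>();
        for (int i = 0; i < 9; i++) memberOf.put("g" + i, Set.of("g" + (i + 1)));
        Function<Set<String>, Set<String>> query = groups -> {
            Set<String> out = new LinkedHashSet<>();
            for (String g : groups) out.addAll(memberOf.getOrDefault(g, Set.of()));
            return out;
        };
        long timeoutMs = 10_000; // constructed per-query timeout
        for (int depth : new int[] {2, 5, -1}) {
            Result r = resolve(Set.of("g0"), depth, query);
            System.out.printf("maxDepth=%d queries=%d worst-case wait=%d ms%n",
                    depth, r.queries(), r.queries() * timeoutMs);
        }
    }
}
```

With a configured depth the query count is capped by the setting; with -1 it is set by how deep the directory data happens to nest.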