diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2012-07-31 17:25:35 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-08-07 11:39:16 +0200 |
commit | 10a67601de071a664df84dd98255b629d739710f (patch) | |
tree | cc1f79a14c6e6886b40498b4c497f9716c97a8fe /src/providers/ipa/ipa_hbac_rules.h | |
parent | 33dd2356d5b2cadf14e912a0e9f7a8a56f6bc5f1 (diff) | |
download | sssd-10a67601de071a664df84dd98255b629d739710f.tar.gz sssd-10a67601de071a664df84dd98255b629d739710f.tar.bz2 sssd-10a67601de071a664df84dd98255b629d739710f.zip |
Failover: Return last tried server if it's still being tried
In the failover, we treat both KDC and LDAP on the IPA server as a single
"port", numbered 0. This was done in order to make sure that the SSSD
always talks to the same server for both LDAP and Kerberos.
However, this clever hack breaks when the IPA provider needs to establish an
GSSAPI encrypted LDAP connection because we're asking the fail over code to
yield a server while no server has yet been marked as tried. This triggers a
fail over for the KDC, so in effect, the TGT is received from second server.
If the second server is not available for some reason, the whole provider
goes offline.
The fail over needs to detect that the server asked for is still being
resolved and return the same pointer.
Diffstat (limited to 'src/providers/ipa/ipa_hbac_rules.h')
0 files changed, 0 insertions, 0 deletions