authorJakub Hrozek <jhrozek@redhat.com>2012-05-09 18:31:21 +0200
committerStephen Gallagher <sgallagh@redhat.com>2012-05-09 19:23:09 -0400
commit163a17f00c42f2405d8fb0a2af3bc9d8b7309260 (patch)
tree5c341ddffbb109f743022c63a13a5b5594888712 /src
parent0327d4d33a0fba0590d9066ace18f7128b2de2c5 (diff)
Try all KDCs when getting TGT for LDAP
When the LDAP child process is killed after a timeout, try the next KDC. When none of the LDAP child processes succeed, abort the connection, because we would not be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
Diffstat (limited to 'src')
-rw-r--r--src/providers/ldap/sdap_async_connection.c33
1 files changed, 18 insertions, 15 deletions
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 9e4d86aa..e933e296 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -942,7 +942,19 @@ static void sdap_kinit_done(struct tevent_req *subreq)
ret = sdap_get_tgt_recv(subreq, state, &result,
&kerr, &ccname, &expire_time);
talloc_zfree(subreq);
- if (ret != EOK) {
+ if (ret == ETIMEDOUT) {
+ /* The child didn't even respond. Perhaps the KDC is too busy,
+ * retry with another KDC */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Communication with KDC timed out, trying the next one\n"));
+ be_fo_set_port_status(state->be, state->kdc_srv, PORT_NOT_WORKING);
+ nextreq = sdap_kinit_next_kdc(req);
+ if (!nextreq) {
+ tevent_req_error(req, ENOMEM);
+ }
+ return;
+ } else if (ret != EOK) {
+ /* A severe error while executing the child. Abort the operation. */
state->result = SDAP_AUTH_FAILED;
DEBUG(1, ("child failed (%d [%s])\n", ret, strerror(ret)));
tevent_req_error(req, ret);
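Review bot: In the new ETIMEDOUT branch a NULL return from sdap_kinit_next_kdc() is reported to the caller as ENOMEM, but the helper is outside the hunk, so if it can also return NULL once the fail-over list is exhausted, or after it has already called tevent_req_error() on `req` itself, this mapping misreports the cause and in the latter case would complete the request twice; confirm the helper's contract and map its failure modes explicitly rather than assuming allocation failure. The surviving `DEBUG(1, ...)` in the `else if` arm still uses a numeric level where the added code uses SSSDBG_MINOR_FAILURE; `DEBUG(SSSDBG_CRIT_FAILURE, ("child failed (%d [%s])\n", ret, strerror(ret)));` would keep the function consistent. A short comment on the retry arm stating that marking `state->kdc_srv` PORT_NOT_WORKING is what eventually bounds the retries would help the next reader, e.g. `/* Marking the port failed is what makes the fail-over list shrink; the loop ends when no KDC is left */`. sdap_kinit_done() begins and ends outside the hunk.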
@@ -1493,20 +1505,11 @@ static void sdap_cli_kinit_done(struct tevent_req *subreq)
ret = sdap_kinit_recv(subreq, &result, &expire_time);
talloc_zfree(subreq);
- if (ret) {
- if (ret == ETIMEDOUT) { /* child timed out, retry another server */
- be_fo_set_port_status(state->be, state->srv, PORT_NOT_WORKING);
- ret = sdap_cli_resolve_next(req);
- if (ret != EOK) {
- tevent_req_error(req, ret);
- }
- return;
- }
-
- tevent_req_error(req, ret);
- return;
- }
- if (result != SDAP_AUTH_SUCCESS) {
+ if (ret != EOK || result != SDAP_AUTH_SUCCESS) {
+ /* We're not able to authenticate to the LDAP server.
+ * There's not much we can do except for going offline */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ ("Cannot get a TGT: ret [%d] result [%d]\n", ret, result));
tevent_req_error(req, EACCES);
return;
}