diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2012-05-09 18:31:21 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-05-09 19:23:09 -0400 |
commit | 163a17f00c42f2405d8fb0a2af3bc9d8b7309260 (patch) | |
tree | 5c341ddffbb109f743022c63a13a5b5594888712 /src | |
parent | 0327d4d33a0fba0590d9066ace18f7128b2de2c5 (diff) | |
download | sssd-163a17f00c42f2405d8fb0a2af3bc9d8b7309260.tar.gz sssd-163a17f00c42f2405d8fb0a2af3bc9d8b7309260.tar.bz2 sssd-163a17f00c42f2405d8fb0a2af3bc9d8b7309260.zip |
Try all KDCs when getting TGT for LDAP
When the ldap child process is killed after a timeout, try the next KDC.
When none of the ldap child processes succeed, just abort the connection
because we wouldn't be able to authenticate to the LDAP server anyway.
https://fedorahosted.org/sssd/ticket/1324
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 9e4d86aa..e933e296 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -942,7 +942,19 @@ static void sdap_kinit_done(struct tevent_req *subreq) ret = sdap_get_tgt_recv(subreq, state, &result, &kerr, &ccname, &expire_time); talloc_zfree(subreq); - if (ret != EOK) { + if (ret == ETIMEDOUT) { + /* The child didn't even respond. Perhaps the KDC is too busy, + * retry with another KDC */ + DEBUG(SSSDBG_MINOR_FAILURE, + ("Communication with KDC timed out, trying the next one\n")); + be_fo_set_port_status(state->be, state->kdc_srv, PORT_NOT_WORKING); + nextreq = sdap_kinit_next_kdc(req); + if (!nextreq) { + tevent_req_error(req, ENOMEM); + } + return; + } else if (ret != EOK) { + /* A severe error while executing the child. Abort the operation. */ state->result = SDAP_AUTH_FAILED; DEBUG(1, ("child failed (%d [%s])\n", ret, strerror(ret))); tevent_req_error(req, ret); @@ -1493,20 +1505,11 @@ static void sdap_cli_kinit_done(struct tevent_req *subreq) ret = sdap_kinit_recv(subreq, &result, &expire_time); talloc_zfree(subreq); - if (ret) { - if (ret == ETIMEDOUT) { /* child timed out, retry another server */ - be_fo_set_port_status(state->be, state->srv, PORT_NOT_WORKING); - ret = sdap_cli_resolve_next(req); - if (ret != EOK) { - tevent_req_error(req, ret); - } - return; - } - - tevent_req_error(req, ret); - return; - } - if (result != SDAP_AUTH_SUCCESS) { + if (ret != EOK || result != SDAP_AUTH_SUCCESS) { + /* We're not able to authenticate to the LDAP server. + * There's not much we can do except for going offline */ + DEBUG(SSSDBG_TRACE_FUNC, + ("Cannot get a TGT: ret [%d] result [%d]\n", ret, result)); tevent_req_error(req, EACCES); return; } |