From d239b492ad0382d7061690219275f175c05e1830 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 4 Dec 2009 11:04:34 +0100
Subject: Try to renew Kerberos credentials
When using GSSAPI we need a valid service ticket to talk to the LDAP server. If the ticket is expired the LDAP client returns with 'Can't contact LDAP server'. Currently we set the backend offline if this error occurs although the server is still available. This patch checks if the TGT is expired and tries to renew the credentials before going offline.
---
server/providers/ldap/ldap_id_enum.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
(limited to 'server/providers/ldap/ldap_id_enum.c')
diff --git a/server/providers/ldap/ldap_id_enum.c b/server/providers/ldap/ldap_id_enum.c
index 1ddcbf8f..bc06e8bd 100644
--- a/server/providers/ldap/ldap_id_enum.c
+++ b/server/providers/ldap/ldap_id_enum.c
@@ -227,6 +227,14 @@ fail:
DEBUG(9, ("User enumeration failed with: (%d)[%s]\n", (int)err, strerror(err)));
+ if (sdap_check_gssapi_reconnect(state->ctx)) {
+ talloc_zfree(state->ctx->gsh);
+ subreq = enum_users_send(state, state->ev, state->ctx, state->purge);
+ if (subreq != NULL) {
+ tevent_req_set_callback(subreq, ldap_id_enum_users_done, req);
+ return;
+ }
+ }
sdap_mark_offline(state->ctx);
}
@@ -268,7 +276,15 @@ static void ldap_id_enum_groups_done(struct tevent_req *subreq)
return;
fail:
- /* always go offline on failures */
+ /* check if credentials are expired otherwise go offline on failures */
+ if (sdap_check_gssapi_reconnect(state->ctx)) {
+ talloc_zfree(state->ctx->gsh);
+ subreq = enum_groups_send(state, state->ev, state->ctx, state->purge);
+ if (subreq != NULL) {
+ tevent_req_set_callback(subreq, ldap_id_enum_groups_done, req);
+ return;
+ }
+ }
sdap_mark_offline(state->ctx);
DEBUG(1, ("Failed to enumerate groups (%d [%s]), retrying later!\n", (int)err, strerror(err)));
-- cgit
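Review bot: The retry added under `fail:` in ldap_id_enum_users_done has no bound: the callback re-issues `enum_users_send` with itself as the callback, so if `sdap_check_gssapi_reconnect` keeps returning true while the request keeps failing, the provider loops against the LDAP server (and presumably the KDC) instead of going offline. Whether the helper can behave that way is not visible here, so a one-shot guard is the safer form, e.g. a new `bool gssapi_retried` field in the state, checked as `if (!state->gssapi_retried && sdap_check_gssapi_reconnect(state->ctx)) {` and set with `state->gssapi_retried = true;` before the resend. The identical block in ldap_id_enum_groups_done needs the same guard. `talloc_zfree(state->ctx->gsh)` also releases a handle that hangs off the shared context; if other requests can still hold it while enumeration runs, that would need checking as well. The function body starts outside the hunk.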
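Review bot: In ldap_id_enum_groups_done the `DEBUG(1, ...)` line stays below the new block, so when the resend is scheduled the function returns without logging either the failure or the credential renewal, unlike the users path where the DEBUG call precedes the retry. A line such as `DEBUG(4, ("GSSAPI credentials expired, retrying group enumeration\n"));` placed before `talloc_zfree(state->ctx->gsh);` would leave a trace for anyone correlating ticket expiry with enumeration gaps. The function body starts outside the hunk.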