|
 |
ced1f5 |
From 1f46fa6760913de0f757e39106936d24e5736912 Mon Sep 17 00:00:00 2001
|
|
|
ced1f5 |
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
|
ced1f5 |
Date: Tue, 7 Nov 2017 23:34:42 +0100
|
|
|
ced1f5 |
Subject: [PATCH 35/35] LDAP: Improve error treatment from sdap_cli_connect()
|
|
|
ced1f5 |
in ldap_auth
|
|
|
ced1f5 |
MIME-Version: 1.0
|
|
|
ced1f5 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ced1f5 |
Content-Transfer-Encoding: 8bit
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Because we weren't treating the errors coming from
|
|
|
ced1f5 |
sdap_cli_connect_recv() properly we ended up introducing a regression in
|
|
|
ced1f5 |
the commit add72860c7, related to offline authentication.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
From now on, let's properly treat errors coming from auth_connect_send(),
|
|
|
ced1f5 |
which were treated before by going offline when be_resolve_server_recv()
|
|
|
ced1f5 |
failed, and propagate ETIMEDOUT to the request, thus going offline and
|
|
|
ced1f5 |
allowing offline authentication on those cases.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Related:
|
|
|
ced1f5 |
https://pagure.io/SSSD/sssd/issue/3451
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
ced1f5 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
ced1f5 |
(cherry picked from commit 20d18db36096e3fa2636143a83a12a2e3a7f26d6)
|
|
|
ced1f5 |
---
|
|
|
ced1f5 |
src/providers/ldap/ldap_auth.c | 16 ++++++++++++++--
|
|
|
ced1f5 |
1 file changed, 14 insertions(+), 2 deletions(-)
|
|
|
ced1f5 |
|
|
|
ced1f5 |
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
|
|
ced1f5 |
index a3b1480aae4272d2e10f105a1eaf3a5816c3487c..2e0e2cfd6f8af2bf0c9ad15bd956a55a34777a3c 100644
|
|
|
ced1f5 |
--- a/src/providers/ldap/ldap_auth.c
|
|
|
ced1f5 |
+++ b/src/providers/ldap/ldap_auth.c
|
|
|
ced1f5 |
@@ -716,8 +716,20 @@ static void auth_connect_done(struct tevent_req *subreq)
|
|
|
ced1f5 |
ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
|
|
|
ced1f5 |
talloc_zfree(subreq);
|
|
|
ced1f5 |
if (ret != EOK) {
|
|
|
ced1f5 |
- if (auth_connect_send(req) == NULL) {
|
|
|
ced1f5 |
- tevent_req_error(req, ENOMEM);
|
|
|
ced1f5 |
+ /* As sdap_cli_connect_recv() returns EIO in case all the servers are
|
|
|
ced1f5 |
+ * down and we have to go offline, let's treat it accordingly here and
|
|
|
ced1f5 |
+ * allow the PAM responder to with to offline authentication.
|
|
|
ced1f5 |
+ *
|
|
|
ced1f5 |
+ * Unfortunately, there's not much pattern within our code and the way
|
|
|
ced1f5 |
+ * to indicate we're going down in this part of the code is returning
|
|
|
ced1f5 |
+ * an ETIMEDOUT.
|
|
|
ced1f5 |
+ */
|
|
|
ced1f5 |
+ if (ret == EIO) {
|
|
|
ced1f5 |
+ tevent_req_error(req, ETIMEDOUT);
|
|
|
ced1f5 |
+ } else {
|
|
|
ced1f5 |
+ if (auth_connect_send(req) == NULL) {
|
|
|
ced1f5 |
+ tevent_req_error(req, ENOMEM);
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
return;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
--
|
|
|
ced1f5 |
2.13.6
|
|
|
ced1f5 |
|