URL: https://github.com/SSSD/sssd/pull/442
Author: fidencio
Title: #442: LDAP: Improve error treatment from sdap_cli_connect() in ldap_auth
Action: opened

PR body:
"""
Because we weren't treating the errors coming from sdap_cli_connect_recv() properly we ended up introducing a regression in the commit add72860c7, related to offline authentication.

From now on, let's properly treat errors coming from auth_connect_send(), which were treated before by going offline when be_resolve_server_recv() failed, and propagate ETIMEDOUT to the request, thus going offline and allowing offline authentication on those cases.

This patch fixes the regression reported by Lukáš on https://bugzilla.redhat.com/show_bug.cgi?id=1459609#c9. (And I have to say a big thanks for finding this out!)

Related: https://pagure.io/SSSD/sssd/issue/3451

Signed-off-by: Fabiano Fidêncio <[email protected]>
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/442/head:pr442
git checkout pr442
From 92325340d322d4c8742fb8a6b85d2587285acb33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <[email protected]> Date: Tue, 7 Nov 2017 23:34:42 +0100 Subject: [PATCH] LDAP: Improve error treatment from sdap_cli_connect() in ldap_auth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Because we weren't treating the errors coming from sdap_cli_connect_recv() properly we ended up introducing a regression in the commit add72860c7, related to offline authentication. From now on, let's properly treat errors coming from auth_connect_send(), which were treated before by going offline when be_resolve_server_recv() failed, and propagate ETIMEDOUT to the request, thus going offline and allowing offline authentication on those cases. Related: https://pagure.io/SSSD/sssd/issue/3451 Signed-off-by: Fabiano Fidêncio <[email protected]> --- src/providers/ldap/ldap_auth.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index a3b1480aa..2e0e2cfd6 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -716,8 +716,20 @@ static void auth_connect_done(struct tevent_req *subreq) ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL); talloc_zfree(subreq); if (ret != EOK) { - if (auth_connect_send(req) == NULL) { - tevent_req_error(req, ENOMEM); + /* As sdap_cli_connect_recv() returns EIO in case all the servers are + * down and we have to go offline, let's treat it accordingly here and + * allow the PAM responder to with to offline authentication. + * + * Unfortunately, there's not much pattern within our code and the way + * to indicate we're going down in this part of the code is returning + * an ETIMEDOUT. + */ + if (ret == EIO) { + tevent_req_error(req, ETIMEDOUT); + } else { + if (auth_connect_send(req) == NULL) { + tevent_req_error(req, ENOMEM); + } } return; }
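Review bot: In the new if (ret == EIO) branch of auth_connect_done(), the error is rewritten to ETIMEDOUT without any debug message, so nothing in this hunk records that the request is going offline because sdap_cli_connect_recv() returned EIO; consider logging the original ret before calling tevent_req_error(req, ETIMEDOUT). The comment above that branch reads "allow the PAM responder to with to offline authentication", which looks like it should say "to switch to offline authentication". The nested "} else { if (auth_connect_send(req) == NULL) {" can also be flattened to "} else if (auth_connect_send(req) == NULL) {" to drop one level of indentation.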
