[SSSD] Re: [PATCH] Failover to next server if authentication fails

Tue, 10 May 2016 07:00:37 -0700 

On Thu, Apr 21, 2016 at 02:54:21PM +0200, Pavel Březina wrote:
> We can fail in sasl_bind_send() with ERR_AUTH_FAILED for basically
> unspecified reason but we do not failover to next server. This patch should
> fix it.
> 
> As said on the meeting, I didn't reproduce it and I'm not sure if it will
> fix the customer issue unless they confirm it, but it seems to be a valid
> patch anyway.

> From c9e3bf2726d9edba3cddc91c4ae98a87a5c1652a Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
> Date: Wed, 6 Apr 2016 13:20:59 +0200
> Subject: [PATCH 1/2] Inform about (un)successful connection
> 
> ---
>  src/providers/ldap/sdap_async_connection.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/src/providers/ldap/sdap_async_connection.c 
> b/src/providers/ldap/sdap_async_connection.c
> index 
> f9074afb0c1340c7c2a50d4df0021eee4ae0d076..435cb1bb6864b516d386fafa360d062f780b5d04
>  100644
> --- a/src/providers/ldap/sdap_async_connection.c
> +++ b/src/providers/ldap/sdap_async_connection.c
> @@ -2035,6 +2035,9 @@ int sdap_cli_connect_recv(struct tevent_req *req,
>      if (tevent_req_is_error(req, &tstate, &err)) {
>          /* mark the server as bad if connection failed */
>          if (state->srv) {
> +            DEBUG(SSSDBG_OP_FAILURE, "Unable to establish connection "
> +                  "[%d]: %s\n", err, sss_strerror(err));
> +

In file included from /sssd/src/util/util.h:54:0,
                 from /sssd/src/providers/ldap/sdap_async_connection.c:26:
/sssd/src/providers/ldap/sdap_async_connection.c: In function 
'sdap_cli_connect_recv':
/sssd/src/providers/ldap/sdap_async_connection.c:2038:38: warning: format '%d' 
expects argument of type 'int', but argument 6 has type 'uint64_t {aka long 
unsigned int}' [-Wformat=]
             DEBUG(SSSDBG_OP_FAILURE, "Unable to establish connection "
                                      ^
/sssd/src/util/debug.h:108:22: note: in definition of macro 'DEBUG'
                      format, ##__VA_ARGS__); \
                      ^

>              be_fo_set_port_status(state->be, state->service->name,
>                                    state->srv, PORT_NOT_WORKING);
>          } else {
> @@ -2048,6 +2051,8 @@ int sdap_cli_connect_recv(struct tevent_req *req,
>          }
>          return EIO;
>      } else if (state->srv) {
> +        DEBUG(SSSDBG_TRACE_FUNC, "Connection established.\n");
> +
>          be_fo_set_port_status(state->be, state->service->name,
>                                state->srv, PORT_WORKING);
>      }
> -- 
> 2.1.0
> 

> From 8d6f024ac77ddb8dc87d7fd693cfe5846f3a88d6 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
> Date: Wed, 6 Apr 2016 13:21:21 +0200
> Subject: [PATCH 2/2] Failover to next server if authentication fails

I was only able to test this patch 'synthetically', by setting ret to the
ERR_AUTH_FAILED value. But then it seemed to do the right thing, so ACK.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

Reply via email to