[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Syncrepl patch for retry on SASL bind failure (ITS#3032)
Full_Name: Luke Howard
Version: 2.2.6
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (203.13.32.100)
Let me preface this by saying that this patch is a workaround that solves a SASL
mechanism-specific issue, and that it could be solved in a much better fashion.
That said, I'm posting this because it is useful to our application, and until
such time that a more generalized solution is available, it may be useful to
others.
ldap_sasl_interactive_bind_s() will return LDAP_LOCAL_ERROR if, when using
GSS-API, Kerberos credentials have not come available. In our case, this is the
case when slapd starts or when the KDC is unavailable. (We have a Credentials
Manager plugin that spawns a thread and manages Kerberos credentials for the
local DSA; because this is asynchronous with respect to syncrepl, there exists a
race condition when slapd starts.)
This patch is against REL_ENG_2_2.
Index: syncrepl.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/syncrepl.c,v
retrieving revision 1.24.2.15
diff -u -r1.24.2.15 syncrepl.c
--- syncrepl.c 18 Mar 2004 01:01:02 -0000 1.24.2.15
+++ syncrepl.c 19 Mar 2004 03:55:06 -0000
@@ -270,6 +270,12 @@
"ldap_sasl_interactive_bind_s failed (%d)\n",
rc, 0, 0 );
#endif
+
+ /* check if Kerberos credentials cache is not active */
+ if ( strcmp( si->si_saslmech, "GSSAPI" ) == 0 &&
+ rc == LDAP_LOCAL_ERROR ) {
+ rc = LDAP_SERVER_DOWN; /* force retry */
+ }
goto done;
}
#else /* HAVE_CYRUS_SASL */