Re: Syncrepl patch for retry on SASL bind failure (ITS#3032)
Applied with tweaks. Thanks, Kurt
At 07:56 PM 3/18/2004, lukeh@padl.com wrote:
>Full_Name: Luke Howard
>Version: 2.2.6
>OS: Linux
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (203.13.32.100)
>
>
>Let me preface this by saying that this patch is a workaround that solves a SASL
>mechanism-specific issue, and that it could be solved in a much better fashion.
>That said, I'm posting this because it is useful to our application, and until
>such time that a more generalized solution is available, it may be useful to
>others.
>
>ldap_sasl_interactive_bind_s() will return LDAP_LOCAL_ERROR if, when using
>GSS-API, Kerberos credentials have not come available. In our case, this is the
>case when slapd starts or when the KDC is unavailable. (We have a Credentials
>Manager plugin that spawns a thread and manages Kerberos credentials for the
>local DSA; because this is asynchronous with respect to syncrepl, there exists a
>race condition when slapd starts.)
>
>This patch is against REL_ENG_2_2.
>
>Index: syncrepl.c
>===================================================================
>RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/syncrepl.c,v
>retrieving revision 1.24.2.15
>diff -u -r1.24.2.15 syncrepl.c
>--- syncrepl.c 18 Mar 2004 01:01:02 -0000 1.24.2.15
>+++ syncrepl.c 19 Mar 2004 03:55:06 -0000
>@@ -270,6 +270,12 @@
> "ldap_sasl_interactive_bind_s failed (%d)\n",
> rc, 0, 0 );
> #endif
>+
>+ /* check if Kerberos credentials cache is not active */
>+ if ( strcmp( si->si_saslmech, "GSSAPI" ) == 0 &&
>+ rc == LDAP_LOCAL_ERROR ) {
>+ rc = LDAP_SERVER_DOWN; /* force retry */
>+ }
> goto done;
> }
> #else /* HAVE_CYRUS_SASL */
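Review bot: The added check rewrites every LDAP_LOCAL_ERROR from a GSSAPI bind to LDAP_SERVER_DOWN, so a local failure that will never clear is retried exactly like the startup race the description mentions, and the caller no longer sees the original code. LDAP_LOCAL_ERROR is a generic client-side result, not one specific to a missing credentials cache, so the comment "check if Kerberos credentials cache is not active" claims more than the test establishes. Consider logging that the result code is being remapped (the debug line above only records the original rc), and bounding or backing off the retries if the surrounding retry logic does not already do so. Two smaller points on the same lines: strcmp( si->si_saslmech, "GSSAPI" ) assumes si_saslmech is non-NULL and exactly upper case, so add a NULL guard if that is not guaranteed on this path and use a case-insensitive compare if the configuration accepts the mechanism name in other cases.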