[PATCH] Make ldap simple bind asynchronous
by Martin Nagy
Hi,
here it is. I included some description in the commit log; it is
necessary to read it in order to understand why I did some things this
way. Any suggestions to make the patch better are most welcome.
Martin
13 years, 11 months
[PATCH] Try all servers during Kerberos auth (sssd 1.2)
by Jakub Hrozek
The Kerberos backend would previously try only the first server and if
it was unreachable, it immediately went offline.
This patch was rebased on top of Sumit's tevent_req rewrite of
krb_auth.c on the sssd-1-2 branch.
It also handles the case where the child times out and removes the
special-casing of SSS_PAM_CHAUTHTOK in krb5_resolve_kdc_done(). The
special casing didn't in fact have any effect as when using KDC for
password changes we don't distinguish between the kdc and kpasswd
service (they use the same "port" in terms of failover).
13 years, 11 months
failover reconnections
by Simo Sorce
Hi Eugene,
I decided to start a new thread to discuss so that we can close the
previous parenthesis and concentrate on the problem at hand.
On Mon, 19 Apr 2010 15:19:22 +0400
Eugene Indenbom <eindenbom(a)gmail.com> wrote:
> So now we are ready to continue with fixing failover reconnect and
> GSSAPI authentication in LDAP and IPA providers. From my point of
> view at least the following problems need to be addressed by the final
> solution:
>
> 1. When two (or more) BE requests are executed in parallel and there
> is no cached connection, only one LDAP connection should be
> established. In current implementation 2 connections will be
> established and the first one killed failing the operation that
> connected first.
ACK (within the boundaries of the ID provider)
> 2. When OFFLINE state is detected during request execution (there
> were cached connection, but all failover servers failed to connect
> during request execution), the backend must return DP_ERR_OFFLINE. It
> currently returns DP_ERR_FATAL with EIO error. Next request completes
> with DP_ERR_OFFLINE. So there is a big inconsistency in behaviour.
I think this makes sense.
> 3. It is essential to close LDAP connection before GSSAPI ticket is
> expired as closing connection with already expired ticket still
> writes a message in message log.
Premise:
I have started a discussion upstream wrt killing GSSAPI connection when
credentials expire. Heimdal doesn't do that. MIT does, but things may
change.
Until the issue is resolved upstream I think it makes sense to avoid
bad messages in the logs, but only as long as avoiding them doesn't
require complex and convoluted code.
> 4. The about-to-expire connection should be closed gracefully: all
> requests already in progress and using the connection should be
> completed, new requests should establish and use new connection.
Hopefully we can avoid "expiring" connections (see premise above), but
I think we need to be even more aggressive, and close connections when
they go idle. This way we can free server resources and in most cases
we will close much before we even get close to expiration time.
> 5. ipa_access backend should also use failover retries.
ACK
> 6. I think it is essential to reduce amount of copy-paste code
> handling LDAP connect/reconnect code. My strong opinion is that a
> special mechanism for handling LDAP connect/retry logic is required.
If we need it then we need it at a deep level, down close to the
openldap library boundary, so that we do not have to restart functions
at a higher level. As close as possible to the wire.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
13 years, 11 months
[PATCH] Support SRV servers in failover
by Jakub Hrozek
[PATCH 1/2] Remove freed server_common entities from list
We didn't hit this before as we never removed common entities. When
using service requests, we remove the resolved fo_servers when we hit a
timeout, so the server_common can also be removed.
[PATCH 2/2] Support SRV servers in failover
Adds a new failover API call fo_add_srv_server that allows the caller
to specify a server that is later resolved into a list of specific
servers using SRV requests.
Also adds a new failover option that specifies how long the servers
resolved from the SRV query are considered valid until we need a
refresh.
The "real" servers to connect to are returned to the user as usual,
using the fo_resolve_service_{send,recv} calls.
13 years, 11 months
[PATCHES] New functionality for refarray and new comment object
by Dmitri Pal
Hello,
Patch 1: New functionality for refarray. Some basic functionality was
missing. Now it is added.
Patch 2: New object to preserve and store comments in the INI file.
Takes advantage of the refarray interface.
This patch includes a separate unit test. Nothing uses this object yet.
It will be a part of the new more complex value object I am currently
working on.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
13 years, 11 months
[PATCH] Add dns_resolver_timeout option
by Stephen Gallagher
We had a hard-coded timeout of five seconds for DNS lookups in the
async resolver. This patch adds an option 'dns_resolver_timeout'
to specify this value (Default: 5)
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
13 years, 11 months
[PATCH] Sort SRV replies according to RFC 2782
by Jakub Hrozek
This functionality is needed for service discovery.
RFC 2782 defines a way to sort replies to a SRV query. In short, the
algorithm sorts all replies by priority and then does a weight-based
selection for every priority level.
For details, please see the section "Usage rules" for an overview of the
algorithm and the section "The 'Weight' field" for a description of the
weight selection.
13 years, 11 months
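The RFC 2782 ordering described above (priority sort, then weighted selection per priority level), as an added example in C that is not from the patch or from sssd's own code; the srv_rr struct, the rnd callback and the _ldap._tcp.example.com reply are constructed for illustration:

```c
#include <stdlib.h>
#include <string.h>
struct srv_rr { const char *target; int priority; int weight; }; /* constructed; not sssd's own */

/* rnd(max) returns a uniform value in [0, max]; rnd_zero/rnd_max are fixed picks used by tests. */
typedef unsigned (*rnd_fn)(unsigned max);
static unsigned rnd_uniform(unsigned max) { return (unsigned)rand() % (max + 1u); }
static unsigned rnd_zero(unsigned max) { (void)max; return 0; }
static unsigned rnd_max(unsigned max) { return max; }

/* RFC 2782 "Weight" rule on rrs[0..n): zero-weight records count as placed first; the
 * first record whose running weight sum is >= a number drawn from [0, total] is chosen. */
static int pick_weighted(const struct srv_rr *rrs, int n, rnd_fn rnd)
{
    int i; unsigned total = 0, run = 0, r;
    for (i = 0; i < n; i++) total += (unsigned)rrs[i].weight;
    r = rnd(total);
    if (r == 0) /* a zero-weight head has running sum 0, so it qualifies first */
        for (i = 0; i < n; i++) if (rrs[i].weight == 0) return i;
    for (i = 0; i < n; i++) {
        if (rrs[i].weight == 0) continue;
        run += (unsigned)rrs[i].weight;
        if (run >= r) return i;
    }
    return n - 1;
}

/* RFC 2782 "Usage rules": stable sort by priority (lowest first), then repeated weighted
 * selection inside each priority level; rrs ends up in the order the targets are tried. */
static void srv_sort(struct srv_rr *rrs, int n, rnd_fn rnd)
{
    int i, j, lo, hi;
    for (i = 1; i < n; i++) { /* insertion sort keeps equal priorities in reply order */
        struct srv_rr key = rrs[i];
        for (j = i; j > 0 && rrs[j - 1].priority > key.priority; j--) rrs[j] = rrs[j - 1];
        rrs[j] = key;
    }
    for (lo = 0; lo < n; lo = hi) {
        for (hi = lo; hi < n && rrs[hi].priority == rrs[lo].priority; hi++) { }
        for (i = lo; i < hi; i++) { /* move the next pick to the front of the unordered rest */
            struct srv_rr tmp = rrs[i];
            j = i + pick_weighted(&rrs[i], hi - i, rnd);
            rrs[i] = rrs[j]; rrs[j] = tmp;
        }
    }
}

/* Constructed sample reply for _ldap._tcp.example.com, in the order the resolver returned it. */
static const struct srv_rr sample[] = { { "ldap1.example.com", 10, 60 }, { "ldap2.example.com", 20, 0 },
                                        { "ldap3.example.com", 10, 0 }, { "ldap4.example.com", 10, 40 } };
```

Copy sample into a writable array and call srv_sort with rnd_uniform (after srand()) to get a fresh contact order per lookup; with these weights ldap1 should come first about 60% of the time, ldap4 40%, ldap3 only when the draw hits 0, and ldap2 always last because of its higher priority value.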
[PATCH] Silence warnings with -O2
by Jakub Hrozek
I noticed there were some warnings when compiling with the default
Fedora CFLAGS.
13 years, 11 months
[PATCH] Fix wrong return value
by Sumit Bose
Hi,
the patch which removes the authentication tokens from the PAM stack
didn't return the right status code if a password change fails. To make
it easier to read I introduced a new variable.
bye,
Sumit
13 years, 11 months