URL:
https://github.com/SSSD/sssd/pull/5532
Title: #5532: ldap: retry ldap_install_tls() when watchdog interruption
alexey-tikhonov commented:
"""
> Did you try your latest version with your reproducer?
Yes, when the process fails it is retried.
Thanks for the logs. Functionally it looks good.
But I have a question:
```
(11:39:30): [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(11:39:30): [sdap_uri_callback] (0x0400): Constructed uri
'ldaps://10.0.155.220:636'
(11:39:30): [decide_tls_usage] (0x2000): [ldaps://10.0.155.220:636] is a secure channel.
No need to run START_TLS
(11:39:30): [sssd_async_socket_init_send] (0x0400): Setting 12 seconds timeout for
connecting
...network delay
(11:39:40): [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect
error] [unknown error]
(11:39:40): [sss_ldap_init_sys_connect_done] (0x0020): Assuming TLS handshake was
interrupted
(11:39:40): [sss_ldap_init_state_destructor] (0x0400): calling ldap_unbind_ext for
ldap:[0xdf4950] sd:[26]
(11:39:40): [sss_ldap_init_state_destructor] (0x0400): closing socket [26]
(11:39:40): [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed:
[1432158320]: TLS handshake was interrupted.
(11:39:40): [sdap_handle_release] (0x2000): Trace: sh[0xdf7020], connected[0], ops[(nil)],
ldap[(nil)], destructor_lock[0], release_memory[0]
(11:39:40): [sdap_cli_connect_done] (0x0040): Performing retry due to TLS handshake
interruption
(11:39:40): [fo_set_port_status] (0x0100): Marking port 636 of server
'10.0.155.220' as 'not working'
(11:39:40): [fo_set_port_status] (0x0400): Marking port 636 of duplicate server
'10.0.155.220' as 'not working'
(11:39:40): [decide_tls_usage] (0x2000): [ldaps://10.0.155.220:636] is a secure channel.
No need to run START_TLS
(11:39:40): [sssd_async_socket_init_send] (0x0400): Setting 12 seconds timeout for
connecting
(11:39:42): [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldaps://10.0.155.220:636/??base] with fd [26].
```
-- why `Marking port ... as 'not working'`? IIUC, this is exactly the ip:port that
is being retried (and succeeds).
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5532#issuecomment-801848446