From e0e1728663ebb19cf7887d03b00d6cb78ca4a3b4 Mon Sep 17 00:00:00 2001
From: Antonio Torres
Date: Wed, 13 Oct 2021 14:10:04 +0200
Subject: [PATCH] ldap module: retry on initial connection
LDAP library returns a partially open handle for connection. Retrying connection on module instantiation helps to succesfully connect using this partially open handle.
Resolves: #1992551
---
 ...-to-connect-on-partially-open-handle.patch | 49 +++++++++++++++++++
 freeradius.spec | 8 ++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
diff --git a/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch b/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
new file mode 100644
index 0000000..41755ee
--- /dev/null
+++ b/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
@@ -0,0 +1,49 @@
+From ab6bbcc41293ae745c1607618f88e5404b98d769 Mon Sep 17 00:00:00 2001
+From: Antonio Torres
+Date: Wed, 13 Oct 2021 13:29:02 +0200
+Subject: [PATCH] ldap: allow to connect on partially open handle
+
+The LDAP library returns a partially open connection. Setting the
+'retry' flag to true during the module inst creation and the pool start
+to 0 allows to connect even if the connection is not completely opened
+yet.
+
+Upstream commit: https://github.com/FreeRADIUS/freeradius-server/commit/21d95b268b4cf56e75064898d83123825d673818
+
+Signed-off-by: Antonio Torres
+---
+diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
+index f25ee9e2e0..4b6ae44afb 100644
+--- a/src/modules/rlm_ldap/ldap.c
++++ b/src/modules/rlm_ldap/ldap.c
+@@ -717,7 +717,8 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
+ * For sanity, for when no connections are viable,
+ * and we can't make a new one.
+ */
+- num = retry ? fr_connection_pool_get_num(inst->pool) : 0;
++ num = 0;
++ if (inst->pool && retry) num = fr_connection_pool_get_num(inst->pool);
+ for (i = num; i >= 0; i--) {
+ #ifdef WITH_SASL
+ if (sasl && sasl->mech) {
+@@ -758,7 +759,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
+ break;
+ 
+ case LDAP_PROC_RETRY:
+- if (retry) {
++ if (num) {
+ *pconn = fr_connection_reconnect(inst->pool, *pconn);
+ if (*pconn) {
+ LDAP_DBGW_REQ("Bind with %s to %s failed: %s. Got new socket, retrying...",
+@@ -1563,7 +1564,7 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+ }
+ 
+ status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password,
+- &(conn->inst->admin_sasl), false);
++ &(conn->inst->admin_sasl), true);
+ if (status != LDAP_PROC_SUCCESS) {
+ goto error;
+ }
+--
+2.31.1
+
diff --git a/freeradius.spec b/freeradius.spec
index b52eed8..b8d2893 100644
--- a/freeradius.spec
+++ b/freeradius.spec
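Review bot: The new `if (inst->pool && retry)` guard in rlm_ldap_bind means the `true` now passed from mod_conn_create only enables the reconnect path once `inst->pool` has been assigned; while the pool is still being constructed `num` stays 0 and the `LDAP_PROC_RETRY` branch behaves exactly as before, so the change can only help connections opened lazily after pool startup. The commit message says this depends on the pool `start` being 0, but neither the patch nor the spec touches the rlm_ldap pool configuration, so a site running the default `start` value may still hit the partially-open-handle failure at instantiation — that dependency should be stated in the changelog entry or the matching configuration change shipped alongside. It is also not visible here whether `fr_connection_reconnect` can re-enter mod_conn_create, which now binds with retry enabled; if it can, confirm the recursion depth is bounded. Both rlm_ldap_bind and mod_conn_create start and end outside the hunk.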
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/
@@ -26,6 +26,7 @@ Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
 Patch5: freeradius-bootstrap-make-permissions.patch
 Patch6: freeradius-Fix-resource-hard-limit-error.patch
+Patch7: freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -209,6 +210,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -851,6 +853,10 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Wed Oct 13 2021 Antonio Torres - 3.0.21-22
+- Allow to connect to partially open LDAP handle
+ Related: rhbz#1992551
+
 * Mon Sep 27 2021 Antonio Torres - 3.0.21-21
 - Move FR's systemd unit PID file from /var/run to /run
 Related: rhbz#2006368