ldap module: retry on initial connection

LDAP library returns a partially open handle for connection. Retrying connection on module instantiation helps to succesfully connect using this partially open handle. Resolves: #1992551
2021-10-13 14:10:04 +02:00 · 2021-10-13 14:10:04 +02:00 · e0e1728663
commit e0e1728663
parent f0aba117d7
2 changed files with 56 additions and 1 deletions
--- a/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
+++ b/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
@ -0,0 +1,49 @@
 From ab6bbcc41293ae745c1607618f88e5404b98d769 Mon Sep 17 00:00:00 2001
 From: Antonio Torres <antorres@redhat.com>
 Date: Wed, 13 Oct 2021 13:29:02 +0200
 Subject: [PATCH] ldap: allow to connect on partially open handle
 The LDAP library returns a partially open connection. Setting the
 'retry' flag to true during the module inst creation and the pool start
 to 0 allows to connect even if the connection is not completely opened
 yet.
 Upstream commit: https://github.com/FreeRADIUS/freeradius-server/commit/21d95b268b4cf56e75064898d83123825d673818
 Signed-off-by: Antonio Torres <antorres@redhat.com>
 ---
 diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
 index f25ee9e2e0..4b6ae44afb 100644
 --- a/src/modules/rlm_ldap/ldap.c
 +++ b/src/modules/rlm_ldap/ldap.c
@@ -717,7 +717,8 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
 	 *	For sanity, for when no connections are viable,
 	 *	and we can't make a new one.
 	 */
 -	num = retry ? fr_connection_pool_get_num(inst->pool) : 0;
 +	num = 0;
 +	if (inst->pool && retry) num = fr_connection_pool_get_num(inst->pool);
 	for (i = num; i >= 0; i--) {
 #ifdef WITH_SASL
 		if (sasl && sasl->mech) {
@@ -758,7 +759,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
 			break;
 		case LDAP_PROC_RETRY:
 -			if (retry) {
 +			if (num) {
 				*pconn = fr_connection_reconnect(inst->pool, *pconn);
 				if (*pconn) {
 					LDAP_DBGW_REQ("Bind with %s to %s failed: %s. Got new socket, retrying...",
@@ -1563,7 +1564,7 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
 	}
 	status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password,
 -			       &(conn->inst->admin_sasl), false);
 +			       &(conn->inst->admin_sasl), true);
 	if (status != LDAP_PROC_SUCCESS) {
 		goto error;
 	}
 -- 
 2.31.1
--- a/freeradius.spec
+++ b/freeradius.spec
@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/
@ -26,6 +26,7 @@ Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
 Patch5: freeradius-bootstrap-make-permissions.patch
 Patch6: freeradius-Fix-resource-hard-limit-error.patch
 Patch7: freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -209,6 +210,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %build
 # Force compile/link options, extra security for network facing daemon
@ -851,6 +853,10 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 %changelog
 * Wed Oct 13 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-22
 - Allow to connect to partially open LDAP handle
  Related: rhbz#1992551
 * Mon Sep 27 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-21
 - Move FR's systemd unit PID file from /var/run to /run
  Related: rhbz#2006368