authorLukas Slebodnik <lslebodn@redhat.com>2013-10-23 18:05:58 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-25 15:37:56 +0200
commitd67a80baf0bdc888297d3587c98f8a12d4827ebc (patch)
tree34aa7815cdfb10989d036c13e15072dcf75efdbc
parent3a3fd60043234038c6ff6584a5b92fb757c4afe1 (diff)
AD: fall back to LDAP if GC is not available.
The AD provider went offline if the Global Catalog could not be connected, although the LDAP port was also available. With this patch, the AD provider will fall back to the LDAP port before going offline. A new boolean flag, ignore_mark_offline, was added to the structure sdap_id_conn_ctx. If this flag is enabled, the function be_mark_offline will not be called. Resolves: https://fedorahosted.org/sssd/ticket/2104
-rw-r--r--src/providers/ad/ad_id.c11
-rw-r--r--src/providers/ldap/ldap_common.h2
-rw-r--r--src/providers/ldap/sdap_id_op.c15
3 files changed, 24 insertions, 4 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index f09b9c6fe..20f9c23fa 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -118,6 +118,14 @@ ad_handle_acct_info_done(struct tevent_req *subreq)
struct ad_handle_acct_info_state);
ret = sdap_handle_acct_req_recv(subreq, &dp_error, &err, &sdap_err);
+ if (dp_error == DP_ERR_OFFLINE
+ && state->conn[state->cindex]->ignore_mark_offline) {
+ /* This is a special case: GC does not work.
+ * We need to Fall back to ldap
+ */
+ ret = EOK;
+ sdap_err = ENOENT;
+ }
talloc_zfree(subreq);
if (ret != EOK) {
tevent_req_error(req, ret);
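Review bot: The added `dp_error == DP_ERR_OFFLINE` branch overwrites `ret` with `EOK` and `sdap_err` with `ENOENT` without logging the original error, and it leaves `dp_error` set to `DP_ERR_OFFLINE`. If no later connection answers, the request may end up reported as "entry not found" rather than "backend offline", and for identity lookups a negative answer is usually handled very differently from an offline one. The code that decides this is in the remainder of ad_handle_acct_info_done, outside this hunk, so it should be confirmed there. At minimum, record the fallback before the overwrite, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, ("GC connection failed (%d), falling back to LDAP\n", ret));`.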
@@ -192,9 +200,12 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
/* Always try GC first */
clist[0] = ad_ctx->gc_ctx;
if (IS_SUBDOMAIN(dom) == true) {
+ clist[0]->ignore_mark_offline = false;
/* Subdomain users are only present in GC. */
break;
}
+ /* fall back to ldap if gc is not available */
+ clist[0]->ignore_mark_offline = true;
/* With root domain users we have the option to
* fall back to LDAP in case ie POSIX attributes
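Review bot: `clist[0]` is `ad_ctx->gc_ctx`, so both added assignments store a per-request decision (subdomain or not) in a connection context owned by the provider rather than by this request. If a subdomain lookup and a root-domain lookup can be in flight at the same time, which the tevent request style suggests, whichever called get_conn_list last decides how sdap_id_op_connect_done treats a GC failure for both. A subdomain request could then have its GC failure suppressed even though it has no LDAP connection to fall back to. Consider carrying the flag in per-request state, or setting it once where `gc_ctx` is created and handling the subdomain case in ad_handle_acct_info_done. The body of get_conn_list starts and ends outside the hunk.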
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 0d565fc63..fb9a34c60 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -52,6 +52,8 @@ struct sdap_id_conn_ctx {
struct sdap_id_conn_cache *conn_cache;
/* dlinklist pointers */
struct sdap_id_conn_ctx *prev, *next;
+ /* do not go offline, try another connection */
+ bool ignore_mark_offline;
};
struct sdap_id_ctx {
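Review bot: No initialisation of `ignore_mark_offline` is visible in this patch, yet sdap_id_op_connect_done reads it for every `sdap_id_conn_ctx`, including ones that get_conn_list never touches (for example a plain LDAP provider connection). Please confirm that every allocation site zeroes the structure, and say so in the field comment, e.g. `/* default false; set by the AD provider on the GC connection: do not go offline, try another connection */`.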
diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
index 52cf78569..5e166e19f 100644
--- a/src/providers/ldap/sdap_id_op.c
+++ b/src/providers/ldap/sdap_id_op.c
@@ -553,10 +553,17 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
}
if (ret != EOK && !can_retry) {
- /* be is going offline as there is no more servers to try */
- DEBUG(1, ("Failed to connect, going offline (%d [%s])\n",
- ret, strerror(ret)));
- be_mark_offline(conn_cache->id_conn->id_ctx->be);
+ if (conn_cache->id_conn->ignore_mark_offline) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ ("Failed to connect to server, but ignore mark offline "
+ "is enabled.\n"));
+ } else {
+ /* be is going offline as there is no more servers to try */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Failed to connect, going offline (%d [%s])\n",
+ ret, strerror(ret)));
+ be_mark_offline(conn_cache->id_conn->id_ctx->be);
+ }
is_offline = true;
}
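Review bot: The new `ignore_mark_offline` branch logs at `SSSDBG_TRACE_FUNC` and drops the error code, so a Global Catalog that is unreachable leaves no trace at normal debug levels and the cause is lost even when tracing is on. A silent change of directory source is something an operator would want to see; suggest `DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to connect to server (%d [%s]), but ignore mark offline is enabled.\n", ret, strerror(ret)));`. Note also that `is_offline = true` is still set on this path, so the operation is reported offline while the backend is not marked offline; a comment stating that this is intentional would help. sdap_id_op_connect_done continues outside the hunk.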