authorJakub Hrozek <jhrozek@redhat.com>2015-03-10 12:48:16 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-03-23 08:33:46 +0100
commitb123a618dd8837f8a2db385542f0d7f3d7679d9b (patch)
tree36effde27949cd40f19e94fcbbed304fe812f2e3 /src
parentef9ca5848ea08aafa0827f5d2922d49130ba324d (diff)
SDAP: Make simple bind timeout configurable
Resolves: https://fedorahosted.org/sssd/ticket/1501 Reuse the value of sdap_opt_timeout to set a longer bind timeout for user authentication, ID connection authentication and authentication during IPA migration mode. Reviewed-by: Pavel Reichl <preichl@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/man/sssd-ldap.5.xml3
-rw-r--r--src/providers/ipa/ipa_auth.c7
-rw-r--r--src/providers/ldap/ldap_auth.c4
-rw-r--r--src/providers/ldap/sdap_async.h3
-rw-r--r--src/providers/ldap/sdap_async_connection.c13
5 files changed, 21 insertions, 9 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 613b63f69..e598d70c5 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1235,7 +1235,8 @@
Specifies a timeout (in seconds) after which
calls to synchronous LDAP APIs will abort if no
response is received. Also controls the timeout
- when communicating with the KDC in case of SASL bind.
+ when communicating with the KDC in case of SASL
+ bind and the timeout of an LDAP bind operation.
</para>
<para>
Default: 6
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index f9a0706be..223448338 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -330,6 +330,7 @@ static void ipa_migration_flag_connect_done(struct tevent_req *req)
const char *dn;
int dp_err = DP_ERR_FATAL;
int ret;
+ int auth_timeout;
ret = sdap_cli_connect_recv(req, state, NULL, &state->sh, NULL);
talloc_zfree(req);
@@ -369,8 +370,12 @@ static void ipa_migration_flag_connect_done(struct tevent_req *req)
goto done;
}
+ auth_timeout = dp_opt_get_int(
+ state->ipa_auth_ctx->sdap_auth_ctx->opts->basic,
+ SDAP_OPT_TIMEOUT);
+
req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn,
- state->pd->authtok);
+ state->pd->authtok, auth_timeout);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "sdap_auth_send failed.\n");
goto done;
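Review bot: The value read with `dp_opt_get_int(..., SDAP_OPT_TIMEOUT)` is handed to `sdap_auth_send` without any range check, here and in the `auth_do_bind` and `sdap_cli_auth_step` hunks. The hard-coded 5 it replaces could never be zero or negative. This diff does not show how `sdap_op_add` treats such a value; if 0 disables the timer, an unresponsive server would hold an authentication request open indefinitely. Unless the option is already validated when the configuration is loaded, one guard in `sdap_auth_send` before the simple bind is started would cover all three callers, following the error pattern already used there: `if (simple_bind_timeout <= 0) { tevent_req_error(req, EINVAL); return tevent_req_post(req, ev); }`. The body of `ipa_migration_flag_connect_done` starts and ends outside this hunk.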
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index bdcc4505d..3147b49b0 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -831,7 +831,9 @@ static void auth_do_bind(struct tevent_req *req)
subreq = sdap_auth_send(state, state->ev, state->sh,
NULL, NULL, state->dn,
- state->authtok);
+ state->authtok,
+ dp_opt_get_int(state->ctx->opts->basic,
+ SDAP_OPT_TIMEOUT));
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
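Review bot: The timeout lookup is nested inside the `sdap_auth_send` argument list here, and again in the `sdap_cli_auth_step` hunk, whereas `ipa_migration_flag_connect_done` first reads it into a local `auth_timeout`. Using the local-variable form at all three call sites would keep the long call readable and give one obvious place to log or sanity-check the configured value before it reaches the bind. The change would be `auth_timeout = dp_opt_get_int(state->ctx->opts->basic, SDAP_OPT_TIMEOUT);` followed by passing `auth_timeout` as the last argument. `auth_do_bind` starts and ends outside this hunk.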
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index ef9b3bbad..941b81a41 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -122,7 +122,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
const char *sasl_mech,
const char *sasl_user,
const char *user_dn,
- struct sss_auth_token *authtok);
+ struct sss_auth_token *authtok,
+ int simple_bind_timeout);
errno_t sdap_auth_recv(struct tevent_req *req,
TALLOC_CTX *memctx,
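Review bot: The new `simple_bind_timeout` parameter of `sdap_auth_send` is added to the prototype with no statement of its unit or scope. Callers pass `SDAP_OPT_TIMEOUT`, which the man page hunk describes in seconds, and `sdap_cli_auth_step` passes it even when `sasl_mech` is set, so a reader of the header cannot tell whether it also bounds SASL binds. A comment above the prototype would settle this, for example `/* simple_bind_timeout: seconds to wait for the simple bind result; not used when sasl_mech is set */`. That wording assumes the SASL branch ignores the value, which this diff does not show and should be confirmed. The prototype begins above the hunk.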
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index bc03a87a2..ded371098 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -625,6 +625,7 @@ static void simple_bind_done(struct sdap_op *op,
static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_handle *sh,
+ int timeout,
const char *user_dn,
struct berval *pw)
{
@@ -686,9 +687,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
if (ret) goto fail;
}
- /* FIXME: get timeouts from configuration, for now 5 secs. */
ret = sdap_op_add(state, ev, sh, msgid,
- simple_bind_done, req, 5, &state->op);
+ simple_bind_done, req, timeout, &state->op);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
goto fail;
@@ -1275,7 +1275,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
const char *sasl_mech,
const char *sasl_user,
const char *user_dn,
- struct sss_auth_token *authtok)
+ struct sss_auth_token *authtok,
+ int simple_bind_timeout)
{
struct tevent_req *req, *subreq;
struct sdap_auth_state *state;
@@ -1311,7 +1312,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
pw.bv_len = pwlen;
state->is_sasl = false;
- subreq = simple_bind_send(state, ev, sh, user_dn, &pw);
+ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return tevent_req_post(req, ev);
@@ -1852,7 +1853,9 @@ static void sdap_cli_auth_step(struct tevent_req *req)
state->sh, sasl_mech,
dp_opt_get_string(state->opts->basic,
SDAP_SASL_AUTHID),
- user_dn, authtok);
+ user_dn, authtok,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_OPT_TIMEOUT));
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;