Skip to content

Commit

Permalink
HPCC-30077 User authenticate did not properly cycle through all AD hosts
Browse files Browse the repository at this point in the history
Added outer loop iterating over all AD hosts when creating a connection
to validate a user

Signed-Off-By: Kenneth Rowland [email protected]
  • Loading branch information
kenrowland committed Jul 24, 2024
1 parent d081e53 commit 8252994
Showing 1 changed file with 22 additions and 17 deletions.
39 changes: 22 additions & 17 deletions system/security/LdapSecurity/ldapconnection.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -1925,28 +1925,33 @@ class CLdapClient : implements ILdapClient, public CInterface
StringBuffer hostbuf;
int rc = LDAP_SERVER_DOWN;
char *ldap_errstring=NULL;
for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
for (int numHosts=0; numHosts < m_ldapconfig->getHostCount(); numHosts++)
{
m_ldapconfig->getLdapHost(hostbuf);//get next available AD, as it may have changed
DBGLOG("LdapBind for user %s (retries=%d) on host %s.", username, retries, hostbuf.str());
for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
{
LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort(), m_ldapconfig->getCipherSuite());
rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getLdapTimeout(), m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
if(rc != LDAP_SUCCESS)
ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
LDAP_UNBIND(user_ld);
}
DBGLOG("finished LdapBind for user %s, rc=%d", username, rc);
m_ldapconfig->getLdapHost(hostbuf);//get next available AD, as it may have changed
DBGLOG("LdapBind for user %s (retries=%d) on host %s.", username, retries, hostbuf.str());
{
LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort(), m_ldapconfig->getCipherSuite());
rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getLdapTimeout(), m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
if(rc != LDAP_SUCCESS)
ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
LDAP_UNBIND(user_ld);
}
DBGLOG("finished LdapBind for user %s, rc=%d", username, rc);

if(rc==LDAP_SERVER_DOWN || rc==LDAP_UNAVAILABLE)
{
m_ldapconfig->rejectHost(hostbuf);
continue;//try again with next configured LDAP host
if(rc==LDAP_TIMEOUT && retries < LDAPSEC_MAX_RETRIES)
{
sleep(LDAPSEC_RETRY_WAIT);
DBGLOG("Server %s temporarily unreachable, retrying ...", hostbuf.str());
}
else
break;
}
else if(rc==LDAP_TIMEOUT && retries < LDAPSEC_MAX_RETRIES)

if(LdapServerDown(rc))
{
sleep(LDAPSEC_RETRY_WAIT);
DBGLOG("Server %s temporarily unreachable, retrying ...", hostbuf.str());
m_ldapconfig->rejectHost(hostbuf); // move to next host
}
else
break;
Expand Down

0 comments on commit 8252994

Please sign in to comment.