[Freeipa-devel] [PATCH] 0071 Recover from invalid cached credentials in ipasam

Simo Sorce ssorce at redhat.com
Tue Aug 21 15:29:25 UTC 2012
----- Original Message -----
> On Tue, 21 Aug 2012, Simo Sorce wrote:
> >----- Original Message -----
> >> On Tue, 21 Aug 2012, Simo Sorce wrote:
> >> >----- Original Message -----
> >> >> Hi,
> >> >>
> >> >> https://fedorahosted.org/freeipa/ticket/3009
> >> >
> >> >What prevents this patch from causing an infinite loop if we keep
> >> >getting the same error back at each interaction?
> >>
> >> The loop is triggered when kerberos credentials were obtained
> >> successfully based on cached credentials in the ccache but the SASL
> >> operation denied them. At this point the code after the notdone label
> >> will wipe out the content of the ccache and attempt to acquire
> >> credentials online based on the content of samba's keytab.
> >>
> >> Obtained credentials will be put into the ccache for further cached
> >> use.
> >>
> >> If any step in acquiring credentials fails, the callback returns with
> >> LDAP_LOCAL_ERROR, effectively ending the current SASL auth attempt. On
> >> a higher level the smbldap API user retries several times (up to two
> >> dozen times) to authenticate and on complete failure calls smb_panic().
> >>
> >> If credentials were acquired correctly at the previous step, the SASL
> >> step cannot fail with LDAP_INVALID_CREDENTIALS; there will be another
> >> error message, either LDAP_INAPPROPRIATE_AUTH or
> >> LDAP_INSUFFICIENT_ACCESS. In case of a FreeIPA setup we shouldn't see
> >> the remaining security error, LDAP_X_PROXY_AUTHZ_FAILURE. Any of those
> >> will get us out of the loop.
> >>
> >> Thus, this loop is run at most twice.
> >
> >Ok, then ACK.
> 
> I've rewritten the patch to use helper functions instead of looping.

Indeed it looks better this way.

Simo.
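The bounded recovery described in the quoted exchange, as an added example that is not the ipasam patch's own code: a C simulation in which a stale cached ticket is rejected once, the ccache is wiped, fresh credentials are acquired from the keytab, and exactly one further bind is sent. The `ccache_sim` struct, the `_sim` helpers, `bind_with_ccache_recovery` and the locally defined result codes are constructed for the demo; real code would use `<ldap.h>` and the Kerberos/SASL APIs.

```c
#include <stdbool.h>

/* Result codes defined locally for the demo instead of <ldap.h>:
 * 49 is the RFC 4511 value, LDAP_LOCAL_ERROR follows OpenLDAP. */
#define LDAP_SUCCESS              0
#define LDAP_INVALID_CREDENTIALS 49
#define LDAP_LOCAL_ERROR        (-2)

/* Constructed stand-in for the ccache plus the server's view of it. */
struct ccache_sim {
    bool has_ticket;    /* a ticket is present in the ccache */
    bool ticket_stale;  /* server will reject it with INVALID_CREDENTIALS */
    int  keytab_rc;     /* LDAP_SUCCESS if the keytab can yield fresh creds */
    int  bind_attempts; /* how many SASL binds were actually sent */
};

/* Simulated SASL/GSSAPI bind using whatever is in the ccache. */
static int sasl_bind_sim(struct ccache_sim *cc)
{
    cc->bind_attempts++;
    if (!cc->has_ticket)
        return LDAP_LOCAL_ERROR;
    return cc->ticket_stale ? LDAP_INVALID_CREDENTIALS : LDAP_SUCCESS;
}

/* Simulated online acquisition from samba's keytab into the ccache. */
static int acquire_from_keytab_sim(struct ccache_sim *cc)
{
    cc->has_ticket = (cc->keytab_rc == LDAP_SUCCESS);
    cc->ticket_stale = false;
    return cc->has_ticket ? LDAP_SUCCESS : LDAP_LOCAL_ERROR;
}

/* Bind with recovery: only INVALID_CREDENTIALS triggers a ccache wipe and
 * re-acquire, and the retry happens once, so at most two binds are sent. */
int bind_with_ccache_recovery(struct ccache_sim *cc)
{
    int rc;

    if (!cc->has_ticket && acquire_from_keytab_sim(cc) != LDAP_SUCCESS)
        return LDAP_LOCAL_ERROR;
    rc = sasl_bind_sim(cc);
    if (rc != LDAP_INVALID_CREDENTIALS)
        return rc;                  /* success or a non-recoverable error */
    cc->has_ticket = false;         /* wipe the rejected cached ticket */
    if (acquire_from_keytab_sim(cc) != LDAP_SUCCESS)
        return LDAP_LOCAL_ERROR;    /* ends this SASL attempt; smbldap retries */
    return sasl_bind_sim(cc);       /* second and final attempt, no loop */
}
```

Because the second bind is a straight-line call rather than a jump back, the function cannot spin on a repeated rejection; the caller sees the final result and applies its own retry budget.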
