HPCC-30077 User authenticate did not properly cycle through all AD hosts

Added outer loop iterating over all AD hosts when creating a connection to validate a user Signed-Off-By: Kenneth Rowland [email protected]
hpcc-systems · Jul 31, 2024 · 101bb4c · 101bb4c
1 parent 027c58f
commit 101bb4c
Showing 1 changed file with 22 additions and 17 deletions.
diff --git a/system/security/LdapSecurity/ldapconnection.cpp b/system/security/LdapSecurity/ldapconnection.cpp
@@ -1925,28 +1925,33 @@ class CLdapClient : implements ILdapClient, public CInterface
             StringBuffer hostbuf;
             int rc = LDAP_SERVER_DOWN;
             char *ldap_errstring=NULL;
-            for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
+            for (int numHosts=0; numHosts < m_ldapconfig->getHostCount(); numHosts++)
             {
-                m_ldapconfig->getLdapHost(hostbuf);//get next available AD, as it may have changed
-                DBGLOG("LdapBind for user %s (retries=%d) on host %s.", username, retries, hostbuf.str());
+                for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
                 {
-                    LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort(), m_ldapconfig->getCipherSuite());
-                    rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getLdapTimeout(), m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
-                    if(rc != LDAP_SUCCESS)
-                        ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
-                    LDAP_UNBIND(user_ld);
-                }
-                DBGLOG("finished LdapBind for user %s, rc=%d", username, rc);
+                    m_ldapconfig->getLdapHost(hostbuf);//get next available AD, as it may have changed
+                    DBGLOG("LdapBind for user %s (retries=%d) on host %s.", username, retries, hostbuf.str());
+                    {
+                        LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort(), m_ldapconfig->getCipherSuite());
+                        rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getLdapTimeout(), m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
+                        if(rc != LDAP_SUCCESS)
+                            ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
+                        LDAP_UNBIND(user_ld);
+                    }
+                    DBGLOG("finished LdapBind for user %s, rc=%d", username, rc);
 
-                if(rc==LDAP_SERVER_DOWN || rc==LDAP_UNAVAILABLE)
-                {
-                    m_ldapconfig->rejectHost(hostbuf);
-                    continue;//try again with next configured LDAP host
+                    if(rc==LDAP_TIMEOUT && retries < LDAPSEC_MAX_RETRIES)
+                    {
+                        sleep(LDAPSEC_RETRY_WAIT);
+                        DBGLOG("Server %s temporarily unreachable, retrying ...", hostbuf.str());
+                    }
+                    else
+                        break;
                 }
-                else if(rc==LDAP_TIMEOUT && retries < LDAPSEC_MAX_RETRIES)
+
+                if(LdapServerDown(rc))
                 {
-                    sleep(LDAPSEC_RETRY_WAIT);
-                    DBGLOG("Server %s temporarily unreachable, retrying ...", hostbuf.str());
+                    m_ldapconfig->rejectHost(hostbuf); // move to next host
                 }
                 else
                     break;