Fix some LDAP connection bugs
In #36281 we made some improvements to the LDAP reconnect behavior.
These changes considered the case where we had a connection to the
LDAP server but then got disconnected. They did not consider the case
where we never successfully established a connection at all.
zmb3 committed Oct 28, 2024
1 parent d3e4b2d commit c323087
Showing 2 changed files with 24 additions and 1 deletion.
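--- a/lib/srv/desktop/discovery.go
+++ b/lib/srv/desktop/discovery.go
@@ -99,6 +99,16 @@ func (s *WindowsService) ldapSearchFilter() string {
 
 // getDesktopsFromLDAP discovers Windows hosts via LDAP
 func (s *WindowsService) getDesktopsFromLDAP() map[string]types.WindowsDesktop {
+// Check whether we've ever successfully initialized our LDAP client.
+s.mu.Lock()
+if !s.ldapInitialized {
+s.cfg.Logger.DebugContext(context.Background(), "LDAP not ready, skipping discovery and attempting to reconnect")
+s.mu.Unlock()
+s.initializeLDAP()
+return nil
+}
+s.mu.Unlock()
+
 filter := s.ldapSearchFilter()
 s.cfg.Logger.DebugContext(context.Background(), "searching for desktops", "filter", filter)
 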
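Review bot: The early-return path calls `s.initializeLDAP()` and then returns nil, so on this discovery cycle the caller sees an empty result; whether the caller treats an empty map as "all previously discovered LDAP desktops are gone" is decided outside this hunk and is worth confirming before merging. The same check-then-act on `ldapInitialized` is added in `startLDAPConnectionCheck` (windows_server.go), so two goroutines can both observe the flag as false after releasing `s.mu` and call `initializeLDAP()` concurrently unless that function serializes itself, which this hunk does not show. The doc comment should state the new contract, e.g. `// getDesktopsFromLDAP discovers Windows hosts via LDAP. If the LDAP client has never been initialized it triggers initialization and returns nil.` Since the flag read is the same lock/unlock pair at both call sites, a small `s.isLDAPInitialized()` helper would keep the locking in one place. The function body continues outside the hunk.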
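--- a/lib/srv/desktop/windows_server.go
+++ b/lib/srv/desktop/windows_server.go
@@ -450,7 +450,20 @@ func (s *WindowsService) startLDAPConnectionCheck(ctx context.Context) {
 for {
 select {
 case <-t.Chan():
-// attempt to read CAs in the NTAuth store (we know we have permissions to do so)
+// First check if we have successfully initialized the LDAP client.
+// If not, then do that now and return.
+// (This mimics the check that is performed when LDAP discovery is enabled.)
+s.mu.Lock()
+if !s.ldapInitialized {
+s.cfg.Logger.DebugContext(context.Background(), "LDAP not ready, attempting to reconnect")
+s.mu.Unlock()
+s.initializeLDAP()
+return
+}
+s.mu.Unlock()
+
+// If we have initizlied the LDAP client, then try to use it to make sure we're still connected
+// by attempting to read CAs in the NTAuth store (we know we have permissions to do so).
 ntAuthDN := "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration," + s.cfg.LDAPConfig.DomainDN()
 _, err := s.lc.Read(ntAuthDN, "certificationAuthority", []string{"cACertificate"})
 if trace.IsConnectionProblem(err) {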
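Review bot: The `return` after `s.initializeLDAP()` at the top of the ticker case exits the connection-check loop entirely, so if initialization fails (the server is still unreachable) this goroutine is gone and, with discovery disabled, nothing visible here retries — unless `initializeLDAP()` itself restarts `startLDAPConnectionCheck` on success, which the hunk does not show. If it does restart it on success, `return` is right only on that path; on failure the loop should keep ticking, e.g. by having the call report an error and using `continue` instead of `return` when it fails. The log call passes `context.Background()` although the function receives `ctx` (visible in the hunk header), so `s.cfg.Logger.DebugContext(ctx, "LDAP not ready, attempting to reconnect")` keeps the log tied to the goroutine's context. The new comment has a typo: `initizlied` should read `initialized`. The select and loop continue outside the hunk.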
