Issue 6123 - Allow DNA plugin to reuse global config for bind method and connection protocol (#6124)

Description:

FreeIPA configures uniform authentication and access methods for the DNA
plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set
those, the IPA installer has to wait until its own server entry is
asynchronously created by the DNA plugin and then update the entry. This
process takes up to two minutes, which is almost half of the time spent on
creating an IPA server with integrated DNS and external TLS certificates
(e.g., without an integrated CA).

The DNA plugin's configuration entry already allows specifying a remote bind
DN and remote bind password. This is handled by
dna_get_shared_servers(), which pulls remote_binddn and remote_bindpw
from the global config entry unconditionally:

...
                server->remote_binddn = config_entry->remote_binddn;
                server->remote_bindpw = config_entry->remote_bindpw;
                server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i],
                                                                          DNA_REMOTE_BIND_METHOD);
                server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i],
                                                                        DNA_REMOTE_CONN_PROT);
...

If we could add similar handling for remote_bind_method and
remote_conn_prot, with an override from the server entry, that would be
great. This way we can pre-create the configuration with the same
method/protocol values and skip waiting for the server entry to be
created on the DNA plugin side.

Fixes: #6123

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
abbra authored and tbordaz committed May 28, 2024
1 parent c09c0f2 commit 2bfa8be
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions ldap/servers/plugins/dna/dna.c
Expand Up @@ -136,6 +136,8 @@ struct configEntry
char *shared_cfg_dn;
char *remote_binddn;
char *remote_bindpw;
char *remote_bind_method;
char *remote_conn_prot;
PRUint64 timeout;
/* This lock protects the 5 members below. All
* of the above members are safe to read as long
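Review bot: the two new pointer members are added without a comment describing their role (global default for the remote bind method and connection protocol, overridable by a per-server entry), and the fallback that later reads them treats NULL as "not configured". Confirm that struct configEntry is zero-allocated so both start out NULL, and consider a one-line comment on each field, as is done for the lock-protected members just below.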
Expand Down Expand Up @@ -1172,6 +1174,10 @@ dna_parse_config_entry(Slapi_PBlock *pb, Slapi_Entry *e, int apply)
/* now grab the password */
entry->remote_bindpw = slapi_entry_attr_get_charptr(e, DNA_REMOTE_BIND_PW);

/* Optionally, get the remote bind method and a connection protocol */
entry->remote_bind_method = slapi_entry_attr_get_charptr(e, DNA_REMOTE_BIND_METHOD);
entry->remote_conn_prot = slapi_entry_attr_get_charptr(e, DNA_REMOTE_CONN_PROT);

/* validate that we have both a bind dn or password, or we have none */
if ((entry->remote_bindpw != NULL && entry->remote_binddn == NULL) ||
(entry->remote_binddn != NULL && entry->remote_bindpw == NULL)) {
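Review bot: the new attribute values are read with slapi_entry_attr_get_charptr but are never validated, unlike the bind DN/password pair checked immediately below ("validate that we have both a bind dn or password, or we have none"). Because these values now become the default for every shared server that does not set its own, a mistyped method or protocol in the global entry would propagate silently to all of them; consider rejecting or at least logging unrecognised values in the same validation block.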
Expand Down Expand Up @@ -1472,6 +1478,8 @@ dna_free_config_entry(struct configEntry **entry)
slapi_ch_free_string(&e->shared_cfg_dn);
slapi_ch_free_string(&e->remote_binddn);
slapi_ch_free_string(&e->remote_bindpw);
slapi_ch_free_string(&e->remote_bind_method);
slapi_ch_free_string(&e->remote_conn_prot);

slapi_destroy_mutex(e->lock);

Expand Down Expand Up @@ -1875,9 +1883,15 @@ dna_get_shared_servers(struct configEntry *config_entry, PRCList **servers, int
server->remote_bindpw = config_entry->remote_bindpw;
server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i],
DNA_REMOTE_BIND_METHOD);
if (server->remote_bind_method == NULL && config_entry->remote_bind_method != NULL)
server->remote_bind_method = slapi_ch_strdup(config_entry->remote_bind_method);

server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i],
DNA_REMOTE_CONN_PROT);

if (server->remote_conn_prot == NULL && config_entry->remote_conn_prot != NULL)
server->remote_conn_prot = slapi_ch_strdup(config_entry->remote_conn_prot);

/* validate the entry */
if (!server->host || (server->port == 0 && server->secureport == 0)) {
/* free and skip this one */
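Review bot: the two fallback if statements have no braces while their bodies wrap onto a second line, which differs from the brace style used a few lines later in `if (!server->host || (server->port == 0 && server->secureport == 0)) {`; add braces to both. The blank line placement is also inconsistent between the two blocks (after the bind_method if, but before the conn_prot if). The override semantics themselves look right: a value on the server entry wins, and the global value is only copied with slapi_ch_strdup when the server entry has none, so the later free of the per-server strings stays valid.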
