DirectoryAuth - broken ldap connections

[Martin Kofahl]

In particular cases (currently unknown -- firewall setup, broken server software, maybe even libldap), an existing ldap connection resp. the connection object gets invalid.

After successful authentication, permissions are revoked after some time (depending on cache_timeout):

Dispatching <RequestWithSession "GET '/admin'">
Retrieving session for ID u'username'
Checking permission called with: action(TRAC_ADMIN),                    username(username), resource(<Resource u'admin:general/basics'>), perm(<trac.perm.PermissionCache object at 0x7fbaf32e4a50>)
_dir_search: searching ou=users,dc=example,dc=com for (&(uid=username)(objectClass=person))(6e115com0601a78ac47ca2600bf695142)
_bind_dir: attempting general bind to ldaps://ldap.example.com:636 as cn=Trac Authentication,cn=Technical DNs,cn=config
_bind_dir: Bound to ldaps://ldap.example.com:636 correctly.
_dir_search: starting LDAP search of ldaps://ldap.example.com:636 ou=users,dc=example,dc=com using (&(uid=username)(objectClass=person)) for ['uid']
_ldap_search: ldap query with page size 1000
_ldap_search: serverControls: []
_ldap_search: result = []
_dir_search: dir miss.

Adding a trace_file in auth.py, libldap only reports SERVER_DOWN.

Although the DirectoryAuthPlugin makes use of the ReconnectLDAPObject, bind_s is the only call benefit from it. All other methods are call asynchronous, not handling SERVER_DOWN exceptions.

[Martin Kofahl]

configuration dir_reconnect = False|True

[Martin Kofahl]

As a workaround, the new setting dir_reconnect can be set to True making Trac to always reconnect the ldap server.

[bebbo]

In 17284:

refs #13095: added an additional connect attempt in case the connection is broken.

ReconnectLDAPObject seems not to hold what I expect.

Now if search _ldap_search throws an exception _bind_dir is used to obtain a new connection and the _ldap_search is tried again.