Refactor sdap_cli_connect

[pbrezina]

sdap: remove be context from sdap_cli_connect code

This is a steps towards new implementation of new failover mechanism.
The new code will reuse sdap_cli_connect to connect to the LDAP server
but it will not use any be resolver stuff. This patch moves be resolver
usage one level up so the connection code can be easily reused.

It also moves kinit before connecting to LDAP into a separate,
standalone step (previously it was connect -> kinit -> sasl bind,
now it is kinit -> connect -> sasl bind).

[pbrezina]

The underlying code will be reused in the new failover mechanism, but I expect the the new failover code will likely be part of the master branch before the code starts using it and the old failover is removed, so I'd like to get this reviewed and merged.

[gemini-code-assist]

Code Review

This pull request refactors the LDAP connection logic by separating server resolution and kinit from the core connection function sdap_cli_connect. The server resolution and kinit logic is moved into a new set of functions, sdap_cli_resolve_and_connect_*. This change is a step towards a new failover mechanism and also changes the authentication flow to perform kinit before connecting to the LDAP server. The changes are mostly in src/providers/ldap/sdap_async_connection.c and affect several call sites. The refactoring is well-structured, but I found one issue where a configuration option check was missed during the refactoring.

[alexey-tikhonov]

Note: Covscan is green.

[alexey-tikhonov]

I did a first round and have no other comments so far (besides two questions inline), but I must admit it's easy to get lost in sdap_cli_connect_step() vs sdap_connect_send, etc...

[pbrezina]

Thank you. Those lines were just a left over and can be safely removed.

but I must admit it's easy to get lost in sdap_cli_connect_step() vs sdap_connect_send, etc...

Yes, the logic is wild and the code would welcome proper refactoring. But I want to avoid doing that along upcoming failover changes to avoid issues in this area.

[alexey-tikhonov]

Thank you, ACK.

[sumit-bose]

Hi,

thank you for the patch, code wise it looks good and I'm using the patch since about a week on my laptop without issues, ACK.

bye,
Sumit

[sssd-bot]

The pull request was accepted by @sumit-bose with the following PR CI status:

---

🟢 CodeFactor (success)
🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🔴 ci / system (fedora-44) (failure)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.