Active Directory auth: try other domain-controllers even when STARTTLS fails
Review Request #5701 — Created April 11, 2014 and submitted
When STARTTLS fails for a domain controller don't bail out: instead keep
trying the other domain controllers. E.g. it could fail for the same
reason that unencrypted binds could fail: server unavailability.
This change ensures that unavailable servers as well as servers with
unrecognized certificates are skipped while still logging a decent
message for server admins to find out what's going on.
NOTE: this patch applies to 2.0.x and master as well and looks to apply cleanly to 1.0.x, 1.5.x and 1.6.x as well but I'm not sure that those are still maintained (their release branches still live on github).
Tested this on my company's review board server. Without it I get a failure every few login-attempts when one of our domain controllers is down (I've got TLS enabled for active directory authentication). With this patch it only logs a warning and goes on with the next server.
The fact that it only fails every once in a while is probably related due to SRV order-randomisation within the same priority level (all of our domain controllers get assigned the same priority).