In our installer LDAP library (also used by replication tools) we handle the case where the remote server hasn't started yet (wait_on_bind). What this doesn't handle is if the connection fails with SERVER_DOWN due to a TLS failure, like the hostname not matching the remote cert.

Binding anyway causes a segfault in openldap.

I've opened a bug against openldap, it shouldn't segfault. I also added this patch as a workaround.

rob
From e5949142f22abd716dd9f247e73c56ee43a5d4ac Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 26 Jan 2012 16:32:29 -0500
Subject: [PATCH] Don't try to bind on TLS failure

We have bind code that can handle the case where a server hasn't
come up yet. It needs to handle a real connection failure such
as the TLS hostname not matching. If we try to bind anyway we end
up with a segfault in openldap.

https://fedorahosted.org/freeipa/ticket/2301
---
 ipaserver/ipaldap.py |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index e2b7486..a5a5307 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
         try:
             bind_func(*args, **kwargs)
         except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
-            if not timeout:
+            if not timeout or 'TLS' in e.args[0]['info']:
+                # No connection to continue on if we have a TLS failure
+                # https://bugzilla.redhat.com/show_bug.cgi?id=784989
                 raise e
             try:
                 self.__wait_for_connection(timeout)
-- 
1.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel