In our installer LDAP library (also used by the replication tools) we handle the case where the remote server hasn't started yet (wait_on_bind). What this doesn't handle is the connection failing with SERVER_DOWN due to a TLS failure, such as the hostname not matching the remote cert.

Binding anyway causes a segfault in openldap.

I've opened a bug against openldap; it shouldn't segfault. I also added this patch as a workaround.

From e5949142f22abd716dd9f247e73c56ee43a5d4ac Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Thu, 26 Jan 2012 16:32:29 -0500
Subject: [PATCH] Don't try to bind on TLS failure

We have bind code that can handle the case where a server hasn't
come up yet. It needs to handle a real connection failure such
as the TLS hostname not matching. If we try to bind anyway we end
up with a segfault in openldap.
 ipaserver/ |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/ipaserver/ b/ipaserver/
index e2b7486..a5a5307 100644
--- a/ipaserver/
+++ b/ipaserver/
@@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
             bind_func(*args, **kwargs)
         except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
-            if not timeout:
+            if not timeout or 'TLS' in e.args[0]['info']:
+                # No connection to continue on if we have a TLS failure
+                #
                 raise e
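Review bot: the new condition indexes `e.args[0]['info']` unconditionally, but python-ldap only puts an `info` key in the error dict for some errors, so an ordinary SERVER_DOWN from a server that is simply not up yet (the very case wait_on_bind exists for) raises KeyError inside the except handler and the real connection error is lost. Use `.get()` with a default, e.g. `if not timeout or 'TLS' in e.args[0].get('info', ''):`. Two smaller points: the `'TLS'` substring match will also catch any other TLS-related message (untrusted CA, handshake errors), which is fine for a "no connection to continue on" workaround but should be stated in the comment, and the stray empty `#` line after the comment should be dropped. Since the handler re-raises the caught exception unchanged, a bare `raise` instead of `raise e` also keeps the original traceback.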

Freeipa-devel mailing list

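The retry-versus-bail distinction the message describes, as an added example (not FreeIPA's own code). python-ldap is not imported so it runs offline: the two exception classes stand in for ldap.SERVER_DOWN and ldap.CONNECT_ERROR, whose args[0] is a dict with a 'desc' key and, only for some errors, an 'info' key. The names wait_on_bind, is_tls_failure, attempt_bind and the bind stand-ins, the error strings, and the virtual clock are all constructed for this example.

```python
"""Added example, not FreeIPA code: keep retrying an LDAP bind while the
server is still coming up, but stop at once on a TLS failure.

python-ldap is not imported so this runs offline.  The two exception classes
stand in for ldap.SERVER_DOWN and ldap.CONNECT_ERROR, whose args[0] is a dict
with a 'desc' key and, only for some errors, an 'info' key.  Function names,
helper names and error strings below are this example's own constructions.
"""
import time


class SERVER_DOWN(Exception):
    """Stand-in for ldap.SERVER_DOWN (args[0] is a dict)."""


class CONNECT_ERROR(Exception):
    """Stand-in for ldap.CONNECT_ERROR (args[0] is a dict)."""


def is_tls_failure(exc):
    """True when the error's optional 'info' text reports a TLS problem.

    .get() matters: 'info' is absent on a plain "server not up" error, and a
    KeyError raised inside an except handler would hide the real failure.
    """
    details = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    return 'TLS' in (details.get('info') or '')


def wait_on_bind(bind_func, timeout, sleep=time.sleep, clock=time.monotonic):
    """Call bind_func() until it succeeds or `timeout` seconds elapse.

    CONNECT_ERROR/SERVER_DOWN mean "not up yet" and are retried once a
    second.  A TLS failure (bad hostname, untrusted CA) will not clear on
    retry, so it is re-raised immediately; timeout=0 means no retries at all.
    """
    deadline = clock() + timeout
    while True:
        try:
            return bind_func()
        except (CONNECT_ERROR, SERVER_DOWN) as e:
            if not timeout or is_tls_failure(e) or clock() >= deadline:
                raise  # bare raise keeps the original traceback
            sleep(1)


# --- constructed scenarios -------------------------------------------------

def fake_time():
    """Virtual clock (sleep, clock) so the demo does not actually sleep."""
    now = [0.0]
    return (lambda s: now.__setitem__(0, now[0] + s)), (lambda: now[0])


def server_up_after(n_failures):
    """Bind stand-in that fails n times with a bare SERVER_DOWN (no 'info')."""
    calls = [0]

    def bind():
        calls[0] += 1
        if calls[0] <= n_failures:
            raise SERVER_DOWN({'desc': "Can't contact LDAP server"})
    return bind


def tls_hostname_mismatch():
    """Bind stand-in for the failure in the message: cert does not match host."""
    raise SERVER_DOWN({'desc': "Can't contact LDAP server",
                       'info': 'TLS: hostname does not match CN in peer certificate'})


def attempt_bind(bind_func, timeout):
    """Run wait_on_bind under the fake clock; report the outcome instead of raising."""
    sleep, clock = fake_time()
    calls = [0]

    def counted():
        calls[0] += 1
        return bind_func()
    try:
        wait_on_bind(counted, timeout, sleep=sleep, clock=clock)
        return {'ok': True, 'attempts': calls[0], 'tls_failure': False}
    except (CONNECT_ERROR, SERVER_DOWN) as e:
        return {'ok': False, 'attempts': calls[0], 'tls_failure': is_tls_failure(e)}


def demo_results():
    return {
        'server_slow':  attempt_bind(server_up_after(3), timeout=10),     # retried, succeeds on 4th try
        'tls_mismatch': attempt_bind(tls_hostname_mismatch, timeout=10),  # bails on the first try
        'never_up':     attempt_bind(server_up_after(100), timeout=5),    # gives up at the deadline
        'no_retry':     attempt_bind(server_up_after(1), timeout=0),      # timeout=0: raise at once, no KeyError
    }


if __name__ == '__main__':
    for name, outcome in demo_results().items():
        print(name, outcome)
```

The point of the 'no_retry' and 'server_slow' scenarios is that the error dict has no 'info' key at all; classifying with .get() rather than a direct index is what keeps the "server not up yet" path from blowing up inside the except handler.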