Martin Kosek wrote:
On Thu, 2012-01-26 at 16:37 -0500, Rob Crittenden wrote:
In our installer LDAP library (also used by replication tools) we handle
the case where the remote server hasn't started yet (wait_on_bind). What
this doesn't handle is if the connection fails with SERVER_DOWN due to a
TLS failure like hostname doesn't match the remote cert.

Binding anyway causes a segfault in openldap.

I've opened a bug against openldap, it shouldn't segfault. I also added
this patch as a workaround.

rob

I wasn't able to reproduce the crash yet, but it seems that your patch
corrupts the error messages.

Instead of standard error like:
# ipa-replica-manage del vm-xxx
Unable to delete replica vm-xxx: {'desc': "Can't contact LDAP server"}

I get those (after I applied your patch):
# ipa-replica-manage del vm-xxx
Unable to delete replica vm-xxx: 'info'
# ipa-replica-manage del vm-142
Unable to delete replica vm-142: 'info'
# ipa-replica-manage force-sync --from=vm-xxx
unexpected error: 'info'
# ipa-replica-manage force-sync --from=vm-142
unexpected error: 'info'

I had run into the same problem last night but forgot to send out an updated patch. Attached.

rob
From 32789dc7a9e179846d931855a9c2c269e5574e60 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 26 Jan 2012 16:32:29 -0500
Subject: [PATCH 1/2] Don't try to bind on TLS failure

We have bind code that can handle the case where a server hasn't
come up yet. It needs to handle a real connection failure such
as the TLS hostname not matching. If we try to bind anyway we end
up with a segfault in openldap.

https://fedorahosted.org/freeipa/ticket/2301
---
 ipaserver/ipaldap.py |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index e2b7486..acaea26 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
         try:
             bind_func(*args, **kwargs)
         except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
-            if not timeout:
+            if not timeout or 'TLS' in e.args[0].get('info', ''):
+                # No connection to continue on if we have a TLS failure
+                # https://bugzilla.redhat.com/show_bug.cgi?id=784989
                 raise e
             try:
                 self.__wait_for_connection(timeout)
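Review bot: the new condition on the `if not timeout` line still assumes `e.args[0]` is a dict, so `'TLS' in e.args[0].get('info', '')` raises IndexError when `e.args` is empty and AttributeError when `args[0]` is a plain string, turning a connection failure into an unrelated traceback. Guard it first, e.g. `info = e.args[0].get('info', '') if e.args and isinstance(e.args[0], dict) else ''` and then test `'TLS' in info`. Using `.get('info', '')` does fix the bare `'info'` (KeyError) messages Martin reported from the first version of the patch. Two smaller points in the same hunk: prefer a bare `raise` over `raise e` so the original traceback is preserved, and since matching the substring `TLS` against free-text `info` is fragile, the comment should name the openldap messages it is meant to catch so the next reader knows what the check keys on.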
-- 
1.7.6
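The bind-with-wait logic discussed in this thread, as an added stand-alone example (it is not FreeIPA's ipaldap.py and not the patch above): retry while the server is still starting, but give up immediately on a TLS failure, and do so without assuming that the exception's `args[0]` is a dict. python-ldap is not imported; the `SERVER_DOWN`/`CONNECT_ERROR` classes below are constructed stand-ins that mimic its shape (a dict with `desc` and optional `info` in `args[0]`), and the sample `info` strings are constructed for the demo. `sleep` and `clock` are injectable so the behaviour can be exercised offline.

```python
"""Bind-with-wait that stops retrying on a TLS failure (added example)."""
import time


class LDAPError(Exception):
    """Constructed stand-in for python-ldap's ldap.LDAPError."""


class SERVER_DOWN(LDAPError):
    """python-ldap raises this with a dict in args[0]: {'desc': ..., 'info': ...}."""


class CONNECT_ERROR(LDAPError):
    """Constructed stand-in for ldap.CONNECT_ERROR."""


def tls_failure_info(exc):
    """Return the 'info' text when exc describes a TLS failure, else None.

    Assumption: as with python-ldap, args[0] is usually a dict with 'desc' and
    an optional 'info' key.  Be defensive anyway: args may be empty, args[0]
    may be a bare string, and 'info' may be absent (indexing it directly is
    what produces a bare "'info'" KeyError message instead of the LDAP error).
    """
    if not exc.args or not isinstance(exc.args[0], dict):
        return None
    info = exc.args[0].get('info') or ''
    return info if 'TLS' in info else None


def bind_with_wait(bind_func, timeout, interval=1.0,
                   sleep=time.sleep, clock=time.monotonic):
    """Call bind_func until it succeeds or `timeout` seconds elapse.

    Retrying only makes sense while the server is still coming up.  A TLS
    failure (hostname mismatch, untrusted issuer) leaves no connection to
    continue on, so it is re-raised at once; so is any failure when timeout
    is falsy.  A bare `raise` keeps the original traceback (unlike `raise e`).
    """
    deadline = clock() + (timeout or 0)
    while True:
        try:
            return bind_func()
        except (CONNECT_ERROR, SERVER_DOWN) as e:
            if not timeout or tls_failure_info(e) is not None:
                raise
            if clock() >= deadline:
                raise
            sleep(interval)


def run_scenarios():
    """Exercise the three cases with a fake clock; returns the outcomes."""
    ticks = [0.0]

    def clock():
        return ticks[0]

    def sleep(seconds):
        ticks[0] += seconds

    results = {}
    calls = [0]

    # 1. Server still starting: two plain SERVER_DOWN errors, then a bind.
    def slow_start():
        calls[0] += 1
        if calls[0] < 3:
            raise SERVER_DOWN({'desc': "Can't contact LDAP server"})
        return 'bound'
    results['slow_start'] = (bind_with_wait(slow_start, 10, sleep=sleep,
                                            clock=clock), calls[0])

    # 2. TLS hostname mismatch (constructed info text): give up on attempt 1.
    calls[0] = 0

    def tls_mismatch():
        calls[0] += 1
        raise SERVER_DOWN({'desc': "Can't contact LDAP server",
                           'info': 'TLS: hostname does not match CN in peer certificate'})
    try:
        bind_with_wait(tls_mismatch, 10, sleep=sleep, clock=clock)
        results['tls'] = ('no error', calls[0])
    except SERVER_DOWN as e:
        results['tls'] = (tls_failure_info(e), calls[0])

    # 3. Server never comes up: retry until the deadline, then re-raise.
    calls[0] = 0
    ticks[0] = 0.0

    def never_up():
        calls[0] += 1
        raise SERVER_DOWN({'desc': "Can't contact LDAP server"})
    try:
        bind_with_wait(never_up, 3, sleep=sleep, clock=clock)
        results['never_up'] = ('no error', calls[0])
    except SERVER_DOWN:
        results['never_up'] = ('gave up', calls[0])
    return results


if __name__ == '__main__':
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

With a real python-ldap connection the `bind_func` would be `conn.simple_bind_s` or the SASL equivalent and the stand-in exception classes would be replaced by `ldap.SERVER_DOWN` and `ldap.CONNECT_ERROR`; the `isinstance(exc.args[0], dict)` guard is the part that keeps a malformed error from masking the real connection failure.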

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
