Martin Kosek wrote:
On Thu, 2012-01-26 at 16:37 -0500, Rob Crittenden wrote:
In our installer LDAP library (also used by replication tools) we handle
the case where the remote server hasn't started yet (wait_on_bind). What
this doesn't handle is if the connection fails with SERVER_DOWN due to a
TLS failure like hostname doesn't match the remote cert.
Binding anyway causes a segfault in openldap.
I've opened a bug against openldap, it shouldn't segfault. I also added
this patch as a workaround.
rob
I wasn't able to reproduce the crash yet, but it seems that your patch
corrupts the error messages.
Instead of standard error like:
# ipa-replica-manage del vm-xxx
Unable to delete replica vm-xxx: {'desc': "Can't contact LDAP server"}
I get those (after I applied your patch):
# ipa-replica-manage del vm-xxx
Unable to delete replica vm-xxx: 'info'
# ipa-replica-manage del vm-142
Unable to delete replica vm-142: 'info'
# ipa-replica-manage force-sync --from=vm-xxx
unexpected error: 'info'
# ipa-replica-manage force-sync --from=vm-142
unexpected error: 'info'
I had run into the same problem last night but forgot to send out an
updated patch. Attached.
rob
From 32789dc7a9e179846d931855a9c2c269e5574e60 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 26 Jan 2012 16:32:29 -0500
Subject: [PATCH 1/2] Don't try to bind on TLS failure
We have bind code that can handle the case where a server hasn't
come up yet. It needs to handle a real connection failure such
as the TLS hostname not matching. If we try to bind anyway we end
up with a segfault in openldap.
https://fedorahosted.org/freeipa/ticket/2301
---
ipaserver/ipaldap.py | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index e2b7486..acaea26 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
try:
bind_func(*args, **kwargs)
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
- if not timeout:
+ if not timeout or 'TLS' in e.args[0].get('info', ''):
+ # No connection to continue on if we have a TLS failure
+ # https://bugzilla.redhat.com/show_bug.cgi?id=784989
raise e
try:
self.__wait_for_connection(timeout)
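Review bot: the new condition `'TLS' in e.args[0].get('info', '')` assumes `e.args[0]` is a dict; python-ldap normally passes one, but if the exception ever carries a plain string (or an empty `args`), the `.get` call raises AttributeError/IndexError inside the except clause and the original SERVER_DOWN/CONNECT_ERROR is replaced by an unrelated traceback. Suggest guarding with `isinstance(e.args[0], dict)` (or a small helper that returns `''` otherwise) before the substring test. Matching the literal substring `TLS` in a human-readable message is also brittle; the comment should say that this relies on the wording of OpenLDAP's TLS error text, since the same clause catches CONNECT_ERROR as well and it is not shown here that both carry the same `info` payload.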
--
1.7.6
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
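The retry-versus-fail decision discussed in this thread, as an added example that is not FreeIPA's ipaldap.py: the TLS check is written defensively so that a payload without an 'info' key, or one that is not a dict, falls back to retrying instead of raising the KeyError seen above. The SERVER_DOWN/CONNECT_ERROR classes, the 'info' text and the bind functions are constructed stand-ins for python-ldap's.

```python
import time


class SERVER_DOWN(Exception):
    """Stand-in for ldap.SERVER_DOWN (constructed for this example)."""


class CONNECT_ERROR(Exception):
    """Stand-in for ldap.CONNECT_ERROR (constructed for this example)."""


def is_tls_failure(exc):
    """True when the error payload reports a TLS-related failure.

    python-ldap puts a dict such as {'desc': ..., 'info': ...} in exc.args[0],
    but 'info' is optional and args[0] is not guaranteed to be a dict, so every
    lookup is defensive: anything unexpected is treated as "not a TLS failure".
    """
    payload = exc.args[0] if exc.args else None
    if isinstance(payload, dict):
        info = payload.get('info') or ''
    else:
        info = str(payload or '')
    return 'TLS' in info


def bind_with_wait(bind_func, timeout, sleep=time.sleep):
    """Call bind_func, retrying once a second while the server is still coming
    up; re-raise immediately on a TLS failure, when timeout is 0, or after
    `timeout` retries. Returns the number of retries that were needed."""
    retries = 0
    while True:
        try:
            bind_func()
            return retries
        except (CONNECT_ERROR, SERVER_DOWN) as e:
            if not timeout or is_tls_failure(e):
                raise  # no connection to continue on, do not keep binding
            if retries >= timeout:
                raise  # waited long enough, give up
            retries += 1
            sleep(1)


def flaky_bind(failures):
    """Constructed bind_func: raises SERVER_DOWN `failures` times, then succeeds."""
    state = {'left': failures}

    def bind():
        if state['left'] > 0:
            state['left'] -= 1
            raise SERVER_DOWN({'desc': "Can't contact LDAP server"})
    return bind
```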