The call to create_connection in the backend was outside a try/except so we would miss public ACI errors. This will catch them.

To test this you can delete the S4U2Proxy delegation:

$ ldapmodify -x -D 'cn=directory manager' -W
LDAP Password:
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: modify
delete: memberPrincipal

$ kinit admin
$ user-show admin
ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE

To fix your instance run:

# ipa-ldap-updater --ldapi /usr/share/ipa/updates/30-s4u2proxy.update

rob
From 51dc727ccc20d79b1f8fe80c426d3e16a87b8a79 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 23 Feb 2012 17:25:53 -0500
Subject: [PATCH] Catch public exceptions when creating the LDAP context in
 WSGI.

Made specifically for the case where S4U2Proxy delegation fails.

https://fedorahosted.org/freeipa/ticket/2414
---
 ipaserver/plugins/ldap2.py |    3 +++
 ipaserver/rpcserver.py     |    8 +++++++-
 2 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 6ed21217a9b5f6951d95a7d3c2b7e12552300dc5..182de76a9b6de53b8e7fdcee17fe4aca506cb21d 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -240,6 +240,9 @@ def _handle_errors(e, **kw):
     except _ldap.SUCCESS:
         pass
     except _ldap.LDAPError, e:
+        if 'NOT_ALLOWED_TO_DELEGATE' in info:
+            raise errors.ACIError(info="KDC returned NOT_ALLOWED_TO_DELEGATE")
+        root_logger.info('Unhandled LDAPError: %s' % str(e))
         raise errors.DatabaseError(desc=desc, info=info)
 
 
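Review bot: the new `if 'NOT_ALLOWED_TO_DELEGATE' in info:` line assumes `info` is always a string, but `info` is built earlier in `_handle_errors` from the exception's argument dict and that code is not visible in this hunk; if it can be None or unset for some `LDAPError` instances, the substring test raises `TypeError` inside the error handler and masks the original error. Guard it as `if info and 'NOT_ALLOWED_TO_DELEGATE' in info:`. The added log line also pre-formats the message with `%` rather than letting the logger do it; `root_logger.info('Unhandled LDAPError: %s', e)` is the usual form and keeps the original exception text out of the string-formatting path.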
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 91e525a317304fa39f6f0828e0b4dd0c007891bb..205dc7655235fdaa749b711b8a268aeb044a5274 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -317,9 +317,15 @@ class xmlserver(WSGIExecutioner):
         '''
 
         self.debug('WSGI xmlserver.__call__:')
-        self.create_context(ccache=environ.get('KRB5CCNAME'))
         try:
+            self.create_context(ccache=environ.get('KRB5CCNAME'))
             response = super(xmlserver, self).__call__(environ, start_response)
+        except PublicError, e:
+            status = '200 OK'
+            response = status
+            headers = [('Content-Type', 'text/plain')]
+            start_response(status, headers)
+            return self.marshal(None, e)
         finally:
             destroy_context()
         return response
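Review bot: `response = status` in the new `except PublicError, e:` branch is dead code, since the branch returns `self.marshal(None, e)` two lines later and `response` is never read; drop it. Also check the `Content-Type` header: the branch sends `text/plain`, but `self.marshal` produces the same serialized error body the normal `xmlserver` path emits, so the header should match whatever the success path sets (its value is not visible in this hunk). Finally, moving `self.create_context(...)` inside the `try` means `destroy_context()` in `finally` now runs even when `create_context` failed part-way; confirm `destroy_context` tolerates a context that was never fully established.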
-- 
1.7.6.5

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
