[Freeipa-devel] [PATCH] 934 don't bind on TLS connect failure
Martin Kosek
mkosek at redhat.com
Fri Jan 27 10:38:53 UTC 2012
On Thu, 2012-01-26 at 16:37 -0500, Rob Crittenden wrote:
> In our installer LDAP library (also used by replication tools) we handle
> the case where the remote server hasn't started yet (wait_on_bind). What
> this doesn't handle is if the connection fails with SERVER_DOWN due to a
> TLS failure like hostname doesn't match the remote cert.
>
> Binding anyway causes a segfault in openldap.
>
> I've opened a bug against openldap, it shouldn't segfault. I also added
> this patch as a workaround.
>
> rob
I wasn't able to reproduce the crash yet, but it seems that your patch
corrupts the error messages.
Instead of standard error like:
# ipa-replica-manage del vm-xxx
Unable to delete replica vm-xxx: {'desc': "Can't contact LDAP server"}
I get those (after I applied your patch):
# ipa-replica-manage del vm-xxx
Unable to delete replica vm-xxx: 'info'
# ipa-replica-manage del vm-142
Unable to delete replica vm-142: 'info'
# ipa-replica-manage force-sync --from=vm-xxx
unexpected error: 'info'
# ipa-replica-manage force-sync --from=vm-142
unexpected error: 'info'
Martin
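The symptom above (an error message that degrades to the bare string 'info') is what you get when code does exc.args[0]['info'] on a python-ldap exception whose info dict only carries 'desc': the resulting KeyError('info') stringifies to 'info'. The following is an added example, not FreeIPA's or python-ldap's code, showing the fragile accessor beside a defensive one and a connect loop that stops retrying (and never reaches the bind) when the failure is a TLS error. It assumes python-ldap's exception shape (args[0] is a dict with 'desc' and an optional 'info'), modelled here by a stand-in class so it runs offline, and it assumes OpenLDAP prefixes TLS diagnostics with "TLS:"; the sample messages are constructed.

```python
"""Defensive handling of SERVER_DOWN-style errors from an LDAP client.

Constructed example. python-ldap is not imported; ServerDown below models the
shape of ldap.SERVER_DOWN, whose args[0] is a dict such as
{'desc': "Can't contact LDAP server"} with an optional 'info' key.
"""


class ServerDown(Exception):
    """Stand-in for ldap.SERVER_DOWN (assumption: same args[0] dict shape)."""


# Assumption: OpenLDAP prefixes TLS diagnostics in 'info' with this marker.
TLS_MARKER = "TLS:"


def _detail(exc):
    """Return the info dict carried by the exception, or {} if absent."""
    if exc.args and isinstance(exc.args[0], dict):
        return exc.args[0]
    return {}


def naive_describe(exc):
    """Fragile accessor: raises KeyError('info') when only 'desc' is present.
    str(KeyError('info')) is just 'info', which is the garbled message seen
    in the thread."""
    return exc.args[0]["info"]


def describe_error(exc):
    """Readable message whether or not 'info' is present."""
    detail = _detail(exc)
    desc = detail.get("desc", str(exc))
    info = detail.get("info")
    return f"{desc}: {info}" if info else desc


def is_tls_failure(exc):
    """True when the server-down error came from the TLS layer (for example a
    certificate/hostname mismatch), which no amount of waiting will fix."""
    return TLS_MARKER in _detail(exc).get("info", "")


def connect_with_retry(connect, max_attempts=3):
    """Call connect() until it succeeds.

    Returns (connection, None) on success or (None, message) on failure.
    A TLS failure is reported immediately; the caller must not go on to
    bind on such a connection. Other SERVER_DOWN errors are treated as
    'server not up yet' and retried up to max_attempts times.
    """
    last = None
    for _ in range(max_attempts):
        try:
            return connect(), None
        except ServerDown as exc:
            last = exc
            if is_tls_failure(exc):
                return None, describe_error(exc)
    return None, describe_error(last)


if __name__ == "__main__":
    # Constructed sample: the plain "not contactable" case, no 'info' key.
    plain = ServerDown({"desc": "Can't contact LDAP server"})
    try:
        naive_describe(plain)
    except KeyError as err:
        print("naive accessor produced:", str(err))   # 'info'
    print("defensive accessor produced:", describe_error(plain))
```

The retry loop deliberately treats only the absence of a TLS diagnostic as "wait for the server"; everything the TLS layer rejects is surfaced once, with its description, and no bind follows.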