[Freeipa-devel] [PATCH] 934 don't bind on TLS connect failure

Rob Crittenden rcritten at redhat.com
Fri Jan 27 18:22:51 UTC 2012


Martin Kosek wrote:
> On Thu, 2012-01-26 at 16:37 -0500, Rob Crittenden wrote:
>> In our installer LDAP library (also used by replication tools) we handle
>> the case where the remote server hasn't started yet (wait_on_bind). What
>> this doesn't handle is if the connection fails with SERVER_DOWN due to a
>> TLS failure like hostname doesn't match the remote cert.
>>
>> Binding anyway causes a segfault in openldap.
>>
>> I've opened a bug against openldap, it shouldn't segfault. I also added
>> this patch as a workaround.
>>
>> rob
>
> I wasn't able to reproduce the crash yet, but it seems that your patch
> corrupts the error messages.
>
> Instead of standard error like:
> # ipa-replica-manage del vm-xxx
> Unable to delete replica vm-xxx: {'desc': "Can't contact LDAP server"}
>
> I get those (after I applied your patch):
> # ipa-replica-manage del vm-xxx
> Unable to delete replica vm-xxx: 'info'
> # ipa-replica-manage del vm-142
> Unable to delete replica vm-142: 'info'
> # ipa-replica-manage force-sync --from=vm-xxx
> unexpected error: 'info'
> # ipa-replica-manage force-sync --from=vm-142
> unexpected error: 'info'

I had run into the same problem last night but forgot to send out an 
updated patch. Attached.

rob
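
Added example, not the attached patch and not FreeIPA or python-ldap code: a defensive sketch of the two points in this thread, extracting the error text without depending on an `'info'` key (a bare `'info'` in the output is what `str(KeyError('info'))` prints, consistent with a handler indexing `e.args[0]['info']` unconditionally) and deciding whether a SERVER_DOWN is worth waiting on before binding again. `ServerDown` is a constructed stand-in for `ldap.SERVER_DOWN`, the sample `'info'` text is constructed, and recognising a TLS failure from the `'info'` text is an assumption about what the library reports.

```python
# Constructed stand-in for ldap.SERVER_DOWN: python-ldap raises it with a
# single dict argument carrying 'desc' and, only sometimes, 'info'.
class ServerDown(Exception):
    """Stand-in for ldap.SERVER_DOWN with the same args shape."""


def ldap_error_fields(exc):
    """Return (desc, info) from a python-ldap style exception.

    exc.args[0]['info'] raises KeyError('info') when the key is absent;
    dict.get() keeps the original 'desc' text in the message instead.
    """
    detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    return detail.get('desc', str(exc)), detail.get('info')


def format_ldap_error(exc):
    """One-line message that never depends on 'info' being present."""
    desc, info = ldap_error_fields(exc)
    return "%s: %s" % (desc, info) if info else desc


def is_tls_failure(exc):
    """SERVER_DOWN caused by TLS setup, not by a server that is still starting.

    Assumption: the library puts 'TLS' or 'certificate' in 'info' for this
    case; check what your openldap build actually emits before relying on it.
    """
    _, info = ldap_error_fields(exc)
    text = (info or '').lower()
    return 'tls' in text or 'certificate' in text


def should_retry_bind(exc, elapsed, timeout):
    """wait_on_bind policy: keep waiting while the server may still be coming
    up, but stop at once on a TLS failure instead of binding on that connection
    (binding there is what triggered the openldap crash described above)."""
    if not isinstance(exc, ServerDown):
        return False
    if is_tls_failure(exc):
        return False
    return elapsed < timeout
```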
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-934-1-bind.patch
Type: text/x-diff
Size: 1224 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120127/57eb0b3d/attachment.bin>
