[Freeipa-devel] [PATCH] 934 don't bind on TLS connect failure

Martin Kosek mkosek at redhat.com
Mon Jan 30 09:34:54 UTC 2012


On Fri, 2012-01-27 at 13:22 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2012-01-26 at 16:37 -0500, Rob Crittenden wrote:
> >> In our installer LDAP library (also used by replication tools) we handle
> >> the case where the remote server hasn't started yet (wait_on_bind). What
> >> this doesn't handle is if the connection fails with SERVER_DOWN due to a
> >> TLS failure like hostname doesn't match the remote cert.
> >>
> >> Binding anyway causes a segfault in openldap.
> >>
> >> I've opened a bug against openldap, it shouldn't segfault. I also added
> >> this patch as a workaround.
> >>
> >> rob
> >
> > I wasn't able to reproduce the crash yet, but it seems that your patch
> > corrupts the error messages.
> >
> > Instead of standard error like:
> > # ipa-replica-manage del vm-xxx
> > Unable to delete replica vm-xxx: {'desc': "Can't contact LDAP server"}
> >
> > I get those (after I applied your patch):
> > # ipa-replica-manage del vm-xxx
> > Unable to delete replica vm-xxx: 'info'
> > # ipa-replica-manage del vm-142
> > Unable to delete replica vm-142: 'info'
> > # ipa-replica-manage force-sync --from=vm-xxx
> > unexpected error: 'info'
> > # ipa-replica-manage force-sync --from=vm-142
> > unexpected error: 'info'
> 
> I had run into the same problem last night but forgot to send out an 
> updated patch. Attached.
> 
> rob

ACK. Pushed to master, ipa-2-2.

Martin
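As an added illustration of the two points raised in this thread (not code from the thread or from FreeIPA itself): a connect loop that keeps waiting while the server is simply not up yet but treats a TLS-related SERVER_DOWN as fatal instead of going on to bind, plus error formatting that reads the exception's 'info' key only when it is present, so the user sees the real message rather than a bare "'info'" from a KeyError. python-ldap is replaced by a constructed stand-in exception so the example runs offline; the 'TLS' prefix test on the info string is an assumption about OpenLDAP's error text.

```python
import time

# Constructed stand-in for ldap.SERVER_DOWN so this runs without python-ldap. python-ldap
# exceptions carry a dict in args[0] with 'desc' and, only for some failures, 'info'.
class ServerDown(Exception):
    pass

def error_detail(exc):
    """Return (desc, info) from an LDAP exception, tolerating a missing 'info' key."""
    detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    return detail.get('desc', str(exc)), detail.get('info', '')

def describe_error(exc):
    """Format the error for the user; never KeyError on a payload without 'info'."""
    desc, info = error_detail(exc)
    return "%s: %s" % (desc, info) if info else desc

def is_tls_failure(exc):
    """Assumption: a SERVER_DOWN from a failed TLS handshake carries 'TLS'-prefixed info."""
    return error_detail(exc)[1].startswith('TLS')

def connect_with_wait(connect, timeout=10, sleep=time.sleep, clock=time.monotonic):
    """Retry while the server is not up yet, but stop at once on a TLS failure."""
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            return connect(), attempts          # never bind on a handle that failed TLS
        except ServerDown as e:
            if is_tls_failure(e) or clock() >= deadline:
                raise
            sleep(1)

# Constructed sample payloads and a connect() double; 'handle' stands in for a connection.
NOT_UP_YET = {'desc': "Can't contact LDAP server"}
TLS_MISMATCH = {'desc': "Can't contact LDAP server",
                'info': 'TLS: hostname does not match CN in peer certificate'}

def make_connect(failures, detail):
    state = {'left': failures}
    def connect():
        if state['left'] > 0:
            state['left'] -= 1
            raise ServerDown(detail)
        return 'handle'
    return connect

def try_connect(failures, detail):
    """Drive connect_with_wait with a fake clock; return ('ok', attempts) or ('error', msg)."""
    try:
        conn = make_connect(failures, detail)
        return ('ok', connect_with_wait(conn, sleep=lambda s: None, clock=lambda: 0.0)[1])
    except ServerDown as e:
        return ('error', describe_error(e))
```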
