authorMartin Kosek <mkosek@redhat.com>2012-03-08 13:29:04 +0100
committerMartin Kosek <mkosek@redhat.com>2012-03-14 08:30:51 +0100
commit75b3755648c9bb0c9a8f724bed654a9f0136144d (patch)
tree7cf195a6870d51db9150d91ec88618a7432e0ef7 /ipaserver/install
parentf5e5bf8f82ba2051ace5fc5f29d7bf25631e0a2c (diff)
Fix ipa-replica-manage TLS connection error
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its ABI and broke our TLS connection in ipa-replica-manage. This makes it impossible to connect for example to Active Directory to set up a winsync replication. We always receive a connection error stating that Peer's certificate is not recognized even though we pass a correct certificate. This patch fixes the way we set up TLS. The change is backwards compatible with older versions of openldap. https://fedorahosted.org/freeipa/ticket/2500
Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/replication.py7
1 files changed, 5 insertions, 2 deletions
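--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -755,9 +755,12 @@ class ReplicationManager(object):
 try:
 # Validate AD connection
 ad_conn = ldap.initialize('ldap://%s' % ipautil.format_netloc(ad_dc_name))
- #the next one is to workaround bugs arounf opendalp libs+NSS db
- ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+ # the next one is to workaround bugs arounf opendalp libs+NSS db
+ # we need to first specify the OPT_X_TLS_CACERTFILE and _after_
+ # that initialize the context to prevent TLS connection errors:
+ # https://bugzilla.redhat.com/show_bug.cgi?id=800787
 ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
+ ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
 ad_conn.start_tls_s()
 ad_conn.simple_bind_s(ad_binddn, ad_pwd)
 res = ad_conn.search_s("", ldap.SCOPE_BASE, '(objectClass=*)',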
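Review bot: The new ordering sets OPT_X_TLS_CACERTFILE before OPT_X_TLS_NEWCTX, but the verification mode is still left to the library default (TLS_REQCERT from the system ldap.conf), so whether the AD server certificate is actually checked against `cacert` is not decided by this code. Setting `ad_conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` next to the CA-file option, before the NEWCTX line so it is picked up by the new context, would make the strict check explicit rather than host-configuration dependent. The rewritten comment also carries over the typos `arounf opendalp`; suggest `# the next one is to work around bugs around openldap libs+NSS db`. The enclosing method starts and ends outside the hunk.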