Fix ipa-replica-manage TLS connection error

New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.

This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.

https://fedorahosted.org/freeipa/ticket/2500

1 files changed, 5 insertions, 2 deletions

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 7e89eeb47..c8c5bc139 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -755,9 +755,12 @@ class ReplicationManager(object):
         try:
             # Validate AD connection
             ad_conn = ldap.initialize('ldap://%s' % ipautil.format_netloc(ad_dc_name))
-            #the next one is to workaround bugs arounf opendalp libs+NSS db
-            ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+            # the next one is to workaround bugs arounf opendalp libs+NSS db
+            # we need to first specify the OPT_X_TLS_CACERTFILE and _after_
+            # that initialize the context to prevent TLS connection errors:
+            # https://bugzilla.redhat.com/show_bug.cgi?id=800787
             ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
+            ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
             ad_conn.start_tls_s()
             ad_conn.simple_bind_s(ad_binddn, ad_pwd)
             res = ad_conn.search_s("", ldap.SCOPE_BASE, '(objectClass=*)',