authorRob Crittenden <rcritten@redhat.com>2012-01-26 16:32:29 -0500
committerMartin Kosek <mkosek@redhat.com>2012-01-30 10:33:41 +0100
commitce360f37f884f76512c3d806819267a214352970 (patch)
tree36dc1189a6b1bc93936386aa28c624a34d9f0e7f /ipaserver/ipaldap.py
parent0b9279a30a04de447b324eeb87e7a9e3b288bb1d (diff)
Don't try to bind on TLS failure
We have bind code that can handle the case where a server hasn't come up yet. It needs to handle a real connection failure such as the TLS hostname not matching. If we try to bind anyway we end up with a segfault in openldap. https://fedorahosted.org/freeipa/ticket/2301
Diffstat (limited to 'ipaserver/ipaldap.py')
-rw-r--r--ipaserver/ipaldap.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 4dca60464..a6f2c9d1a 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
try:
bind_func(*args, **kwargs)
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
- if not timeout:
+ if not timeout or 'TLS' in e.args[0].get('info', ''):
+ # No connection to continue on if we have a TLS failure
+ # https://bugzilla.redhat.com/show_bug.cgi?id=784989
raise e
try:
self.__wait_for_connection(timeout)
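Review bot: The new condition on the `if not timeout or 'TLS' in e.args[0].get('info', '')` line decides whether a connection failure is fatal by matching the substring 'TLS' in the library's diagnostic text, so it fails open. A certificate or hostname failure whose message is worded differently would still reach `__wait_for_connection` and the retried bind, which the commit message says ends in a segfault. The expression also assumes `e.args[0]` is a dict; if it is missing or is a plain string, the handler raises IndexError or AttributeError and hides the original LDAP error. I would extract the text defensively first, `info = e.args[0].get('info', '') if e.args and isinstance(e.args[0], dict) else ''`, test `'TLS' in info`, and add a comment that the match depends on the message wording of the underlying LDAP library. A bare `raise` instead of `raise e` would also keep the original traceback; the enclosing method starts and ends outside this hunk.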