author | Rob Crittenden <rcritten@redhat.com> | 2012-01-26 16:32:29 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-01-30 10:33:41 +0100 |
commit | ce360f37f884f76512c3d806819267a214352970 (patch) | |
tree | 36dc1189a6b1bc93936386aa28c624a34d9f0e7f /ipaserver/ipaldap.py | |
parent | 0b9279a30a04de447b324eeb87e7a9e3b288bb1d (diff) | |
Don't try to bind on TLS failure
We have bind code that can handle the case where a server hasn't
come up yet. It needs to handle a real connection failure such
as the TLS hostname not matching. If we try to bind anyway we end
up with a segfault in openldap.
https://fedorahosted.org/freeipa/ticket/2301
Diffstat (limited to 'ipaserver/ipaldap.py')
-rw-r--r-- | ipaserver/ipaldap.py | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 4dca60464..a6f2c9d1a 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
 try:
 bind_func(*args, **kwargs)
 except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
- if not timeout:
+ if not timeout or 'TLS' in e.args[0].get('info', ''):
+ # No connection to continue on if we have a TLS failure
+ # https://bugzilla.redhat.com/show_bug.cgi?id=784989
 raise e
 try:
 self.__wait_for_connection(timeout)
 |
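Review bot: The added test `'TLS' in e.args[0].get('info', '')` assumes the exception always carries a dict as its first argument. If `e.args` is empty or holds a plain string, the handler raises IndexError or AttributeError and hides the original LDAP error. Reading the field defensively avoids that: `info = e.args[0].get('info', '') if e.args and isinstance(e.args[0], dict) else ''`, then `if not timeout or 'TLS' in info:`. Matching the literal substring 'TLS' also depends on the wording the underlying library puts in `info`. A certificate or hostname failure reported without that token would presumably still reach the wait-and-rebind path that the commit message says crashes in openldap, so the comment should state that the check is message-based and best-effort. The enclosing method starts and ends outside this hunk, so the bind and retry logic around it is not visible here.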