From ce360f37f884f76512c3d806819267a214352970 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 26 Jan 2012 16:32:29 -0500
Subject: Don't try to bind on TLS failure

We have bind code that can handle the case where a server hasn't come up yet. It needs to handle a real connection failure such as the TLS hostname not matching. If we try to bind anyway we end up with a segfault in openldap.

https://fedorahosted.org/freeipa/ticket/2301
---
 ipaserver/ipaldap.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'ipaserver')

diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 4dca60464..a6f2c9d1a 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
 try:
 bind_func(*args, **kwargs)
 except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
- if not timeout:
+ if not timeout or 'TLS' in e.args[0].get('info', ''):
+ # No connection to continue on if we have a TLS failure
+ # https://bugzilla.redhat.com/show_bug.cgi?id=784989
 raise e
 try:
 self.__wait_for_connection(timeout)
--
cgit
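Review bot: The new `if` condition indexes `e.args[0]` and calls `.get` on it unguarded, so a CONNECT_ERROR/SERVER_DOWN whose args are empty or whose first arg is not a dict (or whose `info` is None) would raise IndexError/AttributeError/TypeError from inside the handler and hide the original connection error. python-ldap normally supplies a dict here, but a cheap guard keeps the handler from failing on its own: `info = e.args[0].get('info', '') if e.args and isinstance(e.args[0], dict) else ''` followed by `if not timeout or 'TLS' in (info or ''):`. The `'TLS'` substring test is also a heuristic on OpenLDAP's message wording; a certificate-verification failure reported without that word would still fall through to the wait-and-retry path and the follow-up bind the commit description says crashes, so the added comment should state that dependency, e.g. `# Heuristic: relies on OpenLDAP putting 'TLS' in the error info; other TLS failures still retry`. The enclosing method begins and ends outside the hunk.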