authorRob Crittenden <rcritten@redhat.com>2012-01-26 16:32:29 -0500
committerMartin Kosek <mkosek@redhat.com>2012-01-30 10:34:23 +0100
commit46a472ef20ae3b25a2e4c4f92b26127e73f8f7a4 (patch)
tree3fb57b27d5b9b45d572a55e35e06336866ac5795
parent6863b8fe409f6f267597955376e20df21cfd2dae (diff)
Don't try to bind on TLS failure
We have bind code that can handle the case where a server hasn't come up yet. It needs to handle a real connection failure such as the TLS hostname not matching. If we try to bind anyway we end up with a segfault in openldap. https://fedorahosted.org/freeipa/ticket/2301
-rw-r--r--ipaserver/ipaldap.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index e2b74865..acaea266 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
try:
bind_func(*args, **kwargs)
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
- if not timeout:
+ if not timeout or 'TLS' in e.args[0].get('info', ''):
+ # No connection to continue on if we have a TLS failure
+ # https://bugzilla.redhat.com/show_bug.cgi?id=784989
raise e
try:
self.__wait_for_connection(timeout)
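Review bot: The new condition `'TLS' in e.args[0].get('info', '')` decides whether to fail closed by matching a substring of the library's diagnostic text, and it assumes `e.args[0]` is always a dict. If a certificate or hostname failure is reported with different wording, or with no `info` key, it would presumably still fall through to `__wait_for_connection` and the retry bind that the commit message says ends in a segfault. If `e.args` is empty or holds a plain string, the handler raises IndexError or AttributeError and hides the original connection error. I would read the field defensively first, `info = e.args[0].get('info', '') if e.args and isinstance(e.args[0], dict) else ''`, then test `if not timeout or 'TLS' in info:`, and add a comment such as `# Relies on libldap's message text; TLS errors worded differently are still retried`. The enclosing method starts and ends outside this hunk, so how the retry path behaves after the wait is not visible here.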