From 75b3755648c9bb0c9a8f724bed654a9f0136144d Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Thu, 8 Mar 2012 13:29:04 +0100
Subject: Fix ipa-replica-manage TLS connection error

New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its ABI and broke our TLS connection in ipa-replica-manage. This makes it impossible to connect for example to Active Directory to set up a winsync replication. We always receive a connection error stating that Peer's certificate is not recognized even though we pass a correct certificate. This patch fixes the way we set up TLS. The change is backwards compatible with older versions of openldap. https://fedorahosted.org/freeipa/ticket/2500
---
 ipaserver/install/replication.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'ipaserver/install/replication.py')
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 7e89eeb4..c8c5bc13 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -755,9 +755,12 @@ class ReplicationManager(object):
 try:
 # Validate AD connection
 ad_conn = ldap.initialize('ldap://%s' % ipautil.format_netloc(ad_dc_name))
-#the next one is to workaround bugs arounf opendalp libs+NSS db
- ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+ # the next one is to workaround bugs arounf opendalp libs+NSS db
+ # we need to first specify the OPT_X_TLS_CACERTFILE and _after_
+ # that initialize the context to prevent TLS connection errors:
+ # https://bugzilla.redhat.com/show_bug.cgi?id=800787
 ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
+ ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
 ad_conn.start_tls_s()
 ad_conn.simple_bind_s(ad_binddn, ad_pwd)
 res = ad_conn.search_s("", ldap.SCOPE_BASE, '(objectClass=*)',
-- cgit
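Review bot: The reordered TLS setup still sets no `ldap.OPT_X_TLS_REQUIRE_CERT`, so whether the CA file given via `OPT_X_TLS_CACERTFILE` is actually enforced against the AD server's certificate depends on the process-wide default (the `TLS_REQCERT` setting in ldap.conf) rather than on this code; the error quoted in the commit message suggests verification was on in the reported environment, but nothing in the hunk guarantees it. Pin the verification mode explicitly next to the CA file, before the `OPT_X_TLS_NEWCTX` call that, per the commit, must follow the options it picks up: `ad_conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`. The rewritten comment also carries over the typos from its first line; `# the next one works around bugs in the openldap libs + NSS db` reads cleanly. The enclosing try block and method begin before the hunk and continue past it.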