author | Jan Cholasta <jcholast@redhat.com> | 2015-09-02 14:04:17 +0200 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-09-04 13:31:46 +0200 |
commit | 198908ec78b9a2dbdb802c3a094ec8f54b931d7a (patch) | |
tree | 47d1b1ab38a98c4d7136cb32b6fc5bfc5927b5bd /ipaserver/plugins/ldap2.py | |
parent | ecf796e9c021a3b06e670f0602e8a10dcfd6f1f1 (diff) | |
ldap: Make ldap2 connection management thread-safe again
This fixes the connection code in LDAPClient to not store the LDAP connection
in an attribute of the object, which in combination with ldap2's per-thread
connections led to race conditions resulting in connection failures. The ldap2
code was updated accordingly.
https://fedorahosted.org/freeipa/ticket/5268
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Diffstat (limited to 'ipaserver/plugins/ldap2.py')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 33 |
1 files changed, 15 insertions, 18 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index acaf45fdd..abeb522f7 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -77,10 +77,7 @@ class ldap2(CrudBackend, LDAPClient): # do not set it pass - def _disconnect(self): - pass - - def __del__(self): + def close(self): if self.isconnected(): self.disconnect() @@ -120,10 +117,11 @@ class ldap2(CrudBackend, LDAPClient): if debug_level: _ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level) - LDAPClient._connect(self) - conn = self._conn + client = LDAPClient(self.ldap_uri, + force_schema_updates=self._force_schema_updates) + conn = client._conn - with self.error_handler(): + with client.error_handler(): minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN) maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX) # Always connect with at least an SSF of 56, confidentiality @@ -137,15 +135,15 @@ class ldap2(CrudBackend, LDAPClient): ldapi = self.ldap_uri.startswith('ldapi://') if bind_pw: - self.simple_bind(bind_dn, bind_pw, - server_controls=serverctrls, - client_controls=clientctrls) + client.simple_bind(bind_dn, bind_pw, + server_controls=serverctrls, + client_controls=clientctrls) elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi: try: pw_name = pwd.getpwuid(os.geteuid()).pw_name - self.external_bind(pw_name, - server_controls=serverctrls, - client_controls=clientctrls) + client.external_bind(pw_name, + server_controls=serverctrls, + client_controls=clientctrls) except errors.NotFound: if autobind == AUTOBIND_ENABLED: # autobind was required and failed, raise @@ -153,7 +151,7 @@ class ldap2(CrudBackend, LDAPClient): raise else: if ldapi: - with self.error_handler(): + with client.error_handler(): conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host) if ccache is None: os.environ.pop('KRB5CCNAME', None) 
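Review bot: The new `close()` in the hunk at -77 has no docstring, and with `__del__` removed nothing in this hunk ties cleanup to object lifetime any more, so an owner that never calls `close()` leaves its LDAP connection bound until something else tears it down. A docstring such as `"""Disconnect from the LDAP server if this backend is connected."""` would state the contract. Whether every owner of an `ldap2` instance now calls `close()` cannot be checked here, because the diffstat is limited to this file. The class body continues outside the hunk.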
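Review bot: Nothing visible releases the new local `client` in the hunk at -120 when a later step raises: the `get_option` calls under `client.error_handler()` here, and the `simple_bind`, `external_bind` and `gssapi_bind` calls in the hunks at -137 and -162, all run after `client._conn` already exists. If `LDAPClient` opens the connection in its constructor, which reading `client._conn` on the next line suggests, a failed bind leaves an unauthenticated connection open until garbage collection reclaims it. Wrapping the bind section so that any exception calls `client.unbind()` before re-raising would make that path deterministic. `conn = client._conn` also depends on a private attribute of another object; a comment such as `# return the raw connection; the LDAPClient wrapper is only needed for binding` would record why. The enclosing method starts and ends outside the hunk.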
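Review bot: `os.environ.pop('KRB5CCNAME', None)` at the end of the hunk at -153 still edits process-wide state on a path this commit makes per-thread, so two threads connecting with different `ccache` values can interleave between the environment change and the `client.gssapi_bind(...)` call in the hunk at -162. If the branch that sets `KRB5CCNAME` (not visible in these hunks) works the same way, one thread could bind with the credential cache another thread selected. Either hold one lock across the environment change and the bind, or add a comment here such as `# KRB5CCNAME is process-global: callers must not connect with different ccaches concurrently`. The enclosing method starts and ends outside the hunk.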
@@ -162,8 +160,8 @@ class ldap2(CrudBackend, LDAPClient): principal = krb_utils.get_principal(ccache_name=ccache) - self.gssapi_bind(server_controls=serverctrls, - client_controls=clientctrls) + client.gssapi_bind(server_controls=serverctrls, + client_controls=clientctrls) setattr(context, 'principal', principal) return conn @@ -171,9 +169,8 @@ class ldap2(CrudBackend, LDAPClient): def destroy_connection(self): """Disconnect from LDAP server.""" try: - if self._conn is not None: + if self.conn is not None: self.unbind() - LDAPClient._disconnect(self) except errors.PublicError: # ignore when trying to unbind multiple times pass |
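Review bot: `except errors.PublicError: pass` in `destroy_connection` (hunk at -171) hides every public error raised by `self.unbind()`, not only the repeated-unbind case the comment names, so a connection that failed to close leaves no trace. Logging the exception at debug level before ignoring it keeps the best-effort behaviour and leaves evidence for troubleshooting. Separately, the guard now reads `self.conn` instead of `self._conn`; `conn` is defined outside this file section, so confirm that it returns `None` rather than raising when the calling thread has no connection, otherwise the `is not None` test never takes effect.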