Fix ipa-replica-manage TLS connection error

New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.

This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.

https://fedorahosted.org/freeipa/ticket/2500
Martin Kosek 2012-03-08 13:29:04 +01:00
parent f5e5bf8f82
commit 75b3755648


@ -755,9 +755,12 @@ class ReplicationManager(object):
try:
# Validate AD connection
ad_conn = ldap.initialize('ldap://%s' % ipautil.format_netloc(ad_dc_name))
#the next one is to workaround bugs arounf opendalp libs+NSS db
ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
# the next one is to workaround bugs arounf opendalp libs+NSS db
# we need to first specify the OPT_X_TLS_CACERTFILE and _after_
# that initialize the context to prevent TLS connection errors:
# https://bugzilla.redhat.com/show_bug.cgi?id=800787
ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
ad_conn.start_tls_s()
ad_conn.simple_bind_s(ad_binddn, ad_pwd)
res = ad_conn.search_s("", ldap.SCOPE_BASE, '(objectClass=*)',
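Review bot: the rewritten comment on the first added line still carries the typos from the removed line ("bugs arounf opendalp libs+NSS db"); since this comment is being replaced anyway, spell it "bugs around openldap libs+NSS db" so the next reader can actually search for it. The reordering itself is correct: with OPT_X_TLS_NEWCTX now set after OPT_X_TLS_CACERTFILE, the freshly created TLS context is built with the CA file already configured, which is why the earlier order (context first, CA file second) left the peer certificate unrecognized on the newer openldap. Since the hunk shows no other TLS options being touched, it would also help to state in the commit message or the comment that the CA file is the only input the new context depends on, so nobody later "simplifies" the two set_option calls back into the old order.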