Don't try to bind on TLS failure

We have bind code that can handle the case where a server hasn't come up yet. It needs to handle a real connection failure such as the TLS hostname not matching. If we try to bind anyway we end up with a segfault in openldap. https://fedorahosted.org/freeipa/ticket/2301
2025-02-25 18:55:28 -06:00 · 2012-01-26 16:32:29 -05:00 · 2012-01-26 16:32:29 -05:00 · ce360f37f8
commit ce360f37f8
parent 0b9279a30a
1 changed files with 3 additions and 1 deletions
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@ -346,7 +346,9 @@ class IPAdmin(IPAEntryLDAPObject):
        try:
            bind_func(*args, **kwargs)
        except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
-            if not timeout:
+            if not timeout or 'TLS' in e.args[0].get('info', ''):
+                # No connection to continue on if we have a TLS failure
+                # https://bugzilla.redhat.com/show_bug.cgi?id=784989
                raise e
            try:
                self.__wait_for_connection(timeout)