ipa release 4.9.13-17

- kdb: keep ipadb_get_connection() from succeeding with null LDAP context

Resolves: RHEL-58435
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
parent 9b0db8834c
commit d0c8188473
@ -0,0 +1,84 @@
From ae37b3e6ed12bddb650bdce8e9729e81fef40840 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: May 08 2025 06:21:00 +0000
Subject: kdb: keep ipadb_get_connection() from succeeding with null LDAP context
The final call to ipadb_reinit_mspac() in ipadb_get_connection() is not
considered essential for the function to succeed, as there might be
cases where the required pieces of information to generate PACs are not
yet configured in the database. However, in environments where 389ds is
overwhelmed, the LDAP connection established at the beginning of
ipadb_get_connection() might already be lost while executing
ipadb_reinit_mspac().
Connection errors were not distinguished from configuration errors,
which could result in ipadb_get_connection() succeeding while the LDAP
context is set to null, leading to a KDC crash on the next LDAP request.
ipadb_get_connection() now explicitly checks the value of the LDAP
context before returning.
Fixes: https://pagure.io/freeipa/issue/9777
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fcadb8e..98315a0 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -524,26 +524,43 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
/* get adtrust options using default refresh interval */
ret = ipadb_reinit_mspac(ipactx, false, &stmsg);
- if (ret && stmsg)
- krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
+ if (ret) {
+ if (stmsg) {
+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
+ }
+ /* Initialization of the MS-PAC generator is an optional dependency.
+ * Fail only if the connection was lost. */
+ if (!ipactx->lcontext) {
+ goto done;
+ }
+ }
ret = 0;
done:
ldap_msgfree(res);
+ /* LDAP context should never be null on success, but keep this test out of
+ * security to make sure we do not return an invalid context. */
+ if (ret == 0 && !ipactx->lcontext) {
+ krb5_klog_syslog(LOG_WARNING, "Internal malfunction: LDAP connection "
+ "process resulted in an invalid context "
+ "(please report this incident)");
+ ret = LDAP_SERVER_DOWN;
+ }
+
if (ret) {
+ /* Cleanup LDAP context if connection failed. */
if (ipactx->lcontext) {
ldap_unbind_ext_s(ipactx->lcontext, NULL, NULL);
ipactx->lcontext = NULL;
}
- if (ret == LDAP_SERVER_DOWN) {
- return ETIMEDOUT;
- }
- return EIO;
+
+ /* Replace LDAP error code by POSIX error code. */
+ ret = ret == LDAP_SERVER_DOWN ? ETIMEDOUT : EIO;
}
- return 0;
+ return ret;
}
static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,
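Review bot: on the new early-exit path `if (!ipactx->lcontext) { goto done; }`, ret still holds the value returned by ipadb_reinit_mspac(), so unless that function reports a lost connection as LDAP_SERVER_DOWN, the later `ret = ret == LDAP_SERVER_DOWN ? ETIMEDOUT : EIO;` turns this lost-connection case into EIO while the other connection failures map to ETIMEDOUT; if callers are meant to treat both the same way, set `ret = LDAP_SERVER_DOWN;` before the goto. Two smaller points: the comment "keep this test out of security" reads oddly and presumably means "as a safeguard", and the ternary parses correctly but would be easier to read as `ret = (ret == LDAP_SERVER_DOWN) ? ETIMEDOUT : EIO;`.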
ipa.spec
@ -190,7 +190,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 16%{?rc_version:.%rc_version}%{?dist}
Release: 17%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -247,6 +247,7 @@ Patch0035: 0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#
Patch0036: 0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch
Patch0037: 0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch
Patch0038: 0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch
Patch0039: 0039-kdb-keeep-ipadb_get_connection-from-succeding-with-null-LDAP-context_rhel#58435.patch
%if 0%{?rhel} >= 8
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
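Review bot: the new Patch0039 file name carries two misspellings ("keeep", "succeding") that the upstream subject line "kdb: keep ipadb_get_connection() from succeeding with null LDAP context" does not; since the name is baked into the spec and will be echoed by the changelog entry, rename it to `0039-kdb-keep-ipadb_get_connection-from-succeeding-with-null-LDAP-context_rhel#58435.patch` before this lands. Numbering and the `_rhel#<id>` suffix are otherwise consistent with Patch0036 through Patch0038 above.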
@ -1761,6 +1762,10 @@ fi
%endif
%changelog
* Mon May 19 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-17
- kdb: keeep ipadb_get_connection() from succeding with null LDAP context
Resolves: RHEL-58435
* Mon Mar 31 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-16
- Add a- heck into ipa-cert-fix tool to avoid updating certs if CA is close to expire
Resolves: RHEL-4941
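Review bot: the changelog line `- kdb: keeep ipadb_get_connection() from succeeding with null LDAP context` should be corrected to the upstream wording (`keep`, `succeeding`), as this text is what users see in `rpm -q --changelog`; the rest of the entry (Monday date, 4.9.13-17 matching the Release bump, Resolves: RHEL-58435 matching the patch suffix) is consistent.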