From d0c8188473a79f2bd087ba11b766ccf3f957a1f2 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman
Date: Mon, 19 May 2025 09:44:44 -0300
Subject: [PATCH] ipa relese 4.9.13-17 - kdb: keeep ipadb_get_connection() from succeding with null LDAP context
Resolves: RHEL-58435
Signed-off-by: Rafael Guterres Jeffman
---
 ...ng-with-null-LDAP-context_rhel#58435.patch | 84 +++++++++++++++++++
 ipa.spec | 7 +-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 0039-kdb-keeep-ipadb_get_connection-from-succeding-with-null-LDAP-context_rhel#58435.patch
diff --git a/0039-kdb-keeep-ipadb_get_connection-from-succeding-with-null-LDAP-context_rhel#58435.patch b/0039-kdb-keeep-ipadb_get_connection-from-succeding-with-null-LDAP-context_rhel#58435.patch
new file mode 100644
index 0000000..f27247b
--- /dev/null
+++ b/0039-kdb-keeep-ipadb_get_connection-from-succeding-with-null-LDAP-context_rhel#58435.patch
@@ -0,0 +1,84 @@
+From ae37b3e6ed12bddb650bdce8e9729e81fef40840 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: May 08 2025 06:21:00 +0000
+Subject: kdb: keep ipadb_get_connection() from succeeding with null LDAP context
+
+
+The final call to ipadb_reinit_mspac() in ipadb_get_connection() is not
+considered essential for the function to succeed, as there might be
+cases where the required pieces of information to generate PACs are not
+yet configured in the database. However, in environments where 389ds is
+overwhelmed, the LDAP connection established at the beginning of
+ipadb_get_connection() might already be lost while executing
+ipadb_reinit_mspac().
+
+Connection errors were not distinguished from configuration errors,
+which could result in ipadb_get_connection() succeeding while the LDAP
+context is set to null, leading to a KDC crash on the next LDAP request.
+
+ipadb_get_connection() now explicitly checks the value of the LDAP
+context before returning.
+
+Fixes: https://pagure.io/freeipa/issue/9777
+Reviewed-By: Rob Crittenden
+Reviewed-By: Rob Crittenden
+Reviewed-By: Rafael Guterres Jeffman
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index fcadb8e..98315a0 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -524,26 +524,43 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
+
+ /* get adtrust options using default refresh interval */
+ ret = ipadb_reinit_mspac(ipactx, false, &stmsg);
+- if (ret && stmsg)
+- krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
++ if (ret) {
++ if (stmsg) {
++ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
++ }
++ /* Initialization of the MS-PAC generator is an optional dependency.
++ * Fail only if the connection was lost. */
++ if (!ipactx->lcontext) {
++ goto done;
++ }
++ }
+
+ ret = 0;
+
+ done:
+ ldap_msgfree(res);
+
++ /* LDAP context should never be null on success, but keep this test out of
++ * security to make sure we do not return an invalid context. */
++ if (ret == 0 && !ipactx->lcontext) {
++ krb5_klog_syslog(LOG_WARNING, "Internal malfunction: LDAP connection "
++ "process resulted in an invalid context "
++ "(please report this incident)");
++ ret = LDAP_SERVER_DOWN;
++ }
++
+ if (ret) {
++ /* Cleanup LDAP context if connection failed. */
+ if (ipactx->lcontext) {
+ ldap_unbind_ext_s(ipactx->lcontext, NULL, NULL);
+ ipactx->lcontext = NULL;
+ }
+- if (ret == LDAP_SERVER_DOWN) {
+- return ETIMEDOUT;
+- }
+- return EIO;
++
++ /* Replace LDAP error code by POSIX error code. */
++ ret = ret == LDAP_SERVER_DOWN ? ETIMEDOUT : EIO;
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,
+
diff --git a/ipa.spec b/ipa.spec
index f1620e7..c1ae4c4 100644
--- a/ipa.spec
+++ b/ipa.spec
@@ -190,7 +190,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 16%{?rc_version:.%rc_version}%{?dist}
+Release: 17%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -247,6 +247,7 @@ Patch0035: 0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#
 Patch0036: 0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch
 Patch0037: 0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch
 Patch0038: 0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch
+Patch0039: 0039-kdb-keeep-ipadb_get_connection-from-succeding-with-null-LDAP-context_rhel#58435.patch
 %if 0%{?rhel} >= 8
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
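Review bot: In the new `if (!ipactx->lcontext) { goto done; }` branch after ipadb_reinit_mspac(), `ret` still holds ipadb_reinit_mspac()'s own return value when it reaches the `ret == LDAP_SERVER_DOWN ? ETIMEDOUT : EIO` mapping that was written for LDAP result codes, so a connection lost during MS-PAC initialization is reported as EIO, while the same condition caught by the post-`done:` null check is reported as ETIMEDOUT; the error namespace ipadb_reinit_mspac() returns in is not visible in this hunk, which is exactly why relying on it here is fragile. If callers distinguish ETIMEDOUT (retry) from EIO, the two lost-connection paths should agree, which one added line achieves: `ret = LDAP_SERVER_DOWN;` immediately before `goto done;`. The phrase `keep this test out of security` in the new comment is hard to parse; suggest `/* LDAP context should never be null on success, but keep this defensive check so we never hand back an invalid context. */`. ipadb_get_connection() begins before this hunk, so the declarations and earlier assignments of `ret`, `res` and `stmsg` are not visible here.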
@@ -1761,6 +1762,10 @@ fi
 %endif
 %changelog
+* Mon May 19 2025 Rafael Jeffman - 4.9.13-17
+- kdb: keeep ipadb_get_connection() from succeding with null LDAP context
+ Resolves: RHEL-58435
+
 * Mon Mar 31 2025 Rafael Jeffman - 4.9.13-16
 - Add a- heck into ipa-cert-fix tool to avoid updating certs if CA is close to expire
 Resolves: RHEL-4941