From ae37b3e6ed12bddb650bdce8e9729e81fef40840 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: May 08 2025 06:21:00 +0000
Subject: kdb: keep ipadb_get_connection() from succeeding with null LDAP context


The final call to ipadb_reinit_mspac() in ipadb_get_connection() is not
considered essential for the function to succeed, as there might be
cases where the required pieces of information to generate PACs are not
yet configured in the database. However, in environments where 389ds is
overwhelmed, the LDAP connection established at the beginning of
ipadb_get_connection() might already be lost while executing
ipadb_reinit_mspac().

Connection errors were not distinguished from configuration errors,
which could result in ipadb_get_connection() succeeding while the LDAP
context is set to null, leading to a KDC crash on the next LDAP request.

ipadb_get_connection() now explicitly checks the value of the LDAP
context before returning.

Fixes: https://pagure.io/freeipa/issue/9777
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>

---

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fcadb8e..98315a0 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -524,26 +524,43 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
 
     /* get adtrust options using default refresh interval */
     ret = ipadb_reinit_mspac(ipactx, false, &stmsg);
-    if (ret && stmsg)
-        krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
+    if (ret) {
+        if (stmsg) {
+            krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
+        }
+        /* Initialization of the MS-PAC generator is an optional dependency.
+         * Fail only if the connection was lost. */
+        if (!ipactx->lcontext) {
+            goto done;
+        }
+    }
 
     ret = 0;
 
 done:
     ldap_msgfree(res);
 
+    /* LDAP context should never be null on success, but keep this test out of
+     * security to make sure we do not return an invalid context. */
+    if (ret == 0 && !ipactx->lcontext) {
+        krb5_klog_syslog(LOG_WARNING, "Internal malfunction: LDAP connection "
+                                      "process resulted in an invalid context "
+                                      "(please report this incident)");
+        ret = LDAP_SERVER_DOWN;
+    }
+
     if (ret) {
+        /* Cleanup LDAP context if connection failed. */
         if (ipactx->lcontext) {
             ldap_unbind_ext_s(ipactx->lcontext, NULL, NULL);
             ipactx->lcontext = NULL;
         }
-        if (ret == LDAP_SERVER_DOWN) {
-            return ETIMEDOUT;
-        }
-        return EIO;
+
+        /* Replace LDAP error code by POSIX error code. */
+        ret = ret == LDAP_SERVER_DOWN ? ETIMEDOUT : EIO;
     }
 
-    return 0;
+    return ret;
 }
 
 static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,