76fd9fb78f
- Resolves: RHEL-95010 [RFE] Give warning when adding user with UID out of any ID range - Resolves: RHEL-93890 Include latest fixes in python3-ipatests package - Resolves: RHEL-93887 ipa idrange-add --help should be more clear about required options - Resolves: RHEL-93483 Unable to modify IPA config; --ipaconfigstring="" causes internal error - Resolves: RHEL-88834 kdb: ipadb_get_connection() succeeds but returns null LDAP context - Resolves: RHEL-68800 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
88 lines
3.2 KiB
Diff
88 lines
3.2 KiB
Diff
From 5d893c9c3b8d384873f40d2524b1ebf0f34fb452 Mon Sep 17 00:00:00 2001
|
|
From: Julien Rische <jrische@redhat.com>
|
|
Date: Mon, 28 Apr 2025 18:01:39 +0200
|
|
Subject: [PATCH] kdb: keep ipadb_get_connection() from succeeding with null
|
|
LDAP context
|
|
|
|
The final call to ipadb_reinit_mspac() in ipadb_get_connection() is not
|
|
considered essential for the function to succeed, as there might be
|
|
cases where the required pieces of information to generate PACs are not
|
|
yet configured in the database. However, in environments where 389ds is
|
|
overwhelmed, the LDAP connection established at the beginning of
|
|
ipadb_get_connection() might already be lost while executing
|
|
ipadb_reinit_mspac().
|
|
|
|
Connection errors were not distinguished from configuration errors,
|
|
which could result in ipadb_get_connection() succeeding while the LDAP
|
|
context is set to null, leading to a KDC crash on the next LDAP request.
|
|
|
|
ipadb_get_connection() now explicitly checks the value of the LDAP
|
|
context before returning.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9777
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
---
|
|
daemons/ipa-kdb/ipa_kdb.c | 31 ++++++++++++++++++++++++-------
|
|
1 file changed, 24 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
|
index 903e19e83bbe383b878a3b9261dd501f96058d51..531ee223e1d5157c87a5c31dfe44b9cfa8dcc554 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
|
@@ -530,26 +530,43 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
|
|
|
|
/* get adtrust options using default refresh interval */
|
|
ret = ipadb_reinit_mspac(ipactx, false, &stmsg);
|
|
- if (ret && stmsg)
|
|
- krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
|
|
+ if (ret) {
|
|
+ if (stmsg) {
|
|
+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg);
|
|
+ }
|
|
+ /* Initialization of the MS-PAC generator is an optional dependency.
|
|
+ * Fail only if the connection was lost. */
|
|
+ if (!ipactx->lcontext) {
|
|
+ goto done;
|
|
+ }
|
|
+ }
|
|
|
|
ret = 0;
|
|
|
|
done:
|
|
ldap_msgfree(res);
|
|
|
|
+ /* LDAP context should never be null on success, but keep this test out of
|
|
+ * security to make sure we do not return an invalid context. */
|
|
+ if (ret == 0 && !ipactx->lcontext) {
|
|
+ krb5_klog_syslog(LOG_WARNING, "Internal malfunction: LDAP connection "
|
|
+ "process resulted in an invalid context "
|
|
+ "(please report this incident)");
|
|
+ ret = LDAP_SERVER_DOWN;
|
|
+ }
|
|
+
|
|
if (ret) {
|
|
+ /* Cleanup LDAP context if connection failed. */
|
|
if (ipactx->lcontext) {
|
|
ldap_unbind_ext_s(ipactx->lcontext, NULL, NULL);
|
|
ipactx->lcontext = NULL;
|
|
}
|
|
- if (ret == LDAP_SERVER_DOWN) {
|
|
- return ETIMEDOUT;
|
|
- }
|
|
- return EIO;
|
|
+
|
|
+ /* Replace LDAP error code by POSIX error code. */
|
|
+ ret = ret == LDAP_SERVER_DOWN ? ETIMEDOUT : EIO;
|
|
}
|
|
|
|
- return 0;
|
|
+ return ret;
|
|
}
|
|
|
|
static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,
|
|
--
|
|
2.49.0
|
|
|