Don't call start_tls_s() twice
pyldap's start_tls_s function calls ldap_start_tls_s[1] which, if called twice, returns LDAP_LOCAL_ERROR, which causes LDAP queries to fail with the traceback: Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ldappool/__init__.py", line 258, in _create_connector self._bind(conn, bind, passwd) File "/usr/lib/python2.7/site-packages/ldappool/__init__.py", line 227, in _bind conn.start_tls_s() File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 1095, in start_tls_s res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs) File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 1071, in _apply_method_s return func(self,*args,**kwargs) File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 780, in start_tls_s return self._ldap_call(self._l.start_tls_s) File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 263, in _ldap_call result = func(*args,**kwargs) LOCAL_ERROR: {'desc': u'Local error'} This means that currently keystone's [ldap]/use_pool and [ldap]/use_tls options are incompatible. This patch fixes the problem by removing the unnecessary call. [1] https://linux.die.net/man/3/ldap_start_tls_s Change-Id: I6baff12bcbd3b110e62f4bcdfb97c561d7ee5fe9
This commit is contained in:
parent
0016814c3d
commit
53565dfd97
|
@ -221,7 +221,6 @@ class ConnectionManager(object):
|
||||||
raise BackendError('Could not activate TLS on established '
|
raise BackendError('Could not activate TLS on established '
|
||||||
'connection with %s' % self.uri,
|
'connection with %s' % self.uri,
|
||||||
backend=conn)
|
backend=conn)
|
||||||
conn.start_tls_s()
|
|
||||||
|
|
||||||
if bind is not None:
|
if bind is not None:
|
||||||
conn.simple_bind_s(bind, passwd)
|
conn.simple_bind_s(bind, passwd)
|
||||||
|
|
|
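Review bot: Nothing left in `_bind` records why only one `start_tls_s()` call is permitted per connection, so the duplicate this hunk deletes can easily be reintroduced the next time someone touches the bind path; add a comment at the surviving call (above this hunk, outside its range) such as `# ldap_start_tls_s may only be issued once per connection; a repeat call fails with LOCAL_ERROR`. The start of `_bind` and the `try` that feeds the BackendError handler are outside the hunk, so I cannot see whether that handler also covers a connector that already negotiated TLS earlier in its life (for instance one handed back by the pool and re-bound); if that path exists it would hit the same LOCAL_ERROR the description reports, and is worth a check. Consider also noting in the BackendError message or a comment that a failed StartTLS leaves the connection in plaintext, so callers must not fall back to using it.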
@ -55,14 +55,25 @@ def _bind_fails2(self, who='', cred='', **kw):
|
||||||
raise ldap.SERVER_DOWN('LDAP connection invalid')
|
raise ldap.SERVER_DOWN('LDAP connection invalid')
|
||||||
|
|
||||||
|
|
||||||
|
def _start_tls_s(self):
|
||||||
|
if self.start_tls_already_called_flag:
|
||||||
|
raise ldap.LOCAL_ERROR
|
||||||
|
else:
|
||||||
|
self.start_tls_already_called_flag = True
|
||||||
|
|
||||||
|
|
||||||
class TestLDAPConnection(unittest.TestCase):
|
class TestLDAPConnection(unittest.TestCase):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
self.old = ldappool.StateConnector.simple_bind_s
|
self.old = ldappool.StateConnector.simple_bind_s
|
||||||
ldappool.StateConnector.simple_bind_s = _bind
|
ldappool.StateConnector.simple_bind_s = _bind
|
||||||
|
self.old_start_tls_s = ldappool.StateConnector.start_tls_s
|
||||||
|
ldappool.StateConnector.start_tls_s = _start_tls_s
|
||||||
|
ldappool.StateConnector.start_tls_already_called_flag = False
|
||||||
|
|
||||||
def tearDown(self):
|
def tearDown(self):
|
||||||
ldappool.StateConnector.simple_bind_s = self.old
|
ldappool.StateConnector.simple_bind_s = self.old
|
||||||
|
ldappool.StateConnector.start_tls_s = self.old_start_tls_s
|
||||||
|
|
||||||
def test_connection(self):
|
def test_connection(self):
|
||||||
uri = ''
|
uri = ''
|
||||||
|
@ -115,6 +126,15 @@ class TestLDAPConnection(unittest.TestCase):
|
||||||
self.assertFalse(cm._pool[0].active)
|
self.assertFalse(cm._pool[0].active)
|
||||||
self.assertFalse(cm._pool[1].active)
|
self.assertFalse(cm._pool[1].active)
|
||||||
|
|
||||||
|
def test_tls_connection(self):
|
||||||
|
uri = ''
|
||||||
|
dn = 'uid=adminuser,ou=logins,dc=mozilla'
|
||||||
|
passwd = 'adminuser'
|
||||||
|
cm = ldappool.ConnectionManager(uri, dn, passwd, use_pool=True,
|
||||||
|
size=2, use_tls=True)
|
||||||
|
with cm.connection():
|
||||||
|
pass
|
||||||
|
|
||||||
def test_simple_bind_fails(self):
|
def test_simple_bind_fails(self):
|
||||||
unbinds = []
|
unbinds = []
|
||||||
|
|
||||||
|
|
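Review bot: `tearDown` in the first hunk of this file restores `start_tls_s` but never removes the `start_tls_already_called_flag` class attribute that `setUp` adds to `ldappool.StateConnector`, so the patched class leaks into every other test module in the process; add `del ldappool.StateConnector.start_tls_already_called_flag` after the `start_tls_s` restore (guarded with `hasattr` if other tests may run `tearDown` without `setUp`). In the second hunk, `test_tls_connection` only checks that the context manager does not raise; it never verifies that StartTLS was actually negotiated, so a regression that silently skips TLS would still pass — an assertion along the lines of `self.assertTrue(cm._pool[0].start_tls_already_called_flag)` after the `with` block would pin that, assuming `cm._pool[0]` is the patched connector as the `.active` checks just above suggest. The `else:` in `_start_tls_s` is redundant after `raise`; the assignment can sit at the function's top level.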