Retry or failover when using TLS

If a connection failed during TLS initialization, a BackendError was raised which exited the loop of retrying or moving on to the next provided server. Instead raise the underlying ldap exception. Closes-Bug: 2060325 Change-Id: If28001a810800a5c91a6a2fe63e3ba3f92fdc049
2023-05-05 07:54:39 -07:00 · 2023-05-05 07:54:39 -07:00 · a995c04d33
commit a995c04d33
parent f8fb5fcfce
2 changed files with 41 additions and 6 deletions
--- a/ldappool/init.py
+++ b/ldappool/init.py
@ -212,12 +212,7 @@ class ConnectionManager(object):
    def _bind(self, conn, bind, passwd):
        # let's bind
        if self.use_tls:
-            try:
-                conn.start_tls_s()
-            except Exception:
-                raise BackendError('Could not activate TLS on established '
-                                   'connection with %s' % self.uri,
-                                   backend=conn)
+            conn.start_tls_s()

        if bind is not None:
            conn.simple_bind_s(bind, passwd)
--- a/ldappool/tests/test_ldapconnection.py
+++ b/ldappool/tests/test_ldapconnection.py
@ -96,11 +96,25 @@ def _bind_fails_invalid_credentials_failover(self, who='', cred='', **kw):
        raise ldap.INVALID_CREDENTIALS('LDAP connection invalid')


+def _bind_fails_tls_failover(self, who='', cred='', **kw):
+    # Raise backend error unless the URI is 'ldap://GOOD'
+    if self._uri == 'ldap://GOOD':
+        self.connected = True
+        self.who = who
+        self.cred = cred
+        return 1
+    else:
+        raise ldappool.BackendError
+
+
 def _start_tls_s(self):
+    # Raise a server down error if the URI is 'ldap://BAD'
    if self.start_tls_already_called_flag:
        raise ldap.LOCAL_ERROR
    else:
        self.start_tls_already_called_flag = True
+    if self._uri == 'ldap://BAD':
+        raise ldap.SERVER_DOWN('LDAP connection invalid')


 class TestLDAPConnection(unittest.TestCase):
@ -323,3 +337,29 @@ class TestLDAPConnection(unittest.TestCase):
            pass
        else:
            raise AssertionError()
+
+    def test_simple_bind_fails_tls_failover(self):
+        unbinds = []
+
+        def _unbind(self):
+            unbinds.append(1)
+
+        # the binding to any server other than 'ldap://GOOD' fails
+        # with ldap.SERVER_DOWN
+        ldappool.StateConnector.simple_bind_s = _bind_fails_tls_failover
+        ldappool.StateConnector.unbind_s = _unbind
+        uri = 'ldap://BAD,ldap://GOOD'
+        dn = 'uid=adminuser,ou=logins,dc=mozilla'
+        passwd = 'adminuser'
+        cm = ldappool.ConnectionManager(uri, dn, passwd, use_pool=True,
+                                        size=2, use_tls=True)
+        self.assertEqual(len(cm), 0)
+
+        try:
+            with cm.connection('dn', 'pass') as conn:
+                # Ensure we failed over to the second URI
+                self.assertTrue(conn.active)
+                self.assertEqual(conn._uri, 'ldap://GOOD')
+                pass
+        except Exception:
+            raise AssertionError()