Right before rc1 I discovered a problem in ipa-replica-prepare. It was crashing when trying to generate the SSL certificates. The first time it failed on nss_shutdown() claiming that NSS wasn't initialized. The second time because some object was still in use.

I tracked this down to a change that enables replication. This happens using an SSL connection to the server. I'm thinking this is some interaction with the openldap NSS connection.

The fix is to use an ldapi connection instead.

ticket 965

rob
From 02c91465d361c88cc901e5f97e0c9ef1f1e4656e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 17 Feb 2011 22:53:53 -0500
Subject: [PATCH] Fix NSS initialization errors during ipa-replica-prepare

When enabling replication we make an SSL connection. I think the way
this goes is python-ldap -> openldap -> NSS. It may be a problem in
the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any
case if we use ldapi instead the problem goes away.

Back out the temporary code to ignore nss_shutdown errors.

ticket 965
---
 ipapython/nsslib.py              |    6 +-----
 ipaserver/install/replication.py |    2 +-
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index fad65a3..129f1a0 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -126,11 +126,7 @@ class NSSConnection(httplib.HTTPConnection):
         if nss.nss_is_initialized():
             # close any open NSS database and use the new one
             ssl.clear_session_cache()
-            try:
-                nss.nss_shutdown()
-            except NSPRError, e:
-                # FIXME: errors shouldn't be raised here
-                logging.debug('nss_shutdown: %s', str(e))
+            nss.nss_shutdown()
         nss.nss_init(dbdir)
         ssl.set_domestic_policy()
         nss.set_password_callback(self.password_callback)
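Review bot: dropping the try/except around nss.nss_shutdown() means any NSS object still alive when NSSConnection re-initializes the database now raises NSPRError straight out of the constructor, rather than being logged at debug level. That is the right direction (the old handler was hiding the "object still in use" failure the cover mail describes), but it is worth a comment above the call stating the contract: any other NSS consumer in the process (the openldap client in this case) must release its objects before NSSConnection is created, otherwise this line fails. Consider also keeping the debug log in the failure path, e.g. re-raising after `logging.debug('nss_shutdown: %s', str(e))`, so that a future regression is diagnosable from the logs rather than only from a traceback.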
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 0bf0e21..8158197 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -60,7 +60,7 @@ def enable_replication_version_checking(hostname, realm, dirman_passwd):
     enabled then enable it and restart 389-ds. If it is enabled
     the do nothing.
     """
-    conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
+    conn = ipaldap.IPAdmin(hostname, realm=realm, ldapi=True)
     if dirman_passwd:
         conn.do_simple_bind(bindpw=dirman_passwd)
     else:
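Review bot: switching from `ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)` to `ipaldap.IPAdmin(hostname, realm=realm, ldapi=True)` changes the transport from a CA-verified TLS connection to a local unix-domain socket, so enable_replication_version_checking() now only works when run on the directory server host itself, and the `hostname` argument no longer selects where the connection goes. The docstring in this hunk should say so, and if PORT and CACERT have no other users in replication.py the now-unused imports should be removed in the same change. The commit message states the SSL path trips the NSS shutdown problem without identifying where the leak is; a short note in the docstring that ldapi is used to avoid the openldap/NSS interaction (ticket 965) will stop someone from reverting this to TLS later without knowing why it was changed.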
-- 
1.7.3.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
