From b2559c22bf554aa4dd32f440184c68b7d68be5b7 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 24 Mar 2015 16:45:36 +0100
Subject: [PATCH] ldap: do not traceback on TLS error, but report it in the logs (fixes #6807)

---
 src/authentic2/backends/ldap_backend.py | 34 +++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index 0f8a7a7..d8747f6 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -125,18 +125,32 @@ def get_connection(block, credentials=()):
 for key, value in block['global_ldap_options'].iteritems():
 ldap.set_option(key, value)
 conn = ldap.initialize(url)
 for key, value in block['ldap_options']:
 conn.set_option(key, value)
 conn.set_option(ldap.OPT_REFERRALS, 1 if block['referrals'] else 0)
 try:
 if not url.startswith('ldaps://') and block['use_tls']:
- conn.start_tls_s()
+ try:
+ conn.start_tls_s()
+ except ldap.CONNECT_ERROR:
+ log.error('connection to %r failed when activating TLS, did '
+ 'you forget to declare the TLS certificate in '
+ '/etc/ldap/ldap.conf ?', url)
+ continue
 conn.whoami_s()
+ except ldap.TIMEOUT:
+ log.error('connection to %r timed out', url)
+ continue
+ except ldap.CONNECT_ERROR:
+ log.error('connection to %r failed when activating TLS, did '
+ 'you forget to declare the TLS certificate in '
+ '/etc/ldap/ldap.conf ?', url)
+ continue
 except ldap.SERVER_DOWN:
 if block['replicas']:
 log.warning('ldap %r is down', url)
 else:
 log.error('ldap %r is down', url)
 continue
 try:
 if credentials:
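Review bot: The inner `except ldap.CONNECT_ERROR` around `conn.start_tls_s()` duplicates the outer `except ldap.CONNECT_ERROR` attached to the same `try:` — both log the identical message and `continue` — and the outer handler also catches a CONNECT_ERROR raised by `conn.whoami_s()`, which it then reports as a TLS-activation failure. Keep one handler: either drop the inner try/except and give the outer one a neutral message such as `log.error('connection to %r failed (TLS handshake or certificate problem?)', url)`, or keep the inner one and remove the outer. The `continue` statements show this code runs inside a loop over the configured URLs whose header, like the rest of get_connection, is above the hunk. Skipping the server instead of falling back to plaintext when STARTTLS fails is the right behaviour and deserves a one-line comment, e.g. `# no plaintext fallback: a failed STARTTLS skips this server`.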
@@ -401,17 +415,27 @@ class LDAPBackend(object):
 utf8_username = username.encode('utf-8')
 utf8_password = password.encode('utf-8')
 for uri in block['url']:
 log.debug('try to bind user on %r', uri)
 conn = ldap.initialize(uri)
 conn.set_option(ldap.OPT_REFERRALS, 1 if block['referrals'] else 0)
 if not uri.startswith('ldaps://') and block['use_tls']:
- conn.start_tls_s()
+ try:
+ conn.start_tls_s()
+ except ldap.TIMEOUT:
+ log.error('connection to %r timed out', uri)
+ continue
+ except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
+ log.error('connection to %r failed when activating TLS, did '
+ 'you forget to declare the TLS certificate in '
+ '/etc/ldap/ldap.conf ? or maybe timeout are not long '
+ 'enough', uri)
+ continue
 authz_ids = []
 user_basedn = block.get('user_basedn') or block['basedn']
 try:
 # if necessary bind as admin
 self.try_admin_bind(conn, block)
 if block['user_dn_template']:
 template = str(block['user_dn_template'])
@@ -474,16 +498,22 @@ class LDAPBackend(object):
 break
 continue
 except ldap.NO_SUCH_OBJECT:
 # should not happen as we just searched for this object !
 log.error('user bind failed: authz_id not found %r', ', '.join(authz_ids))
 if block['replicas']:
 break
 return self._return_user(authz_id, password, conn, block)
+ except ldap.CONNECT_ERROR:
+ log.error('connection to %r failed, did '
+ 'you forget to declare the TLS certificate in '
+ '/etc/ldap/ldap.conf ?', uri)
+ except ldap.TIMEOUT:
+ log.error('connection to %r timed out', uri)
 except ldap.SERVER_DOWN:
 log.error('ldap authentication error: %r is down', uri)
 finally:
 del conn
 return None
 def get_user(self, user_id):
 pickle_dump = user_id.split('!', 1)[1]
--
1.9.1
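Review bot: `except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN)` around `conn.start_tls_s()` reports an unreachable server as a probable TLS-certificate problem, whereas get_connection in the first hunk logs SERVER_DOWN separately as `ldap %r is down`; a dedicated `except ldap.SERVER_DOWN:` with `log.error('ldap %r is down', uri)` and `continue` keeps the two paths consistent and the log actionable. The message fragment `or maybe timeout are not long enough` reads better as `or maybe the timeouts are not long enough`. This loop applies only OPT_REFERRALS to the connection while get_connection also applies `block['ldap_options']`, so TLS settings configured there would presumably not take effect on this authentication path — worth confirming, since the error message points the operator only at /etc/ldap/ldap.conf. The enclosing method starts before the hunk and the `try:` opened at its end continues past it.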
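Review bot: The new `except ldap.CONNECT_ERROR` blames a missing TLS certificate for every connect error reached from the bind/search block, although for `ldap://` URIs TLS was already negotiated by `start_tls_s()` in the previous hunk; the hint fits `ldaps://` URIs, where the TLS handshake happens on the first operation, so the message could say so, e.g. `'connection to %r failed (for ldaps:// URIs check the TLS certificate declared in /etc/ldap/ldap.conf)'`. Both new handlers let the loop move on to the next URI and eventually `return None`, so an infrastructure failure is indistinguishable to the caller from wrong credentials — presumably intended, but a comment such as `# transient LDAP errors are logged and treated as a failed authentication` would make that explicit. The `try:` these handlers belong to is opened before this hunk.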