Re-initialize OpenLDAP TLS context during plugin initialization #17
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dbnicholson
force-pushed
the
openldap-reinit-tls
branch
from
21f4a28
to
7c49273
Compare
When shinken-broker starts in the default daemon mode, it closes all
open files. If OpenLDAP is in use and the TLS implementation is GnuTLS,
then this may cause the random data source /dev/urandom to be closed.
This often results in the following error:
Warning : [webui] The mod auth-active-directory raise an exception:
{'info': "Error in the system's randomness device.",
'desc': "Can't contact LDAP server"}, I'm tagging it to restart later
In order to ensure the TLS context is valid for OpenLDAP, set the option
OPT_X_TLS_NEWCTX during plugin initialization. This will cause OpenLDAP
to re-initialize it's TLS context, which will cause GnuTLS to re-open
/dev/urandom.
|
Any thoughts on this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When shinken-broker starts in the default daemon mode, it closes all
open files. If OpenLDAP is in use and the TLS implementation is GnuTLS,
then this may cause the random data source /dev/urandom to be closed.
This often results in the following error:
Warning : [webui] The mod auth-active-directory raise an exception:
{'info': "Error in the system's randomness device.",
'desc': "Can't contact LDAP server"}, I'm tagging it to restart later
In order to ensure the TLS context is valid for OpenLDAP, set the option
OPT_X_TLS_NEWCTX during plugin initialization. This will cause OpenLDAP
to re-initialize it's TLS context, which will cause GnuTLS to re-open
/dev/urandom.