Re-initialize OpenLDAP TLS context during plugin initialization
When shinken-broker starts in the default daemon mode, it closes all
open files. If OpenLDAP is in use and the TLS implementation is GnuTLS,
then this may cause the random data source /dev/urandom to be closed.
This often results in the following error:

Warning : [webui] The mod auth-active-directory raise an exception:
{'info': "Error in the system's randomness device.",
'desc': "Can't contact LDAP server"}, I'm tagging it to restart later

In order to ensure the TLS context is valid for OpenLDAP, set the option
OPT_X_TLS_NEWCTX during plugin initialization. This will cause OpenLDAP
to re-initialize its TLS context, which will cause GnuTLS to re-open
/dev/urandom.
dbnicholson committed Jun 19, 2017
1 parent 1c37662 commit 7c49273
Showing 1 changed file with 7 additions and 0 deletions.
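The commit message describes a failure mode that is easy to misread as harmless: a daemonizer closes every file descriptor, but a library that cached a descriptor to the randomness device keeps using the stale number. The following Python program is an added illustration, not code from shinken, python-ldap or this commit. It models the cached-fd behaviour with a small `CachedRandomSource` class (a stand-in for GnuTLS, an assumption about the mechanism rather than GnuTLS's actual code), simulates the daemonizer closing that fd behind the library's back, and shows the two outcomes a defender should know about: if the number has not been reused the read fails with EBADF (the error the commit message quotes), and if it has been reused the library silently reads "randomness" from whatever file now sits on that number. POSIX guarantees that `open()` returns the lowest free descriptor, so the reuse case is reproduced deterministically here. `new_context()` plays the role of `OPT_X_TLS_NEWCTX`: discard the old state and open the device again.

```python
import errno
import os
import tempfile

# Constructed marker content for the file that will land on the reused fd.
KNOWN_CONTENT = b"not random at all!"


class CachedRandomSource:
    """Stand-in (assumption, not GnuTLS source) for a TLS library that opens
    the randomness device once at initialization and caches the descriptor."""

    def __init__(self, path="/dev/urandom"):
        self.path = path
        self.fd = os.open(path, os.O_RDONLY)

    def read(self, n):
        # The library trusts its cached fd; nobody told it the fd was closed.
        return os.read(self.fd, n)

    def new_context(self):
        # What OPT_X_TLS_NEWCTX achieves for OpenLDAP/GnuTLS in the commit:
        # throw the old context away and open the randomness device afresh.
        self.fd = os.open(self.path, os.O_RDONLY)


def close_fd_behind_library(fd):
    """Simulates the daemonizer's 'close all open files' step, which walks
    every descriptor number and therefore closes the library's cached fd."""
    os.close(fd)


def demonstrate():
    """Run the whole scenario and return what each step observed."""
    # Prepare a file with known content first, then close it so that its
    # descriptor number is free again before the library initializes.
    tmp_fd, tmp_path = tempfile.mkstemp()
    os.write(tmp_fd, KNOWN_CONTENT)
    os.close(tmp_fd)

    src = CachedRandomSource()
    before = src.read(16)          # works: fd is valid
    stale_fd = src.fd

    # Daemonization closes the descriptor without the library noticing.
    close_fd_behind_library(stale_fd)

    # The next open() in the process gets the lowest free number, which is
    # exactly the number the library still holds. Without this open, the
    # library's read would fail with EBADF instead of returning garbage.
    reused = os.open(tmp_path, os.O_RDONLY)

    try:
        stale_read = src.read(len(KNOWN_CONTENT))
        stale_error = None
    except OSError as e:           # EBADF path if the number was not reused
        stale_read = b""
        stale_error = errno.errorcode.get(e.errno, "?")

    # The fix: re-initialize the context after daemonization.
    src.new_context()
    after = src.read(16)

    os.close(reused)
    os.close(src.fd)
    os.unlink(tmp_path)
    return {
        "before_len": len(before),
        "fd_reused": reused == stale_fd,
        "stale_read": stale_read,
        "stale_error": stale_error,
        "after_len": len(after),
        "after": after,
    }


if __name__ == "__main__":
    result = demonstrate()
    for key, value in result.items():
        print(f"{key}: {value!r}")
```

The silent case is the one that matters for security: an error from the randomness device is noisy and restarts the module, as the quoted warning shows, but a reused descriptor feeds predictable bytes into key and nonce generation with no error at all. Re-initializing the TLS context after the daemonizer has finished, as this commit does, covers both cases.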
7 changes: 7 additions & 0 deletions module/module.py
Expand Up @@ -92,6 +92,13 @@ def __init__(self, modconf):
'ad' : "(| (samaccountname=%s)(mail=%s))",
'openldap' : "(| (uid=%s)(mail=%s))"
}[self.mode]

# Re-initialize the TLS context for openldap to make sure the
# random file opened by the TLS implementation is valid. When
# shinken-broker is daemonized, it may have closed the random
# file.
if self.mode == 'openldap' and hasattr(ldap, 'OPT_X_TLS_NEWCTX'):
ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)


# Try to connect if we got true parameter
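Review bot: the `if self.mode == 'openldap'` guard looks too narrow for the problem the commit message describes. The lines just above show that `'ad'` and `'openldap'` differ only in the search filter; both go through the same python-ldap module, and the closed randomness device belongs to the OpenLDAP client library and GnuTLS underneath it, not to the server type. An `'ad'` deployment that connects with LDAPS or StartTLS after daemonization would therefore appear to hit the same "Error in the system's randomness device" failure, so consider calling `ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)` whenever TLS is in use, independent of `self.mode` (unless AD mode is known never to use TLS, in which case a comment saying so would help the next reader). The `hasattr(ldap, 'OPT_X_TLS_NEWCTX')` check is a good guard for python-ldap builds that predate the constant. Minor style point: the two blank lines after the new block leave one more than the surrounding code uses before `# Try to connect if we got true parameter`.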