From 7c49273306522acceec8258412be3ed9ae22d89c Mon Sep 17 00:00:00 2001
From: Dan Nicholson
Date: Mon, 19 Jun 2017 11:14:25 -0500
Subject: [PATCH] Re-initialize OpenLDAP TLS context during plugin initialization

When shinken-broker starts in the default daemon mode, it closes all open files. If OpenLDAP is in use and the TLS implementation is GnuTLS, then this may cause the random data source /dev/urandom to be closed. This often results in the following error: Warning : [webui] The mod auth-active-directory raise an exception: {'info': "Error in the system's randomness device.", 'desc': "Can't contact LDAP server"}, I'm tagging it to restart later In order to ensure the TLS context is valid for OpenLDAP, set the option OPT_X_TLS_NEWCTX during plugin initialization. This will cause OpenLDAP to re-initialize it's TLS context, which will cause GnuTLS to re-open /dev/urandom.
---
 module/module.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/module/module.py b/module/module.py
index 72b7478..d954c2f 100644
--- a/module/module.py
+++ b/module/module.py
@@ -92,6 +92,13 @@ def __init__(self, modconf):
 'ad' : "(| (samaccountname=%s)(mail=%s))",
 'openldap' : "(| (uid=%s)(mail=%s))"
 }[self.mode]
+
+ # Re-initialize the TLS context for openldap to make sure the
+ # random file opened by the TLS implementation is valid. When
+ # shinken-broker is daemonized, it may have closed the random
+ # file.
+ if self.mode == 'openldap' and hasattr(ldap, 'OPT_X_TLS_NEWCTX'):
+ ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
 # Try to connect if we got true parameter