#8352 RPC API crashes when a user is disabled while a session exists
Closed: fixed 2 years ago by abbra. Opened 2 years ago by abompard.


When I open a session with the JSON RPC API as user foobar (login/password, not kerberos), and then disable the foobar user in FreeIPA, the session is not invalidated but subsequent calls to the API with that session cause crashes. I get the following traceback in httpd/error.log

mod_wsgi (pid=1696): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1076, in error_handler
  File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1248, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 465, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.7/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'desc': 'Server is unwilling to perform', 'info': 'Account inactivated. Contact system administrator.'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/ipa/wsgi.py", line 59, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 266, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 278, in route
    return app(environ, start_response)
  File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 858, in __call__
  File "/usr/lib/python3.7/site-packages/ipalib/backend.py", line 128, in create_context
  File "/usr/lib/python3.7/site-packages/ipalib/backend.py", line 69, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
  File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1248, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python3.7/contextlib.py", line 130, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1138, in error_handler
    raise errors.DatabaseError(desc=desc, info=info)
ipalib.errors.DatabaseError: Server is unwilling to perform: Account inactivated. Contact system administrator.

The RPC client thus only gets Apache's 500 page, which is not JSON and does not give a hint of what was going on.

Expected behavior

For example, the session could be invalidated and the user would have to login again, or an explicit "User is disabled" message could be returned.


$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package ipa-server is not installed
package ipa-client is not installed

I can reproduce the issue easily.
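An added illustration, not FreeIPA's own code (class and function names are hypothetical stand-ins): a minimal dispatcher in the "before" shape, where the failed bind escapes connect() and reaches the WSGI layer, beside one that catches the bind error at connect time, invalidates the session and answers with a JSON error, as the expected behavior above describes.

```python
import json

class DatabaseError(Exception):
    """Stand-in for ipalib.errors.DatabaseError (hypothetical, not the real class)."""
    def __init__(self, desc, info):
        super().__init__(f"{desc}: {info}")
        self.desc, self.info = desc, info

# Constructed sample state: account lock flags and the sessions that were
# opened (login/password) before 'foobar' was disabled.
ACCOUNTS = {"foobar": {"nsaccountlock": True}, "alice": {"nsaccountlock": False}}
SESSIONS = {"sess-1": "foobar", "sess-2": "alice"}

def gssapi_bind(user):
    """Simulated LDAP bind: a locked account fails with UNWILLING_TO_PERFORM,
    which the ipaldap error handler surfaces as DatabaseError."""
    if ACCOUNTS[user]["nsaccountlock"]:
        raise DatabaseError("Server is unwilling to perform",
                            "Account inactivated. Contact system administrator.")
    return f"ldap-conn-{user}"

def json_error(status, message):
    return status, json.dumps({"result": None,
                               "error": {"code": status, "message": message}})

def dispatch_unhandled(session_id, method):
    """'Before' shape: connect() lets the bind error propagate, so mod_wsgi
    answers with Apache's HTML 500 page and the stale session survives."""
    conn = gssapi_bind(SESSIONS[session_id])  # DatabaseError escapes here
    return 200, json.dumps({"result": {"method": method, "conn": conn}, "error": None})

def dispatch_handled(session_id, method):
    """'After' shape: catch DatabaseError while connecting, invalidate the
    session, and return a JSON error the RPC client can actually parse."""
    user = SESSIONS.get(session_id)
    if user is None:
        return json_error(401, "Session not found, please log in again")
    try:
        conn = gssapi_bind(user)
    except DatabaseError as e:
        SESSIONS.pop(session_id, None)  # force re-authentication on the next call
        return json_error(401, f"{e.desc}: {e.info}")
    return 200, json.dumps({"result": {"method": method, "conn": conn}, "error": None})
```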

Metadata Update from @cheimes:
- Issue assigned to cheimes
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8.7
- Issue tagged with: bug

2 years ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4749

2 years ago


  • d79a7a9 Handle DatabaseError in RPC-Server connect()


  • 1062caa Handle DatabaseError in RPC-Server connect()


  • 24c85b8 Handle DatabaseError in RPC-Server connect()

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
