When I open a session with the JSON RPC API as user foobar (login/password, not kerberos), and then disable the foobar user in FreeIPA, the session is not invalidated but subsequent calls to the API with that session cause crashes. I get the following traceback in httpd/error.log
mod_wsgi (pid=1696): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1076, in error_handler
    yield
  File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1248, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 465, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.7/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'desc': 'Server is unwilling to perform', 'info': 'Account inactivated. Contact system administrator.'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/ipa/wsgi.py", line 59, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 266, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 278, in route
    return app(environ, start_response)
  File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 858, in __call__
    self.create_context(ccache=ccache_name)
  File "/usr/lib/python3.7/site-packages/ipalib/backend.py", line 128, in create_context
    time_limit=None)
  File "/usr/lib/python3.7/site-packages/ipalib/backend.py", line 69, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1248, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python3.7/contextlib.py", line 130, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1138, in error_handler
    raise errors.DatabaseError(desc=desc, info=info)
ipalib.errors.DatabaseError: Server is unwilling to perform: Account inactivated. Contact system administrator.
The RPC client thus only gets Apache's 500 page, which is not JSON and does not give a hint of what was going on.
For example, the session could be invalidated and the user would have to login again, or an explicit "User is disabled" message could be returned.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.8.6-1.fc31.x86_64
freeipa-client-4.8.6-1.fc31.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.2.11-1.fc31.x86_64
pki-ca-10.8.3-1.fc31.noarch
krb5-server-1.17-45.fc31.x86_64
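The failure mode in the report is a valid session whose per-request LDAP bind is refused because the account was disabled after login; the exception escapes the dispatcher and the web server answers with an HTML 500. The following is an added example, not FreeIPA's code or the fix in the linked pull request, showing how a JSON-RPC dispatcher can catch that bind failure, invalidate the session and answer with a JSON error in the protocol the client speaks. The backend, session store, error codes and function names are all assumptions constructed for the example; the only thing taken from the report is the "Account inactivated" desc/info pair the refused bind carries.

```python
"""Added example (not FreeIPA's code): turn a refused backend bind for a
disabled account into a JSON-RPC error and drop the session, instead of
letting the exception reach the web server as an HTML 500 page.

Everything here is a constructed stand-in for the real ipaserver/ipalib
classes; the names are assumptions made for the example."""
import json

# Assumed application-specific JSON-RPC error codes; -32603 and -32601 are
# the standard JSON-RPC "Internal error" and "Method not found" codes.
JSONRPC_SESSION_EXPIRED = -32001
JSONRPC_USER_DISABLED = -32002
JSONRPC_INTERNAL = -32603
JSONRPC_METHOD_NOT_FOUND = -32601


class DatabaseError(Exception):
    """Stand-in for the error raised when the LDAP SASL bind is refused."""

    def __init__(self, desc, info):
        super().__init__(f"{desc}: {info}")
        self.desc = desc
        self.info = info


class FakeLdapBackend:
    """Constructed backend: binding as a user flagged inactive is refused with
    the desc/info strings an "Account inactivated" refusal carries."""

    def __init__(self, inactive_users):
        self.inactive = set(inactive_users)

    def connect(self, user):
        if user in self.inactive:
            raise DatabaseError(
                desc="Server is unwilling to perform",
                info="Account inactivated. Contact system administrator.")
        return {"bound_as": user}


class SessionStore:
    """In-memory session table: session id -> user name."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_id, user):
        self._sessions[session_id] = user

    def lookup(self, session_id):
        return self._sessions.get(session_id)

    def invalidate(self, session_id):
        self._sessions.pop(session_id, None)


def jsonrpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "result": None,
            "error": {"code": code, "message": message}}


def dispatch(backend, sessions, session_id, request_body):
    """Handle one JSON-RPC call made with an established session.

    Returns (http_status, response_dict). The response is always a JSON
    object, so the client never receives a bare HTML error page."""
    req = json.loads(request_body)
    req_id = req.get("id")
    user = sessions.lookup(session_id)
    if user is None:
        return 401, jsonrpc_error(req_id, JSONRPC_SESSION_EXPIRED,
                                  "Session expired or invalid; log in again")
    try:
        conn = backend.connect(user)          # the per-request LDAP bind
    except DatabaseError as exc:
        if "Account inactivated" in exc.info:
            # The session is still valid but the account behind it is now
            # disabled: drop the session so the next call fails cleanly as
            # well, and tell the client why in JSON.
            sessions.invalidate(session_id)
            return 401, jsonrpc_error(req_id, JSONRPC_USER_DISABLED,
                                      "User is disabled; contact your administrator")
        # Any other bind failure is still reported as JSON, not as an HTML 500.
        return 500, jsonrpc_error(req_id, JSONRPC_INTERNAL, str(exc))
    # Minimal method table standing in for the real command dispatcher.
    if req.get("method") == "whoami":
        result = {"user": conn["bound_as"]}
        return 200, {"jsonrpc": "2.0", "id": req_id, "result": result, "error": None}
    return 200, jsonrpc_error(req_id, JSONRPC_METHOD_NOT_FOUND, "Method not found")


if __name__ == "__main__":
    backend = FakeLdapBackend(inactive_users={"foobar"})
    sessions = SessionStore()
    sessions.create("s1", "foobar")
    body = '{"jsonrpc": "2.0", "id": 1, "method": "whoami"}'
    print(dispatch(backend, sessions, "s1", body))   # 401, user-disabled error
    print(dispatch(backend, sessions, "s1", body))   # 401, session now gone
```

The check is deliberately placed where the bind happens rather than at login: a session cookie issued before the account was disabled is exactly the case the report describes, so the login-time check alone cannot catch it.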
I can reproduce the issue easily.
Metadata Update from @cheimes: - Issue assigned to cheimes - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.8.7 - Issue tagged with: bug
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4749
master:
ipa-4-8:
ipa-4-6:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)