
From be5513ba7d70cecba5aa7654b66c1aa4015f7de2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Oct 2018 17:13:36 -0400
Subject: [PATCH] Enable LDAP debug output in client to display TLS errors in
 join
If ipa-join fails due to a TLS connection error when doing an
LDAP-based enroll then nothing is logged by default except an
Invalid Password error which is misleading (because the failure
occurs during the bind).
The only way that debugging would have been sufficient is if
the user passed --debug to ipa-client-install which is not great.
This log level is otherwise very quiet and only logs one or two
lines on errors which is perfect.
https://pagure.io/freeipa/issue/7728
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 client/ipa-join.c | 64 ++++++++++++++++++++++++++---------------------
 1 file changed, 35 insertions(+), 29 deletions(-)
diff --git a/client/ipa-join.c b/client/ipa-join.c
index 7f454f723d..750114896f 100644
--- a/client/ipa-join.c
+++ b/client/ipa-join.c
@@ -197,33 +197,31 @@ callRPC(char * user_agent,
 
 /* The caller is responsible for unbinding the connection if ld is not NULL */
 static LDAP *
-connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
+connect_ldap(const char *hostname, const char *binddn, const char *bindpw,
+             int *ret) {
     LDAP *ld = NULL;
-    int ret;
-    int ldapdebug = 0;
-    char *uri;
+    int ldapdebug = 2;
+    char *uri = NULL;
     struct berval bindpw_bv;
 
-    if (debug) {
-        ldapdebug = 2;
-        ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
-        if (ret != LDAP_OPT_SUCCESS) {
-            goto fail;
-        }
+    *ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
+    if (*ret != LDAP_OPT_SUCCESS) {
+        goto fail;
     }
 
-    ret = asprintf(&uri, "ldaps://%s:636", hostname);
-    if (ret == -1) {
+    *ret = asprintf(&uri, "ldaps://%s:636", hostname);
+    if (*ret == -1) {
         fprintf(stderr, _("Out of memory!"));
+        *ret = LDAP_NO_MEMORY;
         goto fail;
     }
 
-    ret = ipa_ldap_init(&ld, uri);
-    if (ret != LDAP_SUCCESS) {
+    *ret = ipa_ldap_init(&ld, uri);
+    if (*ret != LDAP_SUCCESS) {
         goto fail;
     }
-    ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
-    if (ret != LDAP_SUCCESS) {
+    *ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
+    if (*ret != LDAP_SUCCESS) {
         fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
         goto fail;
     }
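Review bot: Debug level 2 is now applied process-wide and unconditionally through `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug)`, and in OpenLDAP level 2 is the packets level, which — depending on how liblber's own debug level is wired in this build — can hex-dump the bytes handed to the socket before TLS encrypts them; since this same connection later performs a simple bind with `bindpw`, it is worth checking a failing bind by hand to confirm the password does not reach stderr, and if it does, either gate the level on `debug` again or choose a level limited to connection/TLS diagnostics. A comment above the initialiser would record the intent, e.g. `/* Always enable a low LDAP debug level so TLS handshake errors are visible without --debug */`. `*ret` is also dereferenced without a NULL check, so the new contract that callers must pass a valid pointer should at least be stated in the comment above the function. The `fail:` path of connect_ldap is outside this hunk, so whether `uri` (now initialised to NULL) is released there cannot be confirmed here.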
@@ -238,15 +236,11 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
         bindpw_bv.bv_len = 0;
     }
 
-    ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
-                           NULL, NULL, NULL);
-
-    if (ret != LDAP_SUCCESS) {
-        int err;
+    *ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
+                            NULL, NULL, NULL);
 
-        ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err;;
-        if (debug)
-            fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(err));
+    if (*ret != LDAP_SUCCESS) {
+        fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(*ret));
         goto fail;
     }
 
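Review bot: The `Bind failed: %s` message is now printed unconditionally, where the old code printed it only under `debug`, and join_ldap consults `quiet` only after connect_ldap has returned, so a caller that asked for quiet output still gets this line on stderr. If `quiet` is a file-scope flag in the same way `debug` appears to be, gate the print with `if (!quiet)`, or drop the print here and let the caller report the failure from the code it now receives. Using `ldap_err2string(*ret)` on the return value of `ldap_sasl_bind_s` instead of reading `LDAP_OPT_RESULT_CODE` is fine for a synchronous bind. The remainder of connect_ldap, including the `fail:` label, lies outside this hunk.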
@@ -309,7 +303,7 @@ get_root_dn(const char *ipaserver, char **ldap_base)
     struct berval **defvals;
     int ret, rval = 0;
 
-    ld = connect_ldap(ipaserver, NULL, NULL);
+    ld = connect_ldap(ipaserver, NULL, NULL, &ret;;
     if (!ld) {
         rval = 14;
</gr_replreplace>
<gr_replace lines="209-209" cat="remove_boilerplate" orig="b01884">
         goto done;
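Review bot: get_root_dn now receives the LDAP result in `ret` but ignores it and maps every failure to `rval = 14`, while join_ldap in the same patch maps `LDAP_NO_MEMORY` to 3; if exit codes are meant to agree across the two call sites, apply the same mapping here, otherwise a comment such as `/* anonymous bind failures are always reported as a connection error */` would make the difference deliberate. The `&ret;;` shown here and in join_ldap looks like a rendering artifact of `&ret);` rather than text in the patch. The rest of get_root_dn is outside the hunk.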
b01884
@@ -429,11 +423,23 @@ join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bin
         rval = 3;
         goto done;
     }
-    ld = connect_ldap(ipaserver, *binddn, bindpw);
+    ld = connect_ldap(ipaserver, *binddn, bindpw, &ret;;
     if (!ld) {
-        if (!quiet)
-            fprintf(stderr, _("Incorrect password.\n"));
-        rval = 15;
+        if (quiet)
+            goto done;
+
+        switch(ret) {
+            case LDAP_NO_MEMORY:
+                rval = 3;
+                break;
+            case LDAP_INVALID_CREDENTIALS: /* incorrect password */
+            case LDAP_INAPPROPRIATE_AUTH: /* no password set */
+                rval = 15;
+                break;
+            default: /* LDAP connection error catch-all */
+                rval = 14;
+                break;
+        }
         goto done;
     }
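Review bot: With `quiet` set, `goto done` is taken before `rval` is assigned, so join_ldap returns whatever `rval` held before the call — presumably its initial value — and a failed connection or bind can be reported as success in quiet mode, whereas the old code set `rval = 15` regardless of `quiet`. Nothing in the new `switch` writes to stderr, so the guard buys no silence; remove the two lines `if (quiet)` / `goto done;` and let the switch run unconditionally. The mapping itself is an improvement; a short comment above it, e.g. `/* map the LDAP result from connect_ldap to ipa-join exit codes */`, would help the next reader. The `done:` label and the earlier initialisation of `rval` are outside this hunk, so the initial value is inferred.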