
From be5513ba7d70cecba5aa7654b66c1aa4015f7de2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Oct 2018 17:13:36 -0400
Subject: [PATCH] Enable LDAP debug output in client to display TLS errors in
 join
If ipa-join fails due to a TLS connection error when doing an
LDAP-based enroll then nothing is logged by default except an
Invalid Password error which is misleading (because the failure
occurs during the bind).
The only way that debugging would have been sufficient is if
the user passed --debug to ipa-client-install which is not great.
This log level is otherwise very quiet and only logs one or two
lines on errors which is perfect.
https://pagure.io/freeipa/issue/7728
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 client/ipa-join.c | 64 ++++++++++++++++++++++++++---------------------
 1 file changed, 35 insertions(+), 29 deletions(-)
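--- a/client/ipa-join.c
+++ b/client/ipa-join.c
@@ -197,33 +197,31 @@ callRPC(char * user_agent,
 
 /* The caller is responsible for unbinding the connection if ld is not NULL */
 static LDAP *
-connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
+connect_ldap(const char *hostname, const char *binddn, const char *bindpw,
+             int *ret) {
     LDAP *ld = NULL;
-    int ret;
-    int ldapdebug = 0;
-    char *uri;
+    int ldapdebug = 2;
+    char *uri = NULL;
     struct berval bindpw_bv;
 
-    if (debug) {
-        ldapdebug = 2;
-        ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
-        if (ret != LDAP_OPT_SUCCESS) {
-            goto fail;
-        }
+    *ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
+    if (*ret != LDAP_OPT_SUCCESS) {
+        goto fail;
     }
 
-    ret = asprintf(&uri, "ldaps://%s:636", hostname);
-    if (ret == -1) {
+    *ret = asprintf(&uri, "ldaps://%s:636", hostname);
+    if (*ret == -1) {
         fprintf(stderr, _("Out of memory!"));
+        *ret = LDAP_NO_MEMORY;
         goto fail;
     }
 
-    ret = ipa_ldap_init(&ld, uri);
-    if (ret != LDAP_SUCCESS) {
+    *ret = ipa_ldap_init(&ld, uri);
+    if (*ret != LDAP_SUCCESS) {
         goto fail;
     }
-    ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
-    if (ret != LDAP_SUCCESS) {
+    *ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
+    if (*ret != LDAP_SUCCESS) {
         fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
         goto fail;
     }
@@ -238,15 +236,11 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
         bindpw_bv.bv_len = 0;
     }
 
-    ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
-                           NULL, NULL, NULL);
-
-    if (ret != LDAP_SUCCESS) {
-        int err;
+    *ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
+                            NULL, NULL, NULL);
 
-        ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err;;
-        if (debug)
-            fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(err));
+    if (*ret != LDAP_SUCCESS) {
+        fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(*ret));
         goto fail;
     }
 
@@ -309,7 +303,7 @@ get_root_dn(const char *ipaserver, char **ldap_base)
     struct berval **defvals;
     int ret, rval = 0;
 
-    ld = connect_ldap(ipaserver, NULL, NULL);
+    ld = connect_ldap(ipaserver, NULL, NULL, &ret;;
     if (!ld) {
         rval = 14;
         goto done;
@@ -429,11 +423,23 @@ join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bin
         rval = 3;
         goto done;
     }
-    ld = connect_ldap(ipaserver, *binddn, bindpw);
+    ld = connect_ldap(ipaserver, *binddn, bindpw, &ret;;
     if (!ld) {
-        if (!quiet)
-            fprintf(stderr, _("Incorrect password.\n"));
-        rval = 15;
+        if (quiet)
+            goto done;
+
+        switch(ret) {
+            case LDAP_NO_MEMORY:
+                rval = 3;
+                break;
+            case LDAP_INVALID_CREDENTIALS: /* incorrect password */
+            case LDAP_INAPPROPRIATE_AUTH: /* no password set */
+                rval = 15;
+                break;
+            default: /* LDAP connection error catch-all */
+                rval = 14;
+                break;
+        }
         goto done;
     }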
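Review bot: In the join_ldap hunk the new `if (quiet) goto done;` jumps past the switch that assigns rval, so with --quiet a failed connect_ldap() leaves rval at whatever it held before (rval's declaration in join_ldap is outside the hunk; if it starts at 0 as it does in get_root_dn, the failed enrollment is reported to the caller as success). The old code gated only the message on quiet and always set `rval = 15;`, so the return code was never affected by the flag. Since the switch prints nothing, the guard has no output to suppress and should simply be deleted — the two lines `if (quiet)` / `goto done;` go, and `switch(ret)` runs unconditionally before the existing `goto done;`. Separately, the `Bind failed` message in connect_ldap and the now-unconditional LDAP_OPT_DEBUG_LEVEL setting both write to stderr regardless of quiet, which is presumably intended per the commit message but worth stating in a comment at the `int ldapdebug = 2;` line, e.g. `/* always on: level 2 only emits a few lines on error, needed to surface TLS failures */`. The `&ret;;` in the two call sites reads as a rendering artifact of `&ret);` rather than code in the actual patch.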