From be5513ba7d70cecba5aa7654b66c1aa4015f7de2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Oct 2018 17:13:36 -0400
Subject: [PATCH] Enable LDAP debug output in client to display TLS errors in
join
If ipa-join fails due to a TLS connection error when doing an
LDAP-based enroll then nothing is logged by default except an
Invalid Password error which is misleading (because the failure
occurs during the bind).
The only way that debugging would have been sufficient is if
the user passed --debug to ipa-client-install, which is not great.
This log level is otherwise very quiet and only logs one or two
lines on errors which is perfect.
https://pagure.io/freeipa/issue/7728
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
client/ipa-join.c | 64 ++++++++++++++++++++++++++---------------------
1 file changed, 35 insertions(+), 29 deletions(-)
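--- a/client/ipa-join.c
+++ b/client/ipa-join.c
@@ -197,33 +197,31 @@ callRPC(char * user_agent,
 
 /* The caller is responsible for unbinding the connection if ld is not NULL */
 static LDAP *
-connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
+connect_ldap(const char *hostname, const char *binddn, const char *bindpw,
+ int *ret) {
 LDAP *ld = NULL;
- int ret;
- int ldapdebug = 0;
- char *uri;
+ int ldapdebug = 2;
+ char *uri = NULL;
 struct berval bindpw_bv;
 
- if (debug) {
- ldapdebug = 2;
- ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
- if (ret != LDAP_OPT_SUCCESS) {
- goto fail;
- }
+ *ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
+ if (*ret != LDAP_OPT_SUCCESS) {
+ goto fail;
 }
 
- ret = asprintf(&uri, "ldaps://%s:636", hostname);
- if (ret == -1) {
+ *ret = asprintf(&uri, "ldaps://%s:636", hostname);
+ if (*ret == -1) {
 fprintf(stderr, _("Out of memory!"));
+ *ret = LDAP_NO_MEMORY;
 goto fail;
 }
 
- ret = ipa_ldap_init(&ld, uri);
- if (ret != LDAP_SUCCESS) {
+ *ret = ipa_ldap_init(&ld, uri);
+ if (*ret != LDAP_SUCCESS) {
 goto fail;
 }
- ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
- if (ret != LDAP_SUCCESS) {
+ *ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
+ if (*ret != LDAP_SUCCESS) {
 fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
 goto fail;
 }
@@ -238,15 +236,11 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
 bindpw_bv.bv_len = 0;
 }
 
- ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
- NULL, NULL, NULL);
-
- if (ret != LDAP_SUCCESS) {
- int err;
+ *ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
+ NULL, NULL, NULL);
 
- ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err;;
- if (debug)
- fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(err));
+ if (*ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(*ret));
 goto fail;
 }
 
@@ -309,7 +303,7 @@ get_root_dn(const char *ipaserver, char **ldap_base)
 struct berval **defvals;
 int ret, rval = 0;
 
- ld = connect_ldap(ipaserver, NULL, NULL);
+ ld = connect_ldap(ipaserver, NULL, NULL, &ret;;
 if (!ld) {
 rval = 14;
 goto done;
@@ -429,11 +423,23 @@ join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bin
 rval = 3;
 goto done;
 }
- ld = connect_ldap(ipaserver, *binddn, bindpw);
+ ld = connect_ldap(ipaserver, *binddn, bindpw, &ret;;
 if (!ld) {
- if (!quiet)
- fprintf(stderr, _("Incorrect password.\n"));
- rval = 15;
+ if (quiet)
+ goto done;
+
+ switch(ret) {
+ case LDAP_NO_MEMORY:
+ rval = 3;
+ break;
+ case LDAP_INVALID_CREDENTIALS: /* incorrect password */
+ case LDAP_INAPPROPRIATE_AUTH: /* no password set */
+ rval = 15;
+ break;
+ default: /* LDAP connection error catch-all */
+ rval = 14;
+ break;
+ }
 goto done;
 }
 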
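Review bot: In the join_ldap hunk, the new `if (quiet) goto done;` jumps out before the `switch(ret)` assigns `rval`, so in quiet mode a failed connect returns whatever `rval` held before the call (its initialisation is outside the hunk) — the old code still set `rval = 15` and only suppressed the message, so this looks like a regression that can make a failed enrol report success. The branch no longer prints anything itself, so the `quiet` test buys nothing here; delete the two lines `if (quiet)` / `goto done;` and let the switch run unconditionally so every failure maps to a non-zero `rval`. If `quiet` is meant to silence the diagnostic too, the place for that check is the `Bind failed: %s` fprintf in connect_ldap's second hunk, which the patch changed from `if (debug)`-gated to unconditional and which therefore now prints even when the caller asked for quiet (assuming `quiet` is file-scope, as `debug` appears to be). join_ldap's body continues outside the hunk.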