From be5513ba7d70cecba5aa7654b66c1aa4015f7de2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Oct 2018 17:13:36 -0400
Subject: [PATCH] Enable LDAP debug output in client to display TLS errors in
join
If ipa-join fails due to a TLS connection error when doing an
LDAP-based enroll then nothing is logged by default except an
Invalid Password error which is misleading (because the failure
occurs during the bind).
The only way that debugging would have been sufficient is if
the user passed --debug to ipa-client-install which is not great.
This log level is otherwise very quiet and only logs one or two
lines on errors which is perfect.
https://pagure.io/freeipa/issue/7728
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
client/ipa-join.c | 64 ++++++++++++++++++++++++++---------------------
1 file changed, 35 insertions(+), 29 deletions(-)
diff --git a/client/ipa-join.c b/client/ipa-join.c
index 7f454f723d..750114896f 100644
--- a/client/ipa-join.c
+++ b/client/ipa-join.c
@@ -197,33 +197,31 @@ callRPC(char * user_agent,
/* The caller is responsible for unbinding the connection if ld is not NULL */
static LDAP *
-connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
+connect_ldap(const char *hostname, const char *binddn, const char *bindpw,
+ int *ret) {
LDAP *ld = NULL;
- int ret;
- int ldapdebug = 0;
- char *uri;
+ int ldapdebug = 2;
+ char *uri = NULL;
struct berval bindpw_bv;
- if (debug) {
- ldapdebug = 2;
- ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
- if (ret != LDAP_OPT_SUCCESS) {
- goto fail;
- }
+ *ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
+ if (*ret != LDAP_OPT_SUCCESS) {
+ goto fail;
}
- ret = asprintf(&uri, "ldaps://%s:636", hostname);
- if (ret == -1) {
+ *ret = asprintf(&uri, "ldaps://%s:636", hostname);
+ if (*ret == -1) {
fprintf(stderr, _("Out of memory!"));
+ *ret = LDAP_NO_MEMORY;
goto fail;
}
- ret = ipa_ldap_init(&ld, uri);
- if (ret != LDAP_SUCCESS) {
+ *ret = ipa_ldap_init(&ld, uri);
+ if (*ret != LDAP_SUCCESS) {
goto fail;
}
- ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
- if (ret != LDAP_SUCCESS) {
+ *ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
+ if (*ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
goto fail;
}
@@ -238,15 +236,11 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
bindpw_bv.bv_len = 0;
}
- ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
- NULL, NULL, NULL);
-
- if (ret != LDAP_SUCCESS) {
- int err;
+ *ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
+ NULL, NULL, NULL);
- ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err);
- if (debug)
- fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(err));
+ if (*ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(*ret));
goto fail;
}
@@ -309,7 +303,7 @@ get_root_dn(const char *ipaserver, char **ldap_base)
struct berval **defvals;
int ret, rval = 0;
- ld = connect_ldap(ipaserver, NULL, NULL);
+ ld = connect_ldap(ipaserver, NULL, NULL, &ret);
if (!ld) {
rval = 14;
goto done;
@@ -429,11 +423,23 @@ join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bin
rval = 3;
goto done;
}
- ld = connect_ldap(ipaserver, *binddn, bindpw);
+ ld = connect_ldap(ipaserver, *binddn, bindpw, &ret);
if (!ld) {
- if (!quiet)
- fprintf(stderr, _("Incorrect password.\n"));
- rval = 15;
+ if (quiet)
+ goto done;
+
+ switch(ret) {
+ case LDAP_NO_MEMORY:
+ rval = 3;
+ break;
+ case LDAP_INVALID_CREDENTIALS: /* incorrect password */
+ case LDAP_INAPPROPRIATE_AUTH: /* no password set */
+ rval = 15;
+ break;
+ default: /* LDAP connection error catch-all */
+ rval = 14;
+ break;
+ }
goto done;
}