diff options
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_child.c | 60 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.c | 18 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 6 |
3 files changed, 81 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index 3369d7098..a2e658395 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c @@ -136,6 +136,10 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx, krb5_creds my_creds; krb5_get_init_creds_opt options; krb5_error_code krberr; + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + char *principal; + bool found; int ret; krberr = krb5_init_context(&context); @@ -200,8 +204,57 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx, krberr = krb5_kt_default(context, &keytab); } if (krberr) { - DEBUG(2, ("Failed to read keytab file: %s\n", + DEBUG(0, ("Failed to read keytab file: %s\n", sss_krb5_get_error_message(context, krberr))); + + ret = EFAULT; + goto done; + } + + /* Verify the keytab */ + krberr = krb5_kt_start_seq_get(context, keytab, &cursor); + if (krberr) { + DEBUG(0, ("Cannot read keytab [%s].\n", keytab_name)); + + sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. " + "Unable to create GSSAPI-encrypted LDAP connection.", + keytab_name, krberr, + sss_krb5_get_error_message(context, krberr)); + + ret = EFAULT; + goto done; + } + + found = false; + while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){ + krb5_unparse_name(context, entry.principal, &principal); + if (strcmp(full_princ, principal) == 0) { + found = true; + } + free(principal); + krb5_free_keytab_entry_contents(context, &entry); + + if (found) { + break; + } + } + krberr = krb5_kt_end_seq_get(context, keytab, &cursor); + if (krberr) { + DEBUG(0, ("Could not close keytab.\n")); + sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].", + keytab_name); + ret = EFAULT; + goto done; + } + + if (!found) { + DEBUG(0, ("Principal [%s] not found in keytab [%s]\n", + full_princ, keytab_name)); + sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: " + "Principal [%s] was not found. " + "Unable to create GSSAPI-encrypted LDAP connection.", + keytab_name, full_princ); + ret = EFAULT; goto done; } @@ -232,8 +285,11 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx, keytab, 0, NULL, &options); if (krberr) { - DEBUG(2, ("Failed to init credentials: %s\n", + DEBUG(0, ("Failed to init credentials: %s\n", sss_krb5_get_error_message(context, krberr))); + sss_log(SSS_LOG_ERR, "Failed to initialize credentials using keytab [%s]: %s. " + "Unable to create GSSAPI-encrypted LDAP connection.", + keytab_name, sss_krb5_get_error_message(context, krberr)); ret = EFAULT; goto done; } diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index 18f2bc0c5..fee3c11d0 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -764,7 +764,9 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, { struct tevent_req *req = NULL; struct sdap_get_generic_state *state = NULL; + char *errmsg; int lret; + int optret; int ret; int msgid; @@ -805,7 +807,21 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, DEBUG(3, ("ldap_search_ext failed: %s\n", ldap_err2string(lret))); if (lret == LDAP_SERVER_DOWN) { ret = ETIMEDOUT; - } else { + optret = ldap_get_option(state->sh->ldap, + SDAP_DIAGNOSTIC_MESSAGE, + (void*)&errmsg); + if (optret == LDAP_SUCCESS) { + DEBUG(3, ("Connection error: %s\n", errmsg)); + sss_log(SSS_LOG_ERR, "LDAP connection error: %s", errmsg); + ldap_memfree(errmsg); + } + else { + sss_log(SSS_LOG_ERR, "LDAP connection error, %s", + ldap_err2string(lret)); + } + } + + else { ret = EIO; } goto fail; diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index fd1cc8c72..69baf1a34 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -153,11 +153,14 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx, DEBUG(3, ("ldap_start_tls failed: [%s] [%s]\n", ldap_err2string(lret), errmsg)); + sss_log(SSS_LOG_ERR, "Could not start TLS. %s", errmsg); ldap_memfree(errmsg); } else { DEBUG(3, ("ldap_start_tls failed: [%s]\n", ldap_err2string(lret))); + sss_log(SSS_LOG_ERR, "Could not start TLS. " + "Check for certificate issues."); } goto fail; } @@ -236,11 +239,14 @@ static void sdap_connect_done(struct sdap_op *op, DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n", ldap_err2string(ret), tlserr)); + sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr); ldap_memfree(tlserr); } else { DEBUG(3, ("ldap_install_tls failed: [%s]\n", ldap_err2string(ret))); + sss_log(SSS_LOG_ERR, "Could not start TLS encryption. " + "Check for certificate issues."); } state->result = ret; |