authorRich Megginson <rmeggins@redhat.com>2008-12-02 15:29:31 +0000
committerRich Megginson <rmeggins@redhat.com>2008-12-02 15:29:31 +0000
commitda60a75c5fabda105b941751f6b0115ff734f3f9 (patch)
treed994a5046bdba6d3297fc250d7a13bd5fb4ec116
parent76bb2234d64962399a6070651eede8f85f0d7f23 (diff)
Resolves: bug 469261
Bug Description: Support server-to-server SASL - console chaining, server cleanup Reviewed by: nkinder (Thanks!) Fix Description: There are two sets of diffs here. The first set adds tls, gssapi, and digest to the chaining database (aka database link) panels in the console. I had to add support for revert to some of the code to make the Reset button work without having to retrieve the values from the server each time. We already store the original values locally in the _origModel - I added code to allow the use of that in the Reset button. The second set of diffs is for the server. 1) I had to add support for "SIMPLE" for bindMechanism - this translates to LDAP_SASL_SIMPLE for the actual mechanism. This value is NULL, so I had to add handling for NULL values in the cb config code (slapi_ch_* work fine with NULL values). 2) Added some more debugging/tracing code 3) The server to server SSL code would only work if the server were configured to be an SSL server. But for the server to be an SSL client, it only needs NSS initialized and to have the CA cert. It also needs to configure some of the SSL settings and install the correct policy. I changed the server code to do this. Platforms tested: RHEL5 Flag Day: no Doc impact: Yes
-rw-r--r--ldap/servers/plugins/chainingdb/cb.h2
-rw-r--r--ldap/servers/plugins/chainingdb/cb_conn_stateless.c9
-rw-r--r--ldap/servers/plugins/chainingdb/cb_instance.c25
-rw-r--r--ldap/servers/plugins/replication/repl5_connection.c25
-rw-r--r--ldap/servers/plugins/replication/windows_connection.c27
-rw-r--r--ldap/servers/slapd/globals.c1
-rw-r--r--ldap/servers/slapd/libglobs.c3
-rw-r--r--ldap/servers/slapd/proto-slap.h3
-rw-r--r--ldap/servers/slapd/sasl_map.c4
-rw-r--r--ldap/servers/slapd/slap.h2
-rw-r--r--ldap/servers/slapd/slapi-private.h4
-rw-r--r--ldap/servers/slapd/ssl.c128
-rw-r--r--ldap/servers/slapd/util.c44
13 files changed, 84 insertions, 193 deletions
diff --git a/ldap/servers/plugins/chainingdb/cb.h b/ldap/servers/plugins/chainingdb/cb.h
index a8e44985..209fdd37 100644
--- a/ldap/servers/plugins/chainingdb/cb.h
+++ b/ldap/servers/plugins/chainingdb/cb.h
@@ -168,6 +168,8 @@
#define CB_DEF_STARTTLS "off" /* CB_CONFIG_STARTTLS */
#define CB_DEF_BINDMECH LDAP_SASL_SIMPLE /* CB_CONFIG_BINDMECH */
+#define CB_SIMPLE_BINDMECH "SIMPLE" /* will be translated to LDAP_SASL_SIMPLE */
+
typedef void *cb_config_get_fn_t(void *arg);
typedef int cb_config_set_fn_t(void *arg, void *value, char *errorbuf, int phase, int apply);
typedef struct _cb_instance_config_info {
diff --git a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
index 41d7f243..617da9ed 100644
--- a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
+++ b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
@@ -318,15 +318,6 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s
int version=LDAP_VERSION3;
- /* check wether the security libraries are correctly initialized */
- if (secure && slapd_security_library_is_initialized() != 1) {
- slapi_log_error(
- SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
- "SSL Not Initialized, Chaining Backend over SSL FAILED\n");
- rc = LDAP_CONNECT_ERROR;
- goto unlock_and_return;
- }
-
/*
* we have not exceeded the maximum number of connections allowed,
* so we initialize a new one and add it to the end of our list.
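Review bot: The secure chaining path no longer checks that the security library is up before opening an SSL connection: the removed guard is not replaced here, whereas the parallel hunks in repl5_connection.c and windows_connection.c swap `slapd_security_library_is_initialized()` for `NSS_IsInitialized()`. Unless `slapi_ldap_init_ext` is known to fail cleanly when NSS has not been initialized (its SSL option-setting path only logs on failure as far as the util.c hunk shows), keep an equivalent guard with the same log, `rc = LDAP_CONNECT_ERROR;` and `goto unlock_and_return;`, conditioned on `if (secure && !NSS_IsInitialized())`. cb_get_connection starts and ends outside the hunk.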
diff --git a/ldap/servers/plugins/chainingdb/cb_instance.c b/ldap/servers/plugins/chainingdb/cb_instance.c
index e430dca3..0e5dda25 100644
--- a/ldap/servers/plugins/chainingdb/cb_instance.c
+++ b/ldap/servers/plugins/chainingdb/cb_instance.c
@@ -1380,11 +1380,17 @@ static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int
( phase != CB_CONFIG_PHASE_STARTUP )) {
/* Dynamic modif */
- charray_add(&inst->pool->waste_basket,inst->pool->mech);
+ if (inst->pool->mech) {
+ charray_add(&inst->pool->waste_basket,inst->pool->mech);
+ }
rc=CB_REOPEN_CONN;
}
- inst->pool->mech=slapi_ch_strdup((char *) value);
+ if (value && !PL_strcasecmp((char *) value, CB_SIMPLE_BINDMECH)) {
+ inst->pool->mech=slapi_ch_strdup(LDAP_SASL_SIMPLE);
+ } else {
+ inst->pool->mech=slapi_ch_strdup((char *) value);
+ }
PR_RWLock_Unlock(inst->rwl_config_lock);
}
return rc;
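Review bot: The new SIMPLE branch leaves `inst->pool->mech` NULL for simple binds, since `LDAP_SASL_SIMPLE` is the NULL mechanism and `slapi_ch_strdup(NULL)` yields NULL; nothing in the hunk records that, and every reader of `pool->mech` must now tolerate NULL (the added `if (inst->pool->mech)` guard is the only hint). Add a comment at the branch: `/* "SIMPLE" maps to LDAP_SASL_SIMPLE, i.e. a NULL mech: pool->mech stays NULL for simple binds */`. The same documentation gap applies to the new `CB_SIMPLE_BINDMECH` define in the cb.h hunk. cb_instance_bindmech_set starts outside the hunk.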
@@ -1513,8 +1519,12 @@ void cb_instance_config_get(void *arg, cb_instance_config_info *config, char *bu
/* Remember the get function for strings returns memory
* that must be freed. */
tmp_string = (char *) config->config_get_fn(arg);
- PR_snprintf(buf, CB_BUFSIZE, "%s", (char *) tmp_string);
- slapi_ch_free((void **)&tmp_string);
+ if (tmp_string) {
+ PR_snprintf(buf, CB_BUFSIZE, "%s", (char *) tmp_string);
+ slapi_ch_free_string(&tmp_string);
+ } else {
+ buf[0] = '\0';
+ }
break;
case CB_CONFIG_TYPE_ONOFF:
if ((int) ((uintptr_t)config->config_get_fn(arg))) {
@@ -1606,8 +1616,11 @@ int cb_instance_search_config_callback(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_E
val.bv_val = buf;
val.bv_len = strlen(buf);
- if (val.bv_len)
- slapi_entry_attr_replace(e, config->config_name, vals);
+ if (val.bv_len) {
+ slapi_entry_attr_replace(e, config->config_name, vals);
+ } else {
+ slapi_entry_attr_delete(e, config->config_name);
+ }
}
*returncode = LDAP_SUCCESS;
diff --git a/ldap/servers/plugins/replication/repl5_connection.c b/ldap/servers/plugins/replication/repl5_connection.c
index 03d61897..536849e7 100644
--- a/ldap/servers/plugins/replication/repl5_connection.c
+++ b/ldap/servers/plugins/replication/repl5_connection.c
@@ -949,30 +949,25 @@ conn_connect(Repl_Connection *conn)
/* ugaston: if SSL has been selected in the replication agreement, SSL client
* initialisation should be done before ever trying to open any connection at all.
*/
- if ((conn->transport_flags == TRANSPORT_FLAG_TLS) ||
- (conn->transport_flags == TRANSPORT_FLAG_SSL))
- {
+ if (conn->transport_flags == TRANSPORT_FLAG_TLS) {
+ secure = 2;
+ } else if (conn->transport_flags == TRANSPORT_FLAG_SSL) {
+ secure = 1;
+ }
- /** Make sure the SSL Library has been initialized before anything else **/
- if(slapd_security_library_is_initialized() != 1)
- {
+ if (secure > 0) {
+ if (!NSS_IsInitialized()) {
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: SSL Not Initialized, Replication over SSL FAILED\n",
- agmt_get_long_name(conn->agmt));
+ "%s: SSL Not Initialized, Replication over SSL FAILED\n",
+ agmt_get_long_name(conn->agmt));
conn->last_ldap_error = LDAP_INAPPROPRIATE_AUTH;
conn->last_operation = CONN_INIT;
ber_bvfree(creds);
creds = NULL;
return CONN_SSL_NOT_ENABLED;
- } else if (conn->transport_flags == TRANSPORT_FLAG_SSL)
- {
- secure = 1;
- } else
- {
- secure = 2; /* 2 means starttls security */
}
}
-
+
if (return_value == CONN_OPERATION_SUCCESS) {
int io_timeout_ms;
/* Now we initialize the LDAP Structure and set options */
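Review bot: `if (secure > 0)` on the new side reads `secure` on every call, whereas the old code only assigned it inside the SSL branch; if its declaration (outside the hunk) does not initialize it, the non-SSL path now tests an indeterminate value. Confirm the declaration reads `int secure = 0;`, or add `secure = 0;` before the transport_flags test. The guard is also deliberately weaker than before — `NSS_IsInitialized()` proves only that NSS is up, not that slapd_ssl_init ran — which matches the commit's intent but deserves a comment such as `/* an SSL client needs only NSS (with the CA cert), not the server-side SSL init */`. Both points apply equally to the windows_connection.c hunk; conn_connect starts and ends outside the hunk.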
diff --git a/ldap/servers/plugins/replication/windows_connection.c b/ldap/servers/plugins/replication/windows_connection.c
index ffcc8bec..5db07b02 100644
--- a/ldap/servers/plugins/replication/windows_connection.c
+++ b/ldap/servers/plugins/replication/windows_connection.c
@@ -1193,30 +1193,25 @@ windows_conn_connect(Repl_Connection *conn)
/* ugaston: if SSL has been selected in the replication agreement, SSL client
* initialisation should be done before ever trying to open any connection at all.
*/
- if ((conn->transport_flags == TRANSPORT_FLAG_TLS) ||
- (conn->transport_flags == TRANSPORT_FLAG_SSL))
- {
-
- /** Make sure the SSL Library has been initialized before anything else **/
- if(slapd_security_library_is_initialized() != 1)
- {
+ if (conn->transport_flags == TRANSPORT_FLAG_TLS) {
+ secure = 2;
+ } else if (conn->transport_flags == TRANSPORT_FLAG_SSL) {
+ secure = 1;
+ }
+
+ if (secure > 0) {
+ if (!NSS_IsInitialized()) {
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: SSL Not Initialized, Replication over SSL FAILED\n",
- agmt_get_long_name(conn->agmt));
+ "%s: SSL Not Initialized, Replication over SSL FAILED\n",
+ agmt_get_long_name(conn->agmt));
conn->last_ldap_error = LDAP_INAPPROPRIATE_AUTH;
conn->last_operation = CONN_INIT;
ber_bvfree(creds);
creds = NULL;
return CONN_SSL_NOT_ENABLED;
- } else if (conn->transport_flags == TRANSPORT_FLAG_SSL)
- {
- secure = 1;
- } else
- {
- secure = 2; /* 2 means starttls security */
}
}
-
+
if (return_value == CONN_OPERATION_SUCCESS) {
int io_timeout_ms;
/* Now we initialize the LDAP Structure and set options */
diff --git a/ldap/servers/slapd/globals.c b/ldap/servers/slapd/globals.c
index 3be43127..e49aa889 100644
--- a/ldap/servers/slapd/globals.c
+++ b/ldap/servers/slapd/globals.c
@@ -165,7 +165,6 @@ set_entry_points()
sep->sep_ps_wakeup_all = (caddr_t)ps_wakeup_all;
sep->sep_ps_service = (caddr_t)ps_service_persistent_searches;
sep->sep_disconnect_server = (caddr_t)disconnect_server;
- sep->sep_slapd_SSL_client_init = (caddr_t)slapd_SSL_client_init;
sep->sep_slapd_ssl_init = (caddr_t)slapd_ssl_init;
sep->sep_slapd_ssl_init2 = (caddr_t)slapd_ssl_init2;
set_dll_entry_points( sep );
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index dac93464..84d3a95c 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1036,9 +1036,6 @@ get_entry_point( int ep_name, caddr_t *ep_addr )
case ENTRY_POINT_DISCONNECT_SERVER:
*ep_addr = sep->sep_disconnect_server;
break;
- case ENTRY_POINT_SLAPD_SSL_CLIENT_INIT:
- *ep_addr = sep->sep_slapd_SSL_client_init;
- break;
case ENTRY_POINT_SLAPD_SSL_INIT:
*ep_addr = sep->sep_slapd_ssl_init;
break;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 6f8a3da6..e088f7d1 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -899,9 +899,6 @@ void do_search( Slapi_PBlock *pb );
/*
* ssl.c
*/
-int slapd_SSL_client_init();
-int slapd_SSL_client_bind_s( LDAP* ld, char* DN, char* pw, int use_SSL, int LDAPv);
-int slapd_sasl_ext_client_bind( LDAP* ld, int **msgid);
int slapd_nss_init(int init_ssl, int config_available);
int slapd_ssl_init();
int slapd_ssl_init2(PRFileDesc **fd, int startTLS);
diff --git a/ldap/servers/slapd/sasl_map.c b/ldap/servers/slapd/sasl_map.c
index 9011c6e0..4e614c1f 100644
--- a/ldap/servers/slapd/sasl_map.c
+++ b/ldap/servers/slapd/sasl_map.c
@@ -320,6 +320,7 @@ sasl_map_read_config_startup(sasl_map_private *priv)
sasl_map_data *dp = NULL;
for (map_entry = map_entry_list; *map_entry && !ret; map_entry++) {
+ LDAPDebug( LDAP_DEBUG_CONFIG, "sasl_map_read_config_startup - proceesing [%s]\n", *map_entry, 0, 0 );
getConfigEntry( *map_entry, &entry );
if ( entry == NULL ) {
continue;
@@ -331,6 +332,8 @@ sasl_map_read_config_startup(sasl_map_private *priv)
ret = sasl_map_insert_list_entry(priv,dp);
if (ret) {
LDAPDebug( LDAP_DEBUG_ANY, "sasl_map_read_config_startup failed to insert entry\n", 0, 0, 0 );
+ } else {
+ LDAPDebug( LDAP_DEBUG_CONFIG, "sasl_map_read_config_startup - processed [%s]\n", *map_entry, 0, 0 );
}
}
freeConfigEntry( &entry );
@@ -513,6 +516,7 @@ sasl_map_domap(char *sasl_user, char *sasl_realm, char **ldap_search_base, char
while (this_map) {
int matched = 0;
/* If one matches, then make the search params */
+ LDAPDebug( LDAP_DEBUG_TRACE, "sasl_map_domap - trying map [%s]\n", this_map->name, 0, 0 );
matched = sasl_map_check(this_map, sasl_user_and_realm, ldap_search_base, ldap_search_filter);
if (1 == matched) {
ret = 1;
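Review bot: The new LDAP_DEBUG_CONFIG message in the first hunk misspells its verb: `"sasl_map_read_config_startup - proceesing [%s]\n"` should read `"sasl_map_read_config_startup - processing [%s]\n"`, matching the `processed` message added a few lines later. The surrounding loop starts outside the hunk.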
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 41448819..7a4cb2e0 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1601,7 +1601,6 @@ typedef void (*ps_wakeup_all_fn_ptr)( void );
typedef void (*ps_service_fn_ptr)(Slapi_Entry *, Slapi_Entry *, int, int );
typedef char *(*get_config_dn_fn_ptr)();
typedef void (*get_disconnect_server_fn_ptr)(Connection *conn, PRUint64 opconnid, int opid, PRErrorCode reason, PRInt32 error );
-typedef int (*slapd_SSL_client_init_fn_ptr)( void );
typedef int (*modify_config_dse_fn_ptr)( Slapi_PBlock *pb );
typedef int (*slapd_ssl_init_fn_ptr)( void );
typedef int (*slapd_ssl_init_fn_ptr2)( PRFileDesc **s, int StartTLS);
@@ -1614,7 +1613,6 @@ typedef struct _slapdEntryPoints {
caddr_t sep_ps_wakeup_all;
caddr_t sep_ps_service;
caddr_t sep_disconnect_server;
- caddr_t sep_slapd_SSL_client_init;
caddr_t sep_slapd_ssl_init;
caddr_t sep_slapd_ssl_init2;
} slapdEntryPoints;
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index eaab8d7a..75e8a99d 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1108,11 +1108,7 @@ time_t read_genTime(struct berval* from);
time_t parse_genTime(char* from);
/* Client SSL code */
-int slapd_SSL_client_init( void );
int slapd_security_library_is_initialized( void );
-int slapd_SSL_client_bind_s(LDAP* ld, char* DN, char* pw, int use_SSL, int LDAPv);
-int slapd_sasl_ext_client_bind(LDAP* ld, int **msgid);
-int slapd_Client_auth(LDAP* ld);
char* slapd_get_tmp_dir( void );
/* Misc crrrrrrap */
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index abb127f9..0b895987 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -459,6 +459,14 @@ slapd_nss_init(int init_ssl, int config_available)
rv = -1;
}
+ if(SSLPLCY_Install() != PR_SUCCESS) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Unable to set SSL export policy ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ errorCode, slapd_pr_strerror(errorCode));
+ return -1;
+ }
+
/****** end of NSS Initialization ******/
slapi_ch_free_string(&certdir);
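Review bot: The new `return -1;` after a failed `SSLPLCY_Install()` exits before the `slapi_ch_free_string(&certdir);` that follows the NSS initialization block, so `certdir` leaks on that path; the preceding failure in this function sets `rv = -1` and falls through instead. Either free before leaving, `slapi_ch_free_string(&certdir); return -1;`, or follow the existing pattern with `rv = -1;` and let the function reach its normal cleanup. Also confirm that `errorCode` is declared in slapd_nss_init, since the block was moved here from slapd_ssl_init where it was in scope; the function starts and ends outside the hunk.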
@@ -622,15 +630,6 @@ slapd_ssl_init() {
}
freeConfigEntry( &entry );
- if(SSLPLCY_Install() != PR_SUCCESS) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Unable to set SSL export policy ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- return -1;
- }
-
-
/* ugaston- Cipher preferences must be set before any sslSocket is created
* for such sockets to take preferences into account.
*/
@@ -1041,12 +1040,6 @@ We already do pr_init, we don't need pr_setconcurrency, we already do nss_init a
*/
int
-slapd_SSL_client_init()
-{
- return 0;
-}
-
-int
slapd_SSL_client_auth (LDAP* ld)
{
int rc = 0;
@@ -1205,111 +1198,6 @@ slapd_SSL_client_auth (LDAP* ld)
return rc;
}
-int
-slapd_simple_client_bind_s(LDAP* ld, char* DN, char* pw, int LDAPv)
-{
- int rc;
- PRErrorCode errorCode;
-
- ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *) &LDAPv);
- rc = ldap_simple_bind_s (ld, DN, pw);
- if (rc != 0) {
- errorCode = PR_GetError();
- slapd_SSL_warn("ldap_simple_bind_s(%s, %s) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- DN, pw, rc, errorCode, slapd_pr_strerror(errorCode));
- }
- LDAPDebug (LDAP_DEBUG_TRACE, "slapd_simple_client_bind_s(%s, %i) %i\n", DN, LDAPv, rc);
- return rc;
-}
-
-int
-slapd_SSL_client_bind_s (LDAP* ld, char* DN, char* pw, int use_SSL, int LDAPv)
-{
- int rc;
- struct berval noCred = {0, 0};
-
- if (!use_SSL || LDAPv == LDAP_VERSION2) {
- rc = slapd_simple_client_bind_s(ld, DN, pw, LDAPv);
- } else {
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s: Trying SSL Client Authentication\n",
- 0, 0, 0);
-
- rc = slapd_SSL_client_auth(ld);
-
- if(rc != 0)
- {
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s: SSL Client Auth Failed during replication Bind\n",
- 0, 0, 0);
- return rc;
- }
-
- rc = ldap_sasl_bind_s (ld, "", LDAP_SASL_EXTERNAL, &noCred,
- NULL /* LDAPControl **serverctrls */,
- NULL /* LDAPControl **clientctrls */,
- NULL /* struct berval **servercredp */);
-
- }
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s(%i,%i) %i\n", use_SSL, LDAPv, rc);
- return rc;
-}
-
-int
-slapd_sasl_ext_client_bind (LDAP* ld, int **msgid)
-{
- int rc;
- PRErrorCode errorCode;
- struct berval noCred = {0, 0};
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind: Trying SSL Client Authentication\n",
- 0, 0, 0);
-
- rc = slapd_SSL_client_auth(ld);
- if(rc != 0)
- {
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind: SSL Client Auth Failed during replication Bind\n",
- 0, 0, 0);
- return rc;
- }
-
- rc = ldap_sasl_bind (ld, "", LDAP_SASL_EXTERNAL, &noCred,
- NULL,
- NULL,
- *msgid);
- if (rc != 0) {
- errorCode = PR_GetError();
- slapd_SSL_warn("ldap_sasl_bind(\"\",LDAP_SASL_EXTERNAL) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- rc, errorCode, slapd_pr_strerror(errorCode));
- }
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind %i\n", rc, 0, 0);
-
- return rc;
-}
-
-
-int slapd_Client_auth(LDAP* ld)
-{
- int rc=0;
-
- rc = slapd_SSL_client_auth (ld);
-
- return rc;
-}
-
-
/* Function for keeping track of the SSL initialization status:
* - returns 1: when slapd_ssl_init has been executed
*/
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index 43f93cb1..aaf27d07 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -961,6 +961,7 @@ slapi_ldap_init_ext(
*/
if (secure > 0) {
int ssl_strength = 0;
+ LDAP *myld = NULL;
if (config_get_ssl_check_hostname()) {
/* check hostname against name in certificate */
@@ -970,24 +971,23 @@ slapi_ldap_init_ext(
ssl_strength = LDAPSSL_AUTH_CERT;
}
- /* Can only use ldapssl_set_strength on and LDAP* already
- initialized for SSL - this is not the case when using
- startTLS, so we use NULL to set the default for all
- new connections */
+ /* we can only use the set functions below with a real
+ LDAP* if it has already gone through ldapssl_init -
+ so, use NULL if using starttls */
if (secure == 1) {
- rc = ldapssl_set_strength(ld, ssl_strength);
- } else {
- rc = ldapssl_set_strength(NULL, ssl_strength);
+ myld = ld;
}
- if (rc != 0) {
+ if ((rc = ldapssl_set_strength(myld, ssl_strength)) ||
+ (rc = ldapssl_set_option(myld, SSL_ENABLE_SSL2, PR_FALSE)) ||
+ (rc = ldapssl_set_option(myld, SSL_ENABLE_SSL3, PR_TRUE)) ||
+ (rc = ldapssl_set_option(myld, SSL_ENABLE_TLS, PR_TRUE))) {
int prerr = PR_GetError();
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
- "failed: unable to set SSL strength to %d ("
+ "failed: unable to set SSL options ("
SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- ssl_strength, prerr,
- slapd_pr_strerror(prerr));
+ prerr, slapd_pr_strerror(prerr));
}
if (secure == 1) {
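Review bot: When setting the SSL strength or protocol options fails, the new code logs and then carries on into the `if (secure == 1)` path with `rc` set but not acted on, so a connection may be set up without the cert/hostname verification the configuration asked for; the old code had the same gap, but the chain now also covers the SSL2/SSL3/TLS switches. Unless `rc` is checked right after this block (not visible here), bail out as the function does elsewhere, releasing `ld` as its other failure paths do before `goto done;`. Note also that with `myld == NULL` (the startTLS case) these calls change the process-wide defaults for every later `LDAP *`, which the comment above hints at and is worth stating explicitly. slapi_ldap_init_ext starts and ends outside the hunk.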
@@ -1023,6 +1023,11 @@ slapi_ldap_init_ext(
ldap_controls_free(clientctrls); /* free the copy */
}
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_init_ext",
+ "Success: set up conn to [%s:%d]%s\n",
+ hostname, port,
+ (secure == 2) ? " using startTLS" :
+ ((secure == 1) ? " using SSL" : ""));
done:
ldap_free_urldesc(ludp);
@@ -1092,7 +1097,10 @@ slapi_ldap_bind(
"auth - error %d - make sure the server is "
"correctly configured for SSL/TLS\n", rc);
goto done;
- }
+ } else {
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind",
+ "Set up conn to use client auth\n");
+ }
bvcreds.bv_val = NULL; /* ignore username and passed in creds */
bvcreds.bv_len = 0; /* for external auth */
bindid = NULL;
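Review bot: The tracing added to slapi_ldap_bind in this commit prints the bind password: the `"attempting %s bind with id [%s] creds [%s]\n"` message added in the function's last hunk passes `creds` to `%s`, which puts the plaintext credential in the error log whenever the SHELL log level is enabled. Drop the credential from the message, `"attempting %s bind with id [%s]\n"`, and guard the id as the error message below it already does, `bindid ? bindid : "(anon)"`, since `bindid` is set to NULL on the external-auth path just above and a NULL `%s` argument is undefined behaviour. slapi_ldap_bind starts and ends outside the hunk.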
@@ -1110,6 +1118,8 @@ slapi_ldap_bind(
rc, ldap_err2string(rc));
goto done;
}
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind",
+ "startTLS started on connection\n");
}
/* The connection has been set up - now do the actual bind, depending on
@@ -1118,14 +1128,20 @@ slapi_ldap_bind(
!strcmp(mech, LDAP_SASL_EXTERNAL)) {
int mymsgid = 0;
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind",
+ "attempting %s bind with id [%s] creds [%s]\n",
+ mech ? mech : "SIMPLE",
+ bindid, creds);
if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
NULL /* clientctrls */, &mymsgid))) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send bind request for id "
- "[%s] mech [%s]: error %d (%s)\n",
+ "[%s] mech [%s]: error %d (%s) %d (%s) %d (%s)\n",
bindid ? bindid : "(anon)",
mech ? mech : "SIMPLE",
- rc, ldap_err2string(rc));
+ rc, ldap_err2string(rc),
+ PR_GetError(), slapd_pr_strerror(PR_GetError()),
+ errno, slapd_system_strerror(errno));
goto done;
}