(ITS#6789) SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#6789) SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures
- From: sgallagh@redhat.com
- Date: Fri, 14 Jan 2011 12:17:32 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Stephen Gallagher
Version: openldap-2.4.23
OS: Fedora 14 x86_64
URL: https://fedorahosted.org/sssd/ticket/699
Submission from: (NULL) (98.110.239.235)
We have this code in the SSSD (which uses the openldap shared libraries for LDAP
communication).
    ret = ldap_install_tls(state->sh->ldap);
    if (ret != LDAP_SUCCESS) {
        optret = ldap_get_option(state->sh->ldap,
                                 SDAP_DIAGNOSTIC_MESSAGE,
                                 (void*)&tlserr);
        if (optret == LDAP_SUCCESS) {
            DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
                      ldap_err2string(ret),
                      tlserr));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
            ldap_memfree(tlserr);
        }
        else {
            DEBUG(3, ("ldap_install_tls failed: [%s]\n",
                      ldap_err2string(ret)));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
                                 "Check for certificate issues.");
        }
    }
However, whenever there is an issue (such as an invalid/expired certificate) our
logs read:
    (Fri Dec 3 14:13:33 2010) [sssd[be[LDAP]]] [sdap_connect_done] (3): ldap_install_tls failed: [Connect error] [(null)]
This means that the ldap_get_option(SDAP_DIAGNOSTIC_MESSAGE) is returning
LDAP_SUCCESS, but the returned message is "(null)". This is not the same
behavior as with an LDAPS connection, where it will in fact return a message
indicating what the certificate error was.
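A caller-side guard for the case this report describes, added here as an example and not code from SSSD or OpenLDAP: it takes the results of ldap_install_tls() and ldap_get_option() as plain values so it builds without libldap (LDAP_SUCCESS is redefined locally, the function name is made up, and SSSD's SDAP_DIAGNOSTIC_MESSAGE is assumed to wrap libldap's LDAP_OPT_DIAGNOSTIC_MESSAGE), and it falls back to the ldap_err2string() text whenever the diagnostic pointer comes back NULL or empty despite LDAP_SUCCESS.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for libldap's LDAP_SUCCESS (0) so this file builds
 * without <ldap.h>; real callers use the header's definition. */
#define LDAP_SUCCESS 0

/*
 * Decide what to log after ldap_install_tls() fails.
 *   err_str: text from ldap_err2string(ret) for the failing call
 *   optret:  return code of ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &diag)
 *   diag:    the pointer ldap_get_option() filled in; per this ITS it can be
 *            NULL (or empty) even though optret == LDAP_SUCCESS
 * Returns 1 when the diagnostic text was usable, 0 when the fallback was used.
 * The caller still owns diag and releases it with ldap_memfree() (NULL is safe).
 */
int format_tls_failure(const char *err_str, int optret, const char *diag,
                       char *out, size_t outlen)
{
    /* Passing a NULL pointer to "%s" is undefined behaviour; glibc happens to
     * print "(null)", which is exactly the log line quoted in the report.
     * Treat "option call succeeded but returned nothing" like an option failure. */
    if (optret == LDAP_SUCCESS && diag != NULL && diag[0] != '\0') {
        snprintf(out, outlen, "Could not start TLS encryption: [%s] [%s]",
                 err_str, diag);
        return 1;
    }
    snprintf(out, outlen,
             "Could not start TLS encryption: [%s]. Check for certificate issues.",
             err_str);
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed inputs: the reported case (LDAP_SUCCESS with a NULL message) */
    format_tls_failure("Connect error", LDAP_SUCCESS, NULL, buf, sizeof buf);
    puts(buf);
    /* and the LDAPS-style case where a real diagnostic string is available. */
    format_tls_failure("Connect error", LDAP_SUCCESS,
                       "sample diagnostic: certificate expired", buf, sizeof buf);
    puts(buf);
    return 0;
}
```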