
(ITS#6789) SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures



Full_Name: Stephen Gallagher
Version: openldap-2.4.23
OS: Fedora 14 x86_64
URL: https://fedorahosted.org/sssd/ticket/699
Submission from: (NULL) (98.110.239.235)


We have this code in the SSSD (which uses the openldap shared libraries for LDAP
communication).


    int ret, optret;          /* LDAP result codes */
    char *tlserr = NULL;      /* diagnostic string filled in by ldap_get_option() */

    ret = ldap_install_tls(state->sh->ldap);
    if (ret != LDAP_SUCCESS) {

        /* Ask libldap for the TLS layer's diagnostic message. */
        optret = ldap_get_option(state->sh->ldap,
                                 SDAP_DIAGNOSTIC_MESSAGE,
                                 (void*)&tlserr);
        if (optret == LDAP_SUCCESS) {
            DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
                      ldap_err2string(ret),
                      tlserr));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
            ldap_memfree(tlserr);
        }
        else {
            DEBUG(3, ("ldap_install_tls failed: [%s]\n",
                      ldap_err2string(ret)));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
                                 "Check for certificate issues.");
        }
    }


However, whenever there is an issue (such as an invalid/expired certificate) our
logs read:

(Fri Dec  3 14:13:33 2010) [sssd[be[LDAP]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [(null)]

This means that the ldap_get_option(SDAP_DIAGNOSTIC_MESSAGE) is returning
LDAP_SUCCESS, but the returned message is "(null)". This is not the same
behavior as with an LDAPS connection, where it will in fact return a message
indicating what the certificate error was.
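A hardened form of the check in the report, as an added example that is neither SSSD's nor OpenLDAP's own code: it treats a NULL or empty diagnostic string as "no diagnostic" instead of trusting the LDAP_SUCCESS return of ldap_get_option() alone, so the log line falls back to the generic hint rather than printing "(null)". The function name, its arguments and the message layout are assumptions; LDAP_SUCCESS is redefined locally (same value as in <ldap.h>) so the block builds without libldap.

```c
#include <stdio.h>
#include <string.h>

/* Same value as LDAP_SUCCESS in <ldap.h>; defined here so this builds without libldap. */
#define LDAP_SUCCESS 0x00

/*
 * Compose the log line for a failed ldap_install_tls() call (hypothetical helper).
 *
 * errstr : ldap_err2string() text for the ldap_install_tls() return code
 * optret : return code of ldap_get_option(ld, SDAP_DIAGNOSTIC_MESSAGE, &diag)
 * diag   : the string ldap_get_option() stored; per the report it can be NULL
 *          even when optret == LDAP_SUCCESS
 *
 * Returns 1 if diag was usable and was placed in the message, 0 if the generic
 * fallback was used. The caller still owns diag and must ldap_memfree() it
 * when it is non-NULL, regardless of which message was chosen.
 */
int format_tls_failure(const char *errstr, int optret, const char *diag,
                       char *buf, size_t buflen)
{
    /* A NULL or empty diagnostic is "no diagnostic", not a message to print. */
    int have_diag = (optret == LDAP_SUCCESS && diag != NULL && diag[0] != '\0');
    const char *detail = have_diag ? diag : "Check for certificate issues.";

    snprintf(buf, buflen, "Could not start TLS encryption. [%s] %s",
             errstr, detail);
    return have_diag;
}
```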