ITS#6789 (Incoming)
Notes: MozNSS, not ours
Date: Fri, 14 Jan 2011 12:17:32 +0000
From: sgallagh@redhat.com
To: openldap-its@OpenLDAP.org
Subject: SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures

Full_Name: Stephen Gallagher
Version: openldap-2.4.23
OS: Fedora 14 x86_64
URL: https://fedorahosted.org/sssd/ticket/699
Submission from: (NULL) (98.110.239.235)

We have this code in the SSSD (which uses the openldap shared libraries for LDAP communication).

    ret = ldap_install_tls(state->sh->ldap);
    if (ret != LDAP_SUCCESS) {
        optret = ldap_get_option(state->sh->ldap, SDAP_DIAGNOSTIC_MESSAGE,
                                 (void*)&tlserr);
        if (optret == LDAP_SUCCESS) {
            DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
                      ldap_err2string(ret), tlserr));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
            ldap_memfree(tlserr);
        } else {
            DEBUG(3, ("ldap_install_tls failed: [%s]\n", ldap_err2string(ret)));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
                                 "Check for certificate issues.");
        }
    }

However, whenever there is an issue (such as an invalid/expired certificate) our logs read:

    (Fri Dec  3 14:13:33 2010) [sssd[be[LDAP]]] [sdap_connect_done] (3): ldap_install_tls failed: [Connect error] [(null)]

This means that the ldap_get_option(SDAP_DIAGNOSTIC_MESSAGE) is returning LDAP_SUCCESS, but the returned message is "(null)". This is not the same behavior as with an LDAPS connection, where it will in fact return a message indicating what the certificate error was.
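Added example (not SSSD's or OpenLDAP's code) of the check the snippet above lacks: given the behaviour reported here, LDAP_SUCCESS from ldap_get_option() does not guarantee a non-NULL diagnostic string, so the log formatting must fall back to the ldap_err2string() text instead of handing a NULL pointer to %s. The libldap calls stay with the caller; LDAP_SUCCESS is defined locally so the snippet builds without libldap, and the inputs in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Same value as LDAP_SUCCESS in <ldap.h>; defined here only so this
 * stand-alone example builds without libldap. */
#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS 0x00
#endif

/* Returns 1 only when the string obtained from
 * ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &diag) is usable.
 * The report shows optret == LDAP_SUCCESS with a NULL diag is a real
 * outcome under MozNSS, so the return code alone is not enough; an
 * empty string is treated the same way. */
int tls_diag_usable(int optret, const char *diag)
{
    return optret == LDAP_SUCCESS && diag != NULL && diag[0] != '\0';
}

/* Builds the log line for a failed ldap_install_tls(). err_str is the
 * text from ldap_err2string(ret). Returns the message length, or 0 when
 * buf is too small, so the caller notices truncation. */
size_t format_tls_failure(char *buf, size_t buflen, const char *err_str,
                          int optret, const char *diag)
{
    int n;

    if (tls_diag_usable(optret, diag)) {
        n = snprintf(buf, buflen, "ldap_install_tls failed: [%s] [%s]",
                     err_str, diag);
    } else {
        /* Never pass a possibly-NULL pointer to %s: glibc prints "(null)",
         * other libcs may crash. Fall back to the libldap error text. */
        n = snprintf(buf, buflen,
                     "ldap_install_tls failed: [%s] (no diagnostic from the TLS "
                     "backend; check certificate validity and trust)", err_str);
    }
    if (n < 0 || (size_t)n >= buflen)
        return 0;
    return (size_t)n;
}

int main(void)
{
    char line[256];
    /* Constructed inputs: the MozNSS case from the report (LDAP_SUCCESS but
     * NULL message) and a case where the backend did supply a message. */
    format_tls_failure(line, sizeof line, "Connect error", LDAP_SUCCESS, NULL);
    puts(line);
    format_tls_failure(line, sizeof line, "Connect error", LDAP_SUCCESS,
                       "peer cert untrusted (constructed sample)");
    puts(line);
    return 0;
}
```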
Date: Fri, 14 Jan 2011 08:23:18 -0500
From: Stephen Gallagher <sgallagh@redhat.com>
To: openldap-its@openldap.org
Subject: (ITS#6789)

I just determined that this didn't occur on openldap-2.4.21 (on that version, we properly get a lot of useful information about why the connection failed). This leads me to believe that this issue is likely related to the recent switch to Mozilla NSS for crypto support.

-- Stephen Gallagher
Date: Tue, 18 Jan 2011 09:15:56 -0700
From: Rich Megginson <rmeggins@redhat.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6789) SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures

The problem is that NSS does not provide an error code to descriptive error string mapping. It needs to be added. Can the Subject of this bug be changed to something like "LDAP_OPT_DIAGNOSTIC_MESSAGE should return descriptive message when using MozNSS for TLS"?
Date: Wed, 13 Apr 2011 10:20:34 -0400
From: Stephen Gallagher <sgallagh@redhat.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#6789)

Has there been any progress on this issue? It causes a lot of headaches trying to debug connection issues in SSSD.

-- Stephen Gallagher
Date: Fri, 15 Apr 2011 10:03:05 -0600
From: Rich Megginson <rmeggins@redhat.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6789) SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures
When https://bugzilla.mozilla.org/show_bug.cgi?id=172051 is fixed, error messages will magically appear.
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org