OpenLDAP
Viewing Incoming/6789

From: sgallagh@redhat.com
Subject: SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures

Date: Fri, 14 Jan 2011 12:17:32 +0000
From: sgallagh@redhat.com
To: openldap-its@OpenLDAP.org
Subject: SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures
Full_Name: Stephen Gallagher
Version: openldap-2.4.23
OS: Fedora 14 x86_64
URL: https://fedorahosted.org/sssd/ticket/699
Submission from: (NULL) (98.110.239.235)


We have this code in the SSSD (which uses the openldap shared libraries for LDAP
communication).


    int ret, optret;
    char *tlserr = NULL;

    /* Upgrade the already-open connection to TLS (STARTTLS). */
    ret = ldap_install_tls(state->sh->ldap);
    if (ret != LDAP_SUCCESS) {
        /* SDAP_DIAGNOSTIC_MESSAGE is SSSD's name for LDAP_OPT_DIAGNOSTIC_MESSAGE.
         * libldap hands back an allocated copy of its last error string, or NULL;
         * the caller owns it and must release it with ldap_memfree(). */
        optret = ldap_get_option(state->sh->ldap,
                                 SDAP_DIAGNOSTIC_MESSAGE,
                                 (void*)&tlserr);
        if (optret == LDAP_SUCCESS) {
            /* This branch is taken even when tlserr == NULL, which is what
             * produces the "[(null)]" in the log excerpt below. */
            DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
                      ldap_err2string(ret),
                      tlserr));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
            ldap_memfree(tlserr);
        }
        else {
            DEBUG(3, ("ldap_install_tls failed: [%s]\n",
                      ldap_err2string(ret)));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
                                 "Check for certificate issues.");
        }
    }


However, whenever there is an issue (such as an invalid/expired certificate) our
logs read:

(Fri Dec  3 14:13:33 2010) [sssd[be[LDAP]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [(null)]

This means that the ldap_get_option(SDAP_DIAGNOSTIC_MESSAGE) is returning
LDAP_SUCCESS, but the returned message is "(null)". This is not the same
behavior as with an LDAPS connection, where it will in fact return a message
indicating what the certificate error was.
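
The report above shows a caller that trusts the LDAP_OPT_DIAGNOSTIC_MESSAGE
result code and ends up logging "(null)". The following is an added example,
not SSSD or OpenLDAP code, of a logging helper that treats "option succeeded
but the message is NULL or empty" the same as "no diagnostic available" and
falls back to the libldap result string plus a concrete hint. The names
format_tls_failure, diag_is_usable, log_tls_failure and the HAVE_LDAP macro
are my own, as is the wording of the log text; the libldap calls inside the
HAVE_LDAP block (ldap_get_option, ldap_err2string, ldap_memfree,
LDAP_OPT_DIAGNOSTIC_MESSAGE) are the real 2.4 API, and that block is only
compiled when you build with -DHAVE_LDAP -lldap so the rest of the file runs
stand-alone. The sample inputs in main() are constructed to mirror the two
behaviours the report describes.

```c
#include <stdio.h>
#include <string.h>

/*
 * Decide whether a diagnostic string from ldap_get_option() is worth logging.
 * have_diag: nonzero if ldap_get_option(LDAP_OPT_DIAGNOSTIC_MESSAGE) returned
 *            LDAP_SUCCESS.
 * diag:      the pointer it handed back. As this ITS shows, it can be NULL (or
 *            empty) even when have_diag is set, so never dereference it blindly.
 */
int diag_is_usable(int have_diag, const char *diag)
{
    return have_diag && diag != NULL && diag[0] != '\0';
}

/*
 * Build one log line for a failed ldap_install_tls().
 * err_string is ldap_err2string(rc) for the ldap_install_tls() result.
 * Returns what snprintf() returns (length excluding the NUL); passing
 * out == NULL with outlen == 0 is allowed to size the buffer first.
 */
int format_tls_failure(const char *err_string, int have_diag, const char *diag,
                       char *out, size_t outlen)
{
    if (diag_is_usable(have_diag, diag)) {
        return snprintf(out, outlen,
                        "Could not start TLS encryption: %s (%s)",
                        err_string, diag);
    }
    /* No usable text from the TLS layer (the MozNSS case in this ITS):
     * say so explicitly instead of printing "(null)", and point the operator
     * at the usual causes of a silent handshake failure. */
    return snprintf(out, outlen,
                    "Could not start TLS encryption: %s. "
                    "No TLS diagnostic from libldap; check the server "
                    "certificate, the CA bundle (TLS_CACERT) and the clock.",
                    err_string);
}

#ifdef HAVE_LDAP
/* Integration with the real library; build with -DHAVE_LDAP -lldap.
 * Call only after ldap_install_tls() returned rc != LDAP_SUCCESS. */
#include <ldap.h>

void log_tls_failure(LDAP *ld, int rc)
{
    char *diag = NULL;
    char line[512];
    int optret = ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &diag);

    format_tls_failure(ldap_err2string(rc), optret == LDAP_SUCCESS, diag,
                       line, sizeof line);
    if (diag != NULL) {
        ldap_memfree(diag); /* libldap allocated it; free it exactly once */
    }
    fprintf(stderr, "%s\n", line);
}
#endif

int main(void)
{
    char line[256];

    /* Constructed input: what the report describes for the MozNSS backend,
     * i.e. ldap_get_option() succeeded but returned a NULL message. */
    format_tls_failure("Connect error", 1, NULL, line, sizeof line);
    puts(line);

    /* Constructed input: a backend that does supply a diagnostic string. */
    format_tls_failure("Connect error", 1, "sample diagnostic from the TLS layer",
                       line, sizeof line);
    puts(line);
    return 0;
}
```

When libldap gives you nothing, the fastest way to see the real handshake
error is to reproduce it outside libldap, for example with
openssl s_client -starttls ldap -connect host:389 -CAfile <your CA bundle>,
which prints the verification result that the NSS backend is swallowing here.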

Followup 1

Date: Fri, 14 Jan 2011 08:23:18 -0500
From: Stephen Gallagher <sgallagh@redhat.com>
To: openldap-its@openldap.org
Subject: (ITS#6789)

I just determined that this didn't occur on openldap-2.4.21, (on that
version, we properly get a lot of useful information about why the
connection failed).

This leads me to believe that this issue is likely related to the recent
switch to Mozilla NSS for crypto support.
-- 
Stephen Gallagher



Followup 2

Date: Tue, 18 Jan 2011 09:15:56 -0700
From: Rich Megginson <rmeggins@redhat.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6789) SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures
The problem is that NSS does not provide an error code to descriptive 
error string mapping.  It needs to be added.  Can the Subject of this 
bug be changed to something like
LDAP_OPT_DIAGNOSTIC_MESSAGE should return descriptive message when using 
MozNSS for TLS



Followup 3

Date: Wed, 13 Apr 2011 10:20:34 -0400
From: Stephen Gallagher <sgallagh@redhat.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#6789)

Has there been any progress on this issue? It causes a lot of headaches
trying to debug connection issues in SSSD.

-- 
Stephen Gallagher



Followup 4

Date: Fri, 15 Apr 2011 10:03:05 -0600
From: Rich Megginson <rmeggins@redhat.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6789) SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures
When https://bugzilla.mozilla.org/show_bug.cgi?id=172051 is fixed, error 
messages will magically appear.


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org