[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: starting of TLS not logged (ITS#3281)

Oops, I didn't notice that "(ITS#3281)" was missing in Subject.
Please reply to this message instead of the previous one.

Ulrich Windl writes:
> OpenLDAP does not log start of TLS, (...)

Here is a suggestion for a patch to CVS HEAD:


It needs review from someone who understands the statement

   if (send_ldap_response( op, rs ) == SLAP_CB_CONTINUE )

I took it from elsewhere in result.c without knowing what it does.

I've split the patch in two parts:

- Patch #1.

  Add missing Statslog() statements (loglevel stats/stats2):
  "TLS established" (in addition to STARTTLS and its RESULT,
  and with only "conn=" in front, not "op=").
  "EXT oid=..." for unsupported extended operations.
  "RESULT" for SASL bind, "RESULT oid=..." for extended response.
  "INTERM oid=..." for intermediate responses (loglevel stats2).

  That misses some significant connection events, so:

- Patch #2.

  In Statslog output "conn=xx fd=yy closed", append the reason in
  "()" unless client or server closed the connection after Unbind.
  Currently known reasons are "connection lost", "slapd shutdown",
  "idletimeout", "operations error", "TLS negotiation failure",
  "SASL layer install failure", "connection lost on write".

Still missing Statslog output from a number of failed requests,
e.g. unrecognized critical controls and bad base DNs.  That would
take more thorough Statslog revamping, so I'll get back to it

For sale: Parachute. Never opened, used once, slightly stained.