(ITS#6789) SDAP_DIAGNOSTIC_MESSAGE returns (null) for ldap_install_tls() failures

Full_Name: Stephen Gallagher
Version: openldap-2.4.23
OS: Fedora 14 x86_64
URL: https://fedorahosted.org/sssd/ticket/699

We have this code in the SSSD (which uses the openldap shared libraries for LDAP

    ret = ldap_install_tls(state->sh->ldap);
    if (ret != LDAP_SUCCESS) {
        /* tlserr is a char * that receives the diagnostic message */
        optret = ldap_get_option(state->sh->ldap,
                                 SDAP_DIAGNOSTIC_MESSAGE,
                                 &tlserr);
        if (optret == LDAP_SUCCESS) {
            /* the first %s is the error-code text; ldap_err2string() is
             * assumed here, the report's own line was cut off */
            DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
                      ldap_err2string(ret), tlserr));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
        }
        else {
            DEBUG(3, ("ldap_install_tls failed: [%s]\n",
                      ldap_err2string(ret)));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
                                 "Check for certificate issues.");
        }
    }

However, whenever there is an issue (such as an invalid/expired certificate) our
logs read:

(Fri Dec  3 14:13:33 2010) [sssd[be[LDAP]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [(null)]

This means that the ldap_get_option(SDAP_DIAGNOSTIC_MESSAGE) is returning
LDAP_SUCCESS, but the returned message is "(null)". This is not the same
behavior as with an LDAPS connection, where it will in fact return a message
indicating what the certificate error was.
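The caller-side check this report implies, as an added example that is neither SSSD's nor OpenLDAP's code: treat a NULL or empty diagnostic as "no message" even when ldap_get_option() reports LDAP_SUCCESS, and fall back to the generic hint. LDAP_SUCCESS is defined locally so the example builds without <ldap.h>; the value matches libldap's.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the libldap constant (normally from <ldap.h>, where it is 0). */
#define LDAP_SUCCESS 0

/* Pick the detail to log after ldap_install_tls() fails.
 * optret is ldap_get_option()'s return code and diag the pointer it filled in.
 * The case in this report is optret == LDAP_SUCCESS with diag == NULL, so the
 * return code alone is not a safe signal that a message is present. */
const char *tls_failure_detail(int optret, const char *diag)
{
    if (optret != LDAP_SUCCESS || diag == NULL || diag[0] == '\0') {
        return "Check for certificate issues.";  /* no usable diagnostic */
    }
    return diag;
}

/* Build the full log line into out; returns the length snprintf() reports. */
int format_tls_failure(int optret, const char *diag, char *out, size_t outlen)
{
    return snprintf(out, outlen, "Could not start TLS encryption. %s",
                    tls_failure_detail(optret, diag));
}

int main(void)
{
    char line[256];
    format_tls_failure(LDAP_SUCCESS, NULL, line, sizeof line);   /* the bug */
    puts(line);
    format_tls_failure(LDAP_SUCCESS, "certificate verify failed", line, sizeof line);
    puts(line);
    return 0;
}
```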