(ITS#8140) ssf is hard coded to log as zero, even if it is non-zero
Full_Name: Quanah Gibson-Mount
Version: RE24
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.52.177)
bind.c hard codes the output of the ssf= line in some of the stats logging to be
zero, even if the connection actually has a higher ssf. For example:
    May 11 02:28:06 ldap01 slapd[33839]: conn=153267 fd=86 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1 tls_cipher=AES256-SHA
    May 11 02:28:06 ldap01 slapd[33839]: conn=153266 op=1 BIND dn="uid=zimbra,cn=admins,cn=zimbra" method=128
    May 11 02:28:06 ldap01 slapd[33839]: conn=153266 op=1 BIND dn="uid=zimbra,cn=admins,cn=zimbra" mech=SIMPLE ssf=0%%0
    May 11 02:28:06 ldap01 slapd[33839]: conn=153266 op=1 RESULT tag=97 err=0 text=
Note how we have mech=SIMPLE, ssf=0.
Since we ran startTLS, and it was established, we clearly do NOT have an ssf of
zero. The ssf=0 bit is *hard coded* in bind.c in the fe_op_bind_success
function:
    /* log authorization identity */
    Statslog( LDAP_DEBUG_STATS,
        "%s BIND dn=\"%s\" mech=%s ssf=0\n",
        op->o_log_prefix,
        op->o_conn->c_dn.bv_val, op->orb_mech.bv_val, 0, 0 );
There's a similar block in do_bind for anonymous binds as well:
    if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
        /* log authorization identity demotion */
        Statslog( LDAP_DEBUG_STATS,
            "%s BIND anonymous mech=implicit ssf=0\n",
            op->o_log_prefix, 0, 0, 0, 0 );
    }
It likely should be changed to use:
op->o_conn->c_ssf
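As an added example (not part of this ITS report or of OpenLDAP's own code), the Python check below replays slapd stats-log lines, remembers each connection's ssf from its "TLS established" line and flags BIND lines whose printed ssf disagrees with it, which is exactly what the hard-coded ssf=0 produces. The sample log lines are constructed to mirror the report; the conn numbers and the second DN are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample slapd stats-log lines, modelled on the report (not copied):
# conn=100 runs StartTLS and then binds, conn=101 binds over a plain socket.
# With the bind.c bug, both BIND lines print ssf=0.
SAMPLE_LOG = """\
May 11 02:28:06 ldap01 slapd[33839]: conn=100 fd=86 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1 tls_cipher=AES256-SHA
May 11 02:28:06 ldap01 slapd[33839]: conn=100 op=1 BIND dn="uid=zimbra,cn=admins,cn=zimbra" method=128
May 11 02:28:06 ldap01 slapd[33839]: conn=100 op=1 BIND dn="uid=zimbra,cn=admins,cn=zimbra" mech=SIMPLE ssf=0%%0
May 11 02:28:06 ldap01 slapd[33839]: conn=100 op=1 RESULT tag=97 err=0 text=
May 11 02:28:07 ldap01 slapd[33839]: conn=101 op=0 BIND dn="cn=plain,dc=example,dc=com" mech=SIMPLE ssf=0
May 11 02:28:07 ldap01 slapd[33839]: conn=101 op=0 RESULT tag=97 err=0 text=
"""

TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established .*?\bssf=(\d+)")
# Capture only the leading digits: the report shows a stray "%%0" after the
# hard-coded value, and that suffix must not break the match.
BIND_RE = re.compile(r"conn=(\d+) op=(\d+) BIND .*?mech=(\S+) ssf=(\d+)")

@dataclass(frozen=True)
class BindFinding:
    conn: int
    op: int
    mech: str
    logged_ssf: int   # the ssf= value printed on the BIND line
    conn_ssf: int     # ssf established on the connection so far (0 if none)
    verdict: str      # "ok", "misreported" or "cleartext"

def audit_binds(log_text: str) -> list[BindFinding]:
    """Replay the log in order, track each connection's ssf from its
    'TLS established' line and compare it with what the BIND line claims."""
    conn_ssf: dict[int, int] = {}
    findings: list[BindFinding] = []
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            conn_ssf[int(m.group(1))] = int(m.group(2))
        elif m := BIND_RE.search(line):
            conn, op, mech, logged = (int(m.group(1)), int(m.group(2)),
                                      m.group(3), int(m.group(4)))
            actual = conn_ssf.get(conn, 0)
            if logged != actual:
                verdict = "misreported"   # the ITS#8140 symptom: ssf=0 on a TLS connection
            elif actual == 0 and mech == "SIMPLE":
                verdict = "cleartext"     # password really did cross the wire unprotected
            else:
                verdict = "ok"
            findings.append(BindFinding(conn, op, mech, logged, actual, verdict))
    return findings
```

Once the BIND line prints op->o_conn->c_ssf, the "misreported" verdict disappears and only genuine cleartext simple binds remain flagged.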