authorStephen Gallagher <sgallagh@redhat.com>2010-06-15 13:26:18 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-07-09 15:00:57 -0400
commit8571644422d36fac63d2e351936433f1fb8856c7 (patch)
treed1269bf4c8c6f66558bfd9be15b03e701ffe579f
parent5ee74e2b7c0cfc30f7209b2b81a34f4f4e15bad7 (diff)
Add syslog messages for LDAP GSSAPI bind
We will now emit a level 0 debug message on keytab errors, and also write to the syslog (LOG_DAEMON)
-rw-r--r--src/providers/ldap/ldap_child.c60
1 files changed, 58 insertions, 2 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 19162e92..8ad0ad1f 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -142,6 +142,10 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_error_code krberr;
krb5_timestamp kdc_time_offset;
int kdc_time_offset_usec;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ char *principal;
+ bool found;
int ret;
krberr = krb5_init_context(&context);
@@ -206,8 +210,57 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krberr = krb5_kt_default(context, &keytab);
}
if (krberr) {
- DEBUG(2, ("Failed to read keytab file: %s\n",
+ DEBUG(0, ("Failed to read keytab file: %s\n",
sss_krb5_get_error_message(context, krberr)));
+
+ ret = EFAULT;
+ goto done;
+ }
+
+ /* Verify the keytab */
+ krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (krberr) {
+ DEBUG(0, ("Cannot read keytab [%s].\n", keytab_name));
+
+ sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
+ "Unable to create GSSAPI-encrypted LDAP connection.",
+ keytab_name, krberr,
+ sss_krb5_get_error_message(context, krberr));
+
+ ret = EFAULT;
+ goto done;
+ }
+
+ found = false;
+ while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+ krb5_unparse_name(context, entry.principal, &principal);
+ if (strcmp(full_princ, principal) == 0) {
+ found = true;
+ }
+ free(principal);
+ krb5_free_keytab_entry_contents(context, &entry);
+
+ if (found) {
+ break;
+ }
+ }
+ krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (krberr) {
+ DEBUG(0, ("Could not close keytab.\n"));
+ sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
+ keytab_name);
+ ret = EFAULT;
+ goto done;
+ }
+
+ if (!found) {
+ DEBUG(0, ("Principal [%s] not found in keytab [%s]\n",
+ full_princ, keytab_name));
+ sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
+ "Principal [%s] was not found. "
+ "Unable to create GSSAPI-encrypted LDAP connection.",
+ keytab_name, full_princ);
+
ret = EFAULT;
goto done;
}
@@ -238,8 +291,11 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
keytab, 0, NULL, &options);
if (krberr) {
- DEBUG(2, ("Failed to init credentials: %s\n",
+ DEBUG(0, ("Failed to init credentials: %s\n",
sss_krb5_get_error_message(context, krberr)));
+ sss_log(SSS_LOG_ERR, "Failed to initialize credentials using keytab [%s]: %s. "
+ "Unable to create GSSAPI-encrypted LDAP connection.",
+ keytab_name, sss_krb5_get_error_message(context, krberr));
ret = EFAULT;
goto done;
}
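Review bot: `sss_krb5_get_error_message` is called twice for the same `krberr` here, once in the `DEBUG` call and again in the new `sss_log` call, and neither result is released. If that wrapper allocates the way `krb5_get_error_message` does (its contract is not visible in this diff), both strings leak on every failed credential initialization; the same pattern appears at the keytab-open failure in the previous hunk. Capturing the message once into a `const char *` local declared alongside the other additions in the first hunk, `errmsg = sss_krb5_get_error_message(context, krberr);`, and using `errmsg` in both calls halves the cost and leaves a single place to free it. The function's `done:` cleanup label is outside this hunk.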