author | Stephen Gallagher <sgallagh@redhat.com> | 2010-06-15 13:26:18 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-07-09 15:00:57 -0400 |
commit | 8571644422d36fac63d2e351936433f1fb8856c7 (patch) | |
tree | d1269bf4c8c6f66558bfd9be15b03e701ffe579f /src | |
parent | 5ee74e2b7c0cfc30f7209b2b81a34f4f4e15bad7 (diff) | |
Add syslog messages for LDAP GSSAPI bind
We will now emit a level 0 debug message on keytab errors, and
also write to the syslog (LOG_DAEMON)
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ldap/ldap_child.c | 60 |
1 files changed, 58 insertions, 2 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 19162e92..8ad0ad1f 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -142,6 +142,10 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
     krb5_error_code krberr;
     krb5_timestamp kdc_time_offset;
     int kdc_time_offset_usec;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    char *principal;
+    bool found;
     int ret;
 
     krberr = krb5_init_context(&context);
@@ -206,8 +210,57 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
         krberr = krb5_kt_default(context, &keytab);
     }
     if (krberr) {
-        DEBUG(2, ("Failed to read keytab file: %s\n",
+        DEBUG(0, ("Failed to read keytab file: %s\n",
                   sss_krb5_get_error_message(context, krberr)));
+
+        ret = EFAULT;
+        goto done;
+    }
+
+    /* Verify the keytab */
+    krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if (krberr) {
+        DEBUG(0, ("Cannot read keytab [%s].\n", keytab_name));
+
+        sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
+                             "Unable to create GSSAPI-encrypted LDAP connection.",
+                             keytab_name, krberr,
+                             sss_krb5_get_error_message(context, krberr));
+
+        ret = EFAULT;
+        goto done;
+    }
+
+    found = false;
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+        krb5_unparse_name(context, entry.principal, &principal);
+        if (strcmp(full_princ, principal) == 0) {
+            found = true;
+        }
+        free(principal);
+        krb5_free_keytab_entry_contents(context, &entry);
+
+        if (found) {
+            break;
+        }
+    }
+    krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
+    if (krberr) {
+        DEBUG(0, ("Could not close keytab.\n"));
+        sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
+                             keytab_name);
+        ret = EFAULT;
+        goto done;
+    }
+
+    if (!found) {
+        DEBUG(0, ("Principal [%s] not found in keytab [%s]\n",
+                  full_princ, keytab_name));
+        sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
+                             "Principal [%s] was not found. "
+                             "Unable to create GSSAPI-encrypted LDAP connection.",
+                             keytab_name, full_princ);
+        ret = EFAULT;
         goto done;
     }
 
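Review bot: The return value of `krb5_unparse_name` in the keytab scan loop is ignored, so when it fails `principal` is left unset and is then handed to `strcmp` and `free`; the call has to be checked before the comparison. The loop condition also stores a krb5 error code in `ret`, and only `KRB5_KT_END` is a normal exit, yet any other failure from `krb5_kt_next_entry` falls through to the `!found` branch and is reported to syslog as a missing principal instead of a keytab read error, which sends whoever is diagnosing the failed bind in the wrong direction. The fence below keeps the krb5 status in `krberr`, checks the unparse call, and separates end-of-keytab from a read failure before the existing `krb5_kt_end_seq_get` handling. Every new message also prints `keytab_name` with `%s`; if it can be NULL when the `krb5_kt_default` path above is taken, the log lines should substitute a fixed string such as `"default"` for it. The enclosing function continues outside the hunk.
```c
    found = false;
    while ((krberr = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
        krberr = krb5_unparse_name(context, entry.principal, &principal);
        if (krberr) {
            krb5_free_keytab_entry_contents(context, &entry);
            break;
        }
        found = (strcmp(full_princ, principal) == 0);
        free(principal);
        krb5_free_keytab_entry_contents(context, &entry);
        if (found) {
            break;
        }
    }
    if (krberr != 0 && krberr != KRB5_KT_END) {
        DEBUG(0, ("Error reading keytab [%s]: %s\n", keytab_name,
                  sss_krb5_get_error_message(context, krberr)));
        krb5_kt_end_seq_get(context, keytab, &cursor);
        ret = EFAULT;
        goto done;
    }
    /* … unchanged: krb5_kt_end_seq_get, its error path, and the !found report … */
```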
@@ -238,8 +291,11 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
                                         keytab, 0, NULL, &options);
 
     if (krberr) {
-        DEBUG(2, ("Failed to init credentials: %s\n",
+        DEBUG(0, ("Failed to init credentials: %s\n",
                   sss_krb5_get_error_message(context, krberr)));
+        sss_log(SSS_LOG_ERR, "Failed to initialize credentials using keytab [%s]: %s. "
+                             "Unable to create GSSAPI-encrypted LDAP connection.",
+                             keytab_name, sss_krb5_get_error_message(context, krberr));
         ret = EFAULT;
         goto done;
     }
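Review bot: `sss_krb5_get_error_message(context, krberr)` is now called twice for the same error, once in the DEBUG line and again in the new `sss_log` call. If that wrapper returns allocated storage the way `krb5_get_error_message` does, the second string is never released, and even if it does not, the same text is formatted twice; fetch it once into a local, `const char *errmsg = sss_krb5_get_error_message(context, krberr);`, and pass `errmsg` to both calls. The `if` body ends inside the hunk but ldap_child_get_tgt_sync continues outside it.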