From 233a3c6c48972b177e60d6ef4cecfacd3cf31659 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 26 Feb 2013 16:25:07 -0500
Subject: Use common error facility instead of sdap_result

Simplifies and consolidates error reporting for ldap authentication paths.

Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
---
 src/providers/ipa/ipa_auth.c | 24 +++++++++++++-----------
 src/providers/ipa/ipa_s2n_exop.c | 34 ++++++++++++++--------------------
 2 files changed, 27 insertions(+), 31 deletions(-)
(limited to 'src/providers/ipa')
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 2a033db9..5cb3d402 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -36,7 +36,6 @@ struct get_password_migration_flag_state {
 struct tevent_context *ev;
 struct sdap_id_op *sdap_op;
 struct sdap_id_ctx *sdap_id_ctx;
- enum sdap_result result;
 struct fo_server *srv;
 char *ipa_realm;
 bool password_migration;
@@ -68,7 +67,6 @@ static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx,
 state->ev = ev;
 state->sdap_id_ctx = sdap_id_ctx;
- state->result = SDAP_ERROR;
 state->srv = NULL;
 state->password_migration = false;
 state->ipa_realm = ipa_realm;
@@ -393,26 +391,30 @@ static void ipa_auth_ldap_done(struct tevent_req *req)
 struct be_ctx *be_ctx = be_req_get_be_ctx(state->be_req);
 int ret;
 int dp_err = DP_ERR_FATAL;
- enum sdap_result result;
- ret = sdap_auth_recv(req, state, &result, NULL);
+ ret = sdap_auth_recv(req, state, NULL);
 talloc_zfree(req);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("auth_send request failed.\n"));
- state->pd->pam_status = PAM_SYSTEM_ERR;
- dp_err = DP_ERR_OK;
- goto done;
- }
+ switch (ret) {
+ case EOK:
+ break;
+ case ERR_AUTH_DENIED:
+ case ERR_AUTH_FAILED:
+ case ERR_PASSWORD_EXPIRED:
 /* TODO: do we need to handle expired passwords? */
- if (result != SDAP_AUTH_SUCCESS) {
 DEBUG(SSSDBG_MINOR_FAILURE, ("LDAP authentication failed, "
 "Password migration not possible.\n"));
 state->pd->pam_status = PAM_CRED_INSUFFICIENT;
 dp_err = DP_ERR_OK;
 goto done;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, ("auth_send request failed.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ dp_err = DP_ERR_OK;
+ goto done;
 }
+
 DEBUG(SSSDBG_TRACE_FUNC, ("LDAP authentication succeded, "
 "trying Kerberos authentication again.\n"));
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index bcf966cf..7e5d0c14 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -52,7 +52,6 @@ struct ipa_s2n_exop_state {
 struct sdap_op *op;
- int result;
 char *retoid;
 struct berval *retdata;
 };
@@ -75,7 +74,6 @@ static struct tevent_req *ipa_s2n_exop_send(TALLOC_CTX *mem_ctx,
 if (!req) return NULL;
 state->sh = sh;
- state->result = LDAP_OPERATIONS_ERROR;
 state->retoid = NULL;
 state->retdata = NULL;
@@ -85,6 +83,7 @@ static struct tevent_req *ipa_s2n_exop_send(TALLOC_CTX *mem_ctx,
 bv, NULL, NULL, &msgid);
 if (ret == -1 || msgid == -1) {
 DEBUG(SSSDBG_CRIT_FAILURE, ("ldap_extended_operation failed\n"));
+ ret = ERR_NETWORK_IO;
 goto fail;
 }
 DEBUG(SSSDBG_TRACE_INTERNAL, ("ldap_extended_operation sent, msgid = %d\n", msgid));
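Review bot: `case ERR_PASSWORD_EXPIRED:` is folded into the same branch as ERR_AUTH_DENIED and ERR_AUTH_FAILED, so an expired password is reported to PAM as PAM_CRED_INSUFFICIENT with the "LDAP authentication failed" message, even though this new code is precisely the signal the surviving `/* TODO: do we need to handle expired passwords? */` was waiting for. Either give it its own case that sets `state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;` (whether that is wanted during password migration cannot be told from here) or retire the TODO and record the decision, e.g. `/* An expired password cannot be used to migrate; treat it like a failed bind. */`. As written the TODO sits between a case label and the first statement, which reads as if it belonged to that one label rather than to the whole branch. ipa_auth_ldap_done continues past the hunk; the done: label is not visible.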
@@ -94,13 +93,14 @@ static struct tevent_req *ipa_s2n_exop_send(TALLOC_CTX *mem_ctx,
 &state->op);
 if (ret) {
 DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to set up operation!\n"));
+ ret = ERR_INTERNAL;
 goto fail;
 }
 return req;
 fail:
- tevent_req_error(req, EIO);
+ tevent_req_error(req, ret);
 tevent_req_post(req, ev);
 return req;
 }
@@ -116,6 +116,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
 char *errmsg = NULL;
 char *retoid = NULL;
 struct berval *retdata = NULL;
+ int result;
 if (error) {
 tevent_req_error(req, error);
@@ -123,19 +124,19 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
 }
 ret = ldap_parse_result(state->sh->ldap, reply->msg,
- &state->result, &errmsg, NULL, NULL,
+ &result, &errmsg, NULL, NULL,
 NULL, 0);
 if (ret != LDAP_SUCCESS) {
 DEBUG(SSSDBG_OP_FAILURE, ("ldap_parse_result failed (%d)\n", state->op->msgid));
- ret = EIO;
+ ret = ERR_NETWORK_IO;
 goto done;
 }
 DEBUG(SSSDBG_TRACE_FUNC, ("ldap_extended_operation result: %s(%d), %s\n",
- sss_ldap_err2string(state->result), state->result, errmsg));
+ sss_ldap_err2string(result), result, errmsg));
- if (state->result != LDAP_SUCCESS) {
- ret = EIO;
+ if (result != LDAP_SUCCESS) {
+ ret = ERR_NETWORK_IO;
 goto done;
 }
@@ -143,7 +144,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
 &retoid, &retdata, 0);
 if (ret != LDAP_SUCCESS) {
 DEBUG(SSSDBG_OP_FAILURE, ("ldap_parse_extendend_result failed (%d)\n", ret));
- ret = EIO;
+ ret = ERR_NETWORK_IO;
 goto done;
 }
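Review bot: `fail:` now reports whatever `ret` happens to hold instead of a fixed EIO, so every jump to it must first store an errno-style code; the two visible sites do (`ret = ERR_NETWORK_IO;` in the previous hunk, `ret = ERR_INTERNAL;` here), but old lines 91–93 between the two hunks are not shown, and a `goto fail` there would hand an LDAP return value, -1 or even 0 to tevent_req_error(), and with 0 the request would never be marked failed. Worth checking the rest of ipa_s2n_exop_send for other jumps to the label, and pinning the contract with a comment on it, `fail: /* ret must already hold an errno/ERR_* code */`.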
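Review bot: `ret = ERR_NETWORK_IO;` is used for three different failures in the @@ -123 hunk and the @@ -143 hunk: ldap_parse_result() failing, the server answering the extended operation with a non-LDAP_SUCCESS `result`, and ldap_parse_extended_result() failing. The middle one is a well-formed reply from a reachable server, not a transport problem, so if callers or failover logic treat ERR_NETWORK_IO as "server unreachable" (cannot be told from these lines) a server-side rejection of the exop becomes indistinguishable from a dead connection. Consider a distinct code for the `result != LDAP_SUCCESS` branch (ERR_INTERNAL is already used in this file, though a dedicated code may fit better) and keeping ERR_NETWORK_IO for the two parse failures, with a one-line comment at that branch stating which class of failure it represents.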
@@ -183,21 +184,15 @@ done:
 }
 static int ipa_s2n_exop_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
- enum sdap_result *result, char **retoid,
- struct berval **retdata)
+ char **retoid, struct berval **retdata)
 {
 struct ipa_s2n_exop_state *state = tevent_req_data(req,
 struct ipa_s2n_exop_state);
 TEVENT_REQ_RETURN_ON_ERROR(req);
- if (state->result == LDAP_SUCCESS) {
- *result = SDAP_SUCCESS;
- *retoid = talloc_steal(mem_ctx, state->retoid);
- *retdata = talloc_steal(mem_ctx, state->retdata);
- } else {
- *result = SDAP_ERROR;
- }
+ *retoid = talloc_steal(mem_ctx, state->retoid);
+ *retdata = talloc_steal(mem_ctx, state->retdata);
 return EOK;
 }
@@ -583,7 +578,6 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
 struct ipa_s2n_get_user_state *state = tevent_req_data(req,
 struct ipa_s2n_get_user_state);
 int ret;
- enum sdap_result result;
 char *retoid = NULL;
 struct berval *retdata = NULL;
 struct resp_attrs *attrs = NULL;
@@ -595,7 +589,7 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
 char *realm;
 char *upn;
- ret = ipa_s2n_exop_recv(subreq, state, &result, &retoid, &retdata);
+ ret = ipa_s2n_exop_recv(subreq, state, &retoid, &retdata);
 talloc_zfree(subreq);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, ("s2n exop request failed.\n"));
-- cgit
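Review bot: ipa_s2n_exop_recv now hands retoid and retdata to mem_ctx unconditionally, which is only safe because ipa_s2n_exop_done turns every non-LDAP_SUCCESS result into tevent_req_error() (it does in the hunks shown) so that TEVENT_REQ_RETURN_ON_ERROR() has already returned; nothing at this function says so. A three-line comment above the signature would make the dependency explicit: on EOK ownership of *retoid and *retdata is transferred to mem_ctx, both may still be NULL (ipa_s2n_exop_send initialises them to NULL and nothing here proves they were set), and on any other return the output pointers are left untouched. Callers such as ipa_s2n_get_user_done should then check retdata for NULL before using it; that code is outside the visible lines.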
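Review bot: in the @@ -595 hunk the failure path discards the code that ipa_s2n_exop_recv now returns (ERR_NETWORK_IO versus ERR_INTERNAL versus anything else), so the log line cannot tell a transport failure from a set-up bug. Since `ret` is right there, `DEBUG(SSSDBG_OP_FAILURE, ("s2n exop request failed [%d].\n", ret));` keeps the distinction the commit introduces. The rest of ipa_s2n_get_user_done lies outside the hunk.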