author | Andrew Bartlett <abartlet@samba.org> | 2017-09-14 15:07:10 +1200 |
committer | Douglas Bagnall <dbagnall@samba.org> | 2017-09-20 02:25:30 +0200 |
commit | dd53be2756b7b9d446e9fd8549e71177b6c9d356 (patch) | |
tree | 74aba7421e6339459a3570f2b9337940f10e02ac /source4/ldap_server | |
parent | c1e41d489d8b199ad1f7f1546ae50461cda0fbce (diff) | |
ldap_server: Plumb ldb error string from a failed connect to ldapsrv_terminate_connection()
However, do not plumb it through to the error string returned to the client, as it could contain server-side paths.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Diffstat (limited to 'source4/ldap_server')
-rw-r--r-- | source4/ldap_server/ldap_backend.c | 24 | ||||
-rw-r--r-- | source4/ldap_server/ldap_bind.c | 34 | ||||
-rw-r--r-- | source4/ldap_server/ldap_server.c | 10 |
3 files changed, 42 insertions, 26 deletions
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index d4e9030b319..95c7ee7a7f1 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -180,15 +180,17 @@ static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err, /* connect to the sam database */ -NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn) +int ldapsrv_backend_Init(struct ldapsrv_connection *conn, + char **errstring) { - conn->ldb = samdb_connect(conn, - conn->connection->event.ctx, - conn->lp_ctx, - conn->session_info, - conn->global_catalog ? LDB_FLG_RDONLY : 0); - if (conn->ldb == NULL) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; + int ret = samdb_connect_url(conn, + conn->connection->event.ctx, + conn->lp_ctx, + conn->session_info, + conn->global_catalog ? LDB_FLG_RDONLY : 0, + "sam.ldb", &conn->ldb, errstring); + if (ret != LDB_SUCCESS) { + return ret; } if (conn->server_credentials) { @@ -205,11 +207,11 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn) char *sasl_name = talloc_strdup(conn, ops[i]->sasl_name); if (!sasl_name) { - return NT_STATUS_NO_MEMORY; + return LDB_ERR_OPERATIONS_ERROR; } sasl_mechs = talloc_realloc(conn, sasl_mechs, char *, j + 2); if (!sasl_mechs) { - return NT_STATUS_NO_MEMORY; + return LDB_ERR_OPERATIONS_ERROR; } sasl_mechs[j] = sasl_name; talloc_steal(sasl_mechs, sasl_name); @@ -230,7 +232,7 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn) ldb_set_opaque(conn->ldb, "remoteAddress", conn->connection->remote_address); - return NT_STATUS_OK; + return LDB_SUCCESS; } struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, uint8_t type) diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 21cbb7bc74b..7694ff4aab5 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c 
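Review bot: The new `int`-returning `ldapsrv_backend_Init` has no comment stating its changed contract; the old one-line `/* connect to the sam database */` no longer covers it now that the result is an ldb error code and `errstring` is an out-parameter that only `samdb_connect_url` fills in. I would extend the header comment to say that the return value is an `LDB_*` code, that on a failed connect `*errstring` points to a message allocated on `conn` which may carry server-side details and must not be forwarded to the client, and that on failures not originating in `samdb_connect_url` it is left untouched, so callers must initialise it to NULL and tolerate NULL. The function body continues past the end of this hunk.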
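Review bot: Both out-of-memory paths now `return LDB_ERR_OPERATIONS_ERROR;` without assigning `*errstring`, while the new callers in ldap_bind.c and ldap_server.c format that pointer with `%s`, so they print whatever the variable held before the call (NULL if they initialised it, as the other hunks do). The minimum here is a comment on the first such return, `/* out of memory: *errstring is deliberately left untouched; callers must tolerate NULL */`, paired with a NULL guard at each caller that prints it; a separate, distinguishable error code would be cleaner but is not required. The enclosing `if (conn->server_credentials)` block starts before this hunk and ends after it.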
@@ -237,6 +237,7 @@ static void ldapsrv_BindSimple_done(struct tevent_req *subreq) call, &session_info); if (NT_STATUS_IS_OK(status)) { + char *ldb_errstring = NULL; result = LDAP_SUCCESS; errstr = NULL; @@ -248,11 +249,16 @@ static void ldapsrv_BindSimple_done(struct tevent_req *subreq) /* don't leak the old LDB */ talloc_unlink(call->conn, call->conn->ldb); - status = ldapsrv_backend_Init(call->conn); - - if (!NT_STATUS_IS_OK(status)) { - result = LDAP_OPERATIONS_ERROR; - errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status)); + result = ldapsrv_backend_Init(call->conn, &ldb_errstring); + + if (result != LDB_SUCCESS) { + /* Only put the detailed error in DEBUG() */ + DBG_ERR("ldapsrv_backend_Init failed: %s: %s", + ldb_errstring, ldb_strerror(result)); + errstr = talloc_strdup(reply, + "Simple Bind: Failed to advise " + "ldb new credentials"); + result = LDB_ERR_OPERATIONS_ERROR; } } else { status = nt_status_squash(status); @@ -475,6 +481,7 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq) NTSTATUS status; int result; const char *errstr = NULL; + char *ldb_errstring = NULL; DATA_BLOB output = data_blob_null; status = gensec_update_recv(subreq, call, &output); 
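Review bot: In the failure branch `result` is assigned `LDB_ERR_OPERATIONS_ERROR`, but `result` is the LDAP result code for the bind response (the removed line used `LDAP_OPERATIONS_ERROR`, and the success path sets `LDAP_SUCCESS`); the two constants happen to share the value 1, but the LDAP namespace should be kept, `result = LDAP_OPERATIONS_ERROR;`. The `DBG_ERR` call also passes `ldb_errstring` to `%s`, and `ldapsrv_backend_Init` does not set it on its own allocation-failure paths, so guard it: `ldb_errstring ? ldb_errstring : "(no ldb error string)",`. Note that the old ldb has already been `talloc_unlink`ed when the re-init fails, so the connection stays open with `call->conn->ldb` in whatever state `samdb_connect_url` left it; that is pre-existing, but worth a comment if later operations assume a valid handle. The enclosing `if (NT_STATUS_IS_OK(status))` block begins before this hunk.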
@@ -582,15 +589,16 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq) call->conn->authz_logged = true; - status = ldapsrv_backend_Init(conn); + result = ldapsrv_backend_Init(call->conn, &ldb_errstring); - if (!NT_STATUS_IS_OK(status)) { - result = LDAP_OPERATIONS_ERROR; - errstr = talloc_asprintf(reply, - "SASL:[%s]: Failed to advise samdb of new credentials: %s", - req->creds.SASL.mechanism, - nt_errstr(status)); - goto do_reply; + if (result != LDB_SUCCESS) { + /* Only put the detailed error in DEBUG() */ + DBG_ERR("ldapsrv_backend_Init failed: %s: %s", + ldb_errstring, ldb_strerror(result)); + errstr = talloc_strdup(reply, + "SASL Bind: Failed to advise " + "ldb new credentials"); + result = LDB_ERR_OPERATIONS_ERROR; } if (context != NULL) { diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c index d9f24e0817c..7730ff981ca 100644 --- a/source4/ldap_server/ldap_server.c +++ b/source4/ldap_server/ldap_server.c @@ -293,6 +293,7 @@ static void ldapsrv_accept(struct stream_connection *c, int ret; struct tevent_req *subreq; struct timeval endtime; + char *errstring = NULL; conn = talloc_zero(c, struct ldapsrv_connection); if (!conn) { @@ -361,8 +362,13 @@ static void ldapsrv_accept(struct stream_connection *c, conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx); } - if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) { - ldapsrv_terminate_connection(conn, "backend Init failed"); + ret = ldapsrv_backend_Init(conn, &errstring); + if (ret != LDB_SUCCESS) { + char *reason = talloc_asprintf(conn, + "LDB backend for LDAP Init " + "failed: %s: %s", + errstring, ldb_strerror(ret)); + ldapsrv_terminate_connection(conn, reason); return; } |
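Review bot: The removed failure block ended with `goto do_reply;` and its replacement does not, so when `ldapsrv_backend_Init` fails execution now continues into `if (context != NULL) {` and whatever follows outside the hunk with `result` already set to an error, instead of jumping straight to the reply as before; unless that fall-through is intended, add `goto do_reply;` after `result = LDB_ERR_OPERATIONS_ERROR;`. As in the simple-bind path, `result` is the LDAP result code sent to the client, so `LDAP_OPERATIONS_ERROR` is the constant to use, and `ldb_errstring` should be NULL-guarded before being passed to `%s` since the backend does not set it on its allocation-failure paths. The function begins and ends outside this hunk.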
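Review bot: `reason` is built with `%s` from `errstring`, which `ldapsrv_backend_Init` leaves untouched on its own allocation-failure paths, so it can still be the NULL it was initialised to; pass `errstring ? errstring : "(no ldb error string)", ldb_strerror(ret));` rather than relying on the C library printing "(null)". If `talloc_asprintf` itself fails, `reason` is NULL and is handed to `ldapsrv_terminate_connection` unchecked; whether that function tolerates a NULL reason is not visible here, so falling back to a literal such as `"LDB backend for LDAP Init failed"` would be safer. The reason text also carries the ldb error string, which per the commit message may contain server paths; that is acceptable only if `ldapsrv_terminate_connection` logs it and never echoes it to the client, which I cannot confirm from this hunk.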