When an attempt is made to configure sssd to point at secure LDAP, the connection fails with the error message below:
[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
This error message is too vague to be of any use, as it appears that this message is returned for every possible SSL error, from common name mismatches to untrusted certificates to who knows what else.
This code needs to be properly completed so that the underlying error message from the library is returned and logged. It should not be necessary to bring sssd up on a debugger or run it through ssldump to pick apart what sssd might be doing.
(Just to explicitly state: this bug is about the error message; it is NOT about whatever underlying cause triggered the error message. That is a separate problem.)
The error message comes from ldap_err2string(). I'm not sure how you propose we get more information?
Closing since this is handled by ldap_err2string. Please reopen if you have a better suggestion on more verbose error reporting.
resolution: => invalid status: new => closed
Having slammed headlong into this bug yet again, more digging reveals that sssd has an LDAP diagnostics mechanism for SSL messages described at http://fossies.org/linux/sssd/src/util/sss_ldap.h.
It appears that sssd is not using this mechanism consistently.
Fields changed
resolution: invalid => status: closed => reopened
The following patch should fix this issue:
(Unfortunately git-master of sssd refuses to get past ./configure on either MacOSX or Fedora23, so this is untested, but it will show you how error handling is done in sssd)
diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c index 7fdaadb..3fd932a 100644 --- a/src/util/sss_ldap.c +++ b/src/util/sss_ldap.c @@ -200,8 +200,10 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq) struct tevent_req); struct sss_ldap_init_state *state = tevent_req_data(req, struct sss_ldap_init_state); + char *tlserr; int ret; int lret; + int optret; ret = sssd_async_socket_init_recv(subreq, &state->sd); talloc_zfree(subreq); @@ -228,8 +230,22 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq) if (lret == LDAP_LOCAL_ERROR) { DEBUG(SSSDBG_FUNC_DATA, "TLS/SSL already in place.\n"); } else { - DEBUG(SSSDBG_CRIT_FAILURE, "ldap_install_tls failed: %s\n", - sss_ldap_err2string(lret)); + + optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap, + &tlserr); + if (optret == LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "ldap_install_tls failed: [%s] [%s]\n", + sss_ldap_err2string(lret), + tlserr); + sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr); + } + else { + DEBUG(SSSDBG_CRIT_FAILURE, "ldap_install_tls failed: [%s]\n", + sss_ldap_err2string(lret)); + sss_log(SSS_LOG_ERR, "Could not start TLS encryption. " + "Check for certificate issues."); + } + ret = EIO; goto fail; }
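Review bot: in the second hunk, the LDAP_SUCCESS branch passes tlserr straight into DEBUG and sss_log; if the diagnostic message comes back empty (or NULL), the syslog line degrades to "Could not start TLS encryption. " with nothing after it, so the fallback text "Check for certificate issues." should also be used when tlserr is NULL or empty, not only when optret != LDAP_SUCCESS. Style point: the lone `+` blank line right after `} else {` adds an empty line inside the block and can be dropped. Also, tlserr is never released in this function; that is fine only if sss_ldap_get_diagnostic_msg allocates it under the state talloc context passed as its first argument, which is worth confirming in the commit message.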
keywords: => patch summary: Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error => [Patch] Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
Thank you very much for the patch, I will build you a test package with the patch included so you can test it in your environment.
And I'd like to apologize for closing the issue earlier, seems you were right!
I did some minor changes in the patch and pushed it to my github repo: https://github.com/jhrozek/sssd/tree/tlserrmsg
I also started a F-23 test build, let me know if you need another release.
About the configure errors, I would expect them on OSX, we don't support that OS. But F-23 should work fine, can you paste your errors?
Here is the test build: http://koji.fedoraproject.org/koji/taskinfo?taskID=14261915
Doing a normal ./configure, which ends as follows:
configure: creating ./config.status
config.status: creating Makefile
config.status: creating contrib/sssd.spec
config.status: creating src/examples/rwtab
config.status: creating src/doxy.config
config.status: creating contrib/sssd-pcsc.rules
config.status: creating src/sysv/sssd
config.status: creating src/sysv/gentoo/sssd
config.status: creating src/sysv/SUSE/sssd
config.status: error: cannot find input file: `po/Makefile.in.in'
(My target environment was Ubuntu v14.04, but that needed a slightly different patch, was keen to get it working on git master)
rhbz: => todo
Hi again,
for building sssd, I normally use https://fedorahosted.org/sssd/wiki/Contribute#BuildingSSSD and at least here on F-22 all works fine. If you agree, I would like to send the patch to sssd-devel for peer-review, can you re-attach it in the git format or even as a branch on github with your attribution?
[PATCH] Add underlying diagnostic message for SSL errors. 0001-Add-underlying-diagnostic-message-for-SSL-errors.patch
Attachment added as requested.
Thank you, I fixed some style issues in the patch and sent it to sssd-devel for review: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/thread/AWC72VWJZTUOU7JDSBDB2E4CCP3G2AUU/
resolution: => fixed status: reopened => closed
milestone: NEEDS_TRIAGE => SSSD 1.14 alpha
rhbz: todo => 0
Metadata Update from @minfrin: - Issue set to the milestone: SSSD 1.14 alpha
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/4046
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.