#3005 [Patch] Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
Closed: Fixed None Opened 7 years ago by minfrin.

When an attempt is made to configure sssd to point at secure LDAP, the connection fails with the error message below:

[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error

This error message is too vague to be of any use, as it appears that this message is returned for every possible SSL error, from common name mismatches to untrusted certificates to who knows what else.

This code needs to be properly completed so that the underlying error message from the library is returned and logged. It should not be necessary to bring sssd up on a debugger or run it through ssldump to pick apart what sssd might be doing.

(Just to explicitly state: this bug is about the error message; it is NOT about whatever underlying cause triggered the error message, which is a separate problem).


The error message comes from ldap_err2string(); I'm not sure how you propose we get more information?

Closing since this is handled by ldap_err2string. Please reopen if you have a better suggestion on more verbose error reporting.

resolution: => invalid
status: new => closed

Having slammed headlong into this bug yet again, more digging reveals that sssd has an LDAP diagnostics mechanism for SSL messages described at http://fossies.org/linux/sssd/src/util/sss_ldap.h.

It appears that sssd is not using this mechanism consistently.

Fields changed

resolution: invalid =>
status: closed => reopened

The following patch should fix this issue:

(Unfortunately git-master of sssd refuses to get past ./configure on either MacOSX or Fedora23, so this is untested, but it will show you how error handling is done in sssd)

diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c
index 7fdaadb..3fd932a 100644
--- a/src/util/sss_ldap.c
+++ b/src/util/sss_ldap.c
@@ -200,8 +200,10 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)
                                                       struct tevent_req);
     struct sss_ldap_init_state *state = tevent_req_data(req,
                                                     struct sss_ldap_init_state);
+    char *tlserr;
     int ret;
     int lret;
+    int optret;

     ret = sssd_async_socket_init_recv(subreq, &state->sd);
     talloc_zfree(subreq);
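Review bot: `char *tlserr;` is declared without an initial value and is only assigned inside the `optret == LDAP_SUCCESS` branch of the next hunk; initialising it (`char *tlserr = NULL;`) costs nothing and keeps the variable safe if a later change reads it on the failure path. Since `state` is passed as the first argument to sss_ldap_get_diagnostic_msg() below, the string appears to be tied to the request's talloc context and freed with it; a one-line comment saying so would spare the next reader the lookup.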
@@ -228,8 +230,22 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)
             if (lret == LDAP_LOCAL_ERROR) {
                 DEBUG(SSSDBG_FUNC_DATA, "TLS/SSL already in place.\n");
             } else {
-                DEBUG(SSSDBG_CRIT_FAILURE, "ldap_install_tls failed: %s\n",
-                          sss_ldap_err2string(lret));
+
+                optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
+                                             &tlserr);
+                if (optret == LDAP_SUCCESS) {
+                    DEBUG(SSSDBG_CRIT_FAILURE, "ldap_install_tls failed: [%s] [%s]\n",
+                              sss_ldap_err2string(lret),
+                              tlserr);
+                    sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
+                }
+                else {
+                    DEBUG(SSSDBG_CRIT_FAILURE, "ldap_install_tls failed: [%s]\n",
+                              sss_ldap_err2string(lret));
+                    sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
+                                         "Check for certificate issues.");
+                }
+
                 ret = EIO;
                 goto fail;
             }
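Review bot: `if (optret == LDAP_SUCCESS)` treats sss_ldap_get_diagnostic_msg() as a libldap call, but it is an SSSD helper; check whether it reports errno-style results (EOK/ENOMEM) and compare against that, because the comparison as written only works since both constants are zero. The brace style should follow the surrounding code, which puts `} else {` on one line (see the existing `} else {` just above the hunk), and the two bare `+` lines are whitespace-only changes that can be dropped. Passing `tlserr` as an argument to a literal format string in sss_log() is the right way to log a message that originates from the TLS layer; keep it that way rather than ever using the diagnostic text as the format itself.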


Fields changed

keywords: => patch
summary: Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error => [Patch] Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error

Thank you very much for the patch, I will build you a test package with the patch included so you can test it in your environment.

And I'd like to apologize for closing the issue earlier, seems you were right!

I did some minor changes in the patch and pushed it to my github repo:
https://github.com/jhrozek/sssd/tree/tlserrmsg

I also started a F-23 test build, let me know if you need another release.

About the configure errors, I would expect them on OSX; we don't support that OS. But F-23 should work fine, can you paste your errors?

Doing a normal ./configure, which ends as follows:

configure: creating ./config.status
config.status: creating Makefile
config.status: creating contrib/sssd.spec
config.status: creating src/examples/rwtab
config.status: creating src/doxy.config
config.status: creating contrib/sssd-pcsc.rules
config.status: creating src/sysv/sssd
config.status: creating src/sysv/gentoo/sssd
config.status: creating src/sysv/SUSE/sssd
config.status: error: cannot find input file: `po/Makefile.in.in'

(My target environment was Ubuntu v14.04, but that needed a slightly different patch; I was keen to get it working on git master)


Fields changed

rhbz: => todo

Hi again,

For building sssd, I normally use https://fedorahosted.org/sssd/wiki/Contribute#BuildingSSSD
and at least here on F-22 all works fine. If you agree, I would like to send the patch to sssd-devel for peer review; can you re-attach it in the git format, or even as a branch on github with your attribution?

Attachment added as requested.

resolution: => fixed
status: reopened => closed

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 alpha

Fields changed

rhbz: todo => 0

Metadata Update from @minfrin:
- Issue set to the milestone: SSSD 1.14 alpha

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4046

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
