#53 Add more LDAP logging to help with troubleshooting
Merged 3 months ago by abbra. Opened 3 months ago by mreynolds.
mreynolds/slapi-nis add_more_logging  into  master

file modified
+2 -2
@@ -33,7 +33,7 @@ 

   * statement from your version and license this file solely under the GPL without

   * exception.

   *

-  * Copyright (C) 2005 Red Hat, Inc.

+  * Copyright (C) 2005-2023 Red Hat, Inc.

   * All rights reserved.

   * END COPYRIGHT BLOCK **/

  
@@ -302,7 +302,7 @@ 

  

  	/* Log the diagnostic information for the administrator. */

  	slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id,

- 			"%s\n", errmsg);

+ 			"backend_sch_do_pam_auth - %s\n", errmsg);

  	if (errmsg != NULL) {

  		PR_smprintf_free(errmsg);

  	}
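Review bot: `errmsg` is still passed to `%s` in the rewritten format line before the `if (errmsg != NULL)` test that follows it, so the guard implies a NULL value that the log call does not allow for. What the formatter prints for a NULL argument is not visible here; an explicit fallback in the style the other file in this change uses for `target` removes the doubt: `"backend_sch_do_pam_auth - %s\n", errmsg ? errmsg : "(no message)");`. The text in `errmsg` is built outside the hunk, so it is worth confirming whether it can carry client-supplied strings from the PAM exchange, since this line writes it to the errors log verbatim. The enclosing function starts and ends outside the hunk.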

file modified
+24 -3
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright 2008,2009,2010,2011,2012,2013,2014 Red Hat, Inc.

+  * Copyright 2008-2023 Red Hat, Inc.

   *

   * This Program is free software; you can redistribute it and/or modify

   * it under the terms of the GNU General Public License as published by
@@ -2113,6 +2113,12 @@ 

  	wrap_inc_call_level();

  	if (map_rdlock() == 0) {

  		if (backend_check_scope_pb(pb)) {

+ 			char *target = NULL;

+ 			slapi_pblock_get(pb, SLAPI_TARGET_DN, &target);

+ 			slapi_log_error(SLAPI_LOG_PLUGIN, "backend_compare_cb",

+ 			                "Bind DN (%s) not found in map cache. "

+ 			                "Returning unwilling to perform\n",

+ 			                target ? target : "bind DN not found");

  			slapi_send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM,

  					       NULL, NULL, 0, NULL);

  			ret = -1;
@@ -2554,6 +2560,9 @@ 

  backend_bind_cb_pam(Slapi_PBlock *pb, const char *username, char *ndn)

  {

  	slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);

+ 	slapi_log_error(SLAPI_LOG_PLUGIN, "backend_bind_cb_pam",

+ 		"Not using PAM, must return invalid credentials for: %s (%s)\n",

+ 		username, ndn);

  	return LDAP_INVALID_CREDENTIALS;

  }

  #endif
@@ -2588,9 +2597,9 @@ 

  	 *    changes in a Kerberos principal would cause cascading effect on

  	 *    some of entries belonging to a slapi-nis map cache.

  	 * 2. If bind target DN exists in LDAP store, its map cache entry

- 	 *    will have orginal entry DN recorded. Enforcing SLAPI_BIND_TARGET_SDN

+ 	 *    will have original entry DN recorded. Enforcing SLAPI_BIND_TARGET_SDN

  	 *    to it will force other plugins to handle authentication request against

- 	 *    the original because slapi-nis' map cache entry doesn't have paswords

+ 	 *    the original because slapi-nis' map cache entry doesn't have passwords

  	 *    recorded. To make it working, slapi-nis should be registered with higher

  	 *    plugin ordering priority than other plugins.

  	 * 3. If bind target DN is not found in the map cache, bind request is rejected.
@@ -2648,6 +2657,12 @@ 

  done_with_lock:

  		wrap_dec_call_level();

  		if (backend_check_scope_pb(pb)) {

+ 			char *target = NULL;

+ 			slapi_pblock_get(pb, SLAPI_TARGET_DN, &target);

+ 			slapi_log_error(SLAPI_LOG_PLUGIN, "backend_bind_cb",

+ 			                "Bind DN (%s) not found in map cache. "

+ 			                "Returning invalid credentials\n",

+ 			                target ? target : "bind DN not found");

  			slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,

  					       NULL, NULL, 0, NULL);

  			ret = -1;
@@ -2855,6 +2870,12 @@ 

  	wrap_inc_call_level();

  	if (map_rdlock() == 0) {

  		if (backend_check_scope_pb(pb)) {

+ 			char *target = NULL;

+ 			slapi_pblock_get(pb, SLAPI_TARGET_DN, &target);

+ 			slapi_log_error(SLAPI_LOG_PLUGIN, "backend_compare_cb",

+ 			                "Bind DN (%s) not found in map cache. "

+ 			                "Returning unwilling to perform\n",

+ 			                target ? target : "bind DN not found");

  			slapi_send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM,

  					       NULL, NULL, 0, NULL);

  			ret = -1;
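Review bot: The hunks at `@@ -2113` and `@@ -2855` add the same log call with the same subsystem tag `"backend_compare_cb"` and the same "Bind DN" wording, although they sit about 750 lines apart and so presumably in two different callbacks (both enclosing functions start outside the hunks). Someone reading the errors log cannot tell which path rejected the request, so each call should carry the name of its own function, and the compare path should describe the value as what it is, e.g. `"Target DN (%s) rejected. Returning unwilling to perform\n"`. The message also asserts "not found in map cache" while the only visible condition is `backend_check_scope_pb(pb)` being true, so the wording should be checked against what that helper actually tests. In `backend_bind_cb_pam`, `username` and `ndn` reach `%s` without the NULL fallback the other hunks apply to `target`; `username ? username : "(none)"` and the same for `ndn` would keep the calls consistent.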

no initial comment

Thank you.
The only comment I have is for the copyright changes -- typically there would be 'copyright <date range>' if multiple years were covered, not an up to date one. E.g. 'Copyright 2008-2023 ...'.

Otherwise, it looks good.

rebased onto 465cf02

3 months ago

Thank you.
The only comment I have is for the copyright changes -- typically there would be 'copyright <date range>' if multiple years were covered, not an up to date one. E.g. 'Copyright 2008-2023 ...'.

Fixed!

Pull-Request has been merged by abbra

3 months ago