On 9/8/22 19:57, ThomasReim wrote:
From: Thomas Reim <reimth@xxxxxxxxx> automounter only provides very limited debug information when binding using Cyrus SASL. LDAP based directory services currently all increase communication security, which makes it difficult for system administrators to find the root cause of failed authentication binds. Log Cyrus SASL binding parameters and result. Signed-off-by: Thomas Reim <reimth@xxxxxxxxx> --- modules/cyrus-sasl.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c index 3736d12..8984f0f 100644 --- a/modules/cyrus-sasl.c +++ b/modules/cyrus-sasl.c @@ -136,7 +136,7 @@ sasl_log_func(void *context, int level, const char *message) case SASL_LOG_DEBUG: case SASL_LOG_TRACE: case SASL_LOG_PASS: - debug(LOGOPT_DEBUG, "%s", message); + debug(LOGOPT_NONE, "%s", message); break; default: break; @@ -960,6 +960,26 @@ sasl_bind_mech(unsigned logopt, LDAP *ldap, struct lookup_context *ctxt, const c result = do_sasl_bind(logopt, ldap, conn, &clientout, &clientoutlen, chosen_mech, result); if (result == 0) { + /* Conversation was completed successfully by now */ + char *data; + sasl_ssf_t *ssf; + result = sasl_getprop(conn, SASL_USERNAME, (const void **)(char *) &data); + if (result == SASL_OK && data && *data) { + debug(logopt, "SASL username: %s", data); + } + result = ldap_get_option(ldap, LDAP_OPT_X_SASL_AUTHCID, &data); + if (result == LDAP_OPT_SUCCESS && data && *data) { + debug(logopt, "SASL authcid: %s", data); + } + result = ldap_get_option(ldap, LDAP_OPT_X_SASL_AUTHZID, &data); + if (result == LDAP_OPT_SUCCESS && data && *data) { + debug(logopt, "SASL authzid: %s", data); + } + ssf = NULL; + result = sasl_getprop(conn, SASL_SSF, (const void **)(char *) &ssf); + if (result == SASL_OK) { + debug(logopt, "SASL SSF: %lu", (unsigned long) *ssf); + }
Brackets, ;) Ian
ldap_memfree(host); debug(logopt, "sasl bind with mechanism %s succeeded", chosen_mech);
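Review bot: the first hunk (sasl_log_func) moves SASL_LOG_PASS onto the same LOGOPT_NONE path as SASL_LOG_DEBUG and SASL_LOG_TRACE, and Cyrus SASL documents SASL_LOG_PASS as traces of internal protocols including passwords. The commit message should say what LOGOPT_NONE changes about when these messages reach the log, and SASL_LOG_PASS deserves its own case (or at least a comment) so a reader can verify that credential traces are only ever emitted when debug logging was explicitly enabled.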
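Review bot: in the second hunk the two ldap_get_option() calls for LDAP_OPT_X_SASL_AUTHCID and LDAP_OPT_X_SASL_AUTHZID return strings the caller owns, so each `data` obtained that way needs an ldap_memfree(data) after its debug() call; as written both are leaked on every successful bind. The SASL_USERNAME pointer from sasl_getprop() is owned by the SASL connection and must not be freed, so reusing the same `data` variable for both kinds of lookup invites the wrong cleanup; a separate variable, or resetting `data = NULL` after each ldap_memfree(), makes the ownership obvious. Also, `result` is overwritten by each sasl_getprop()/ldap_get_option() return inside the `if (result == 0)` block, so anything after this block that inspects `result` no longer sees the bind outcome; a local `rc` for the property lookups avoids that. Finally, `(const void **)(char *) &data` can simply be `(const void **)&data`.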