Re: [PATCH 2/4] autofs-5.1.8 - improve debug logging of SASL binds

From: Thomas Reim <reimth@xxxxxxxxx>

automounter only provides very limited debug information when binding
using Cyrus SASL. LDAP-based directory services currently all increase
communication security, which makes it difficult for system administrators
to find the root cause of failed authentication binds.

Log Cyrus SASL binding parameters and result.

Signed-off-by: Thomas Reim <reimth@xxxxxxxxx>
---
 modules/cyrus-sasl.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c
index ae046e0..4806734 100644
--- a/modules/cyrus-sasl.c
+++ b/modules/cyrus-sasl.c
@@ -136,7 +136,7 @@ sasl_log_func(void *context, int level, const char *message)
 	case SASL_LOG_DEBUG:
 	case SASL_LOG_TRACE:
 	case SASL_LOG_PASS:
-		debug(LOGOPT_DEBUG, "%s", message);
+		debug(LOGOPT_NONE, "%s", message);
 		break;
 	default:
 		break;
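Review bot: the change from LOGOPT_DEBUG to LOGOPT_NONE for the SASL_LOG_DEBUG / SASL_LOG_TRACE / SASL_LOG_PASS cases is not covered by the commit message, which only talks about logging bind parameters and result; please say in the message what the new gating is meant to achieve (it reads as tying the SASL library's own log callback to autofs's global logging level instead of emitting these lines unconditionally, but that intent should be stated rather than inferred). This matters for the history because SASL_LOG_PASS is the Cyrus SASL level whose traces may include passwords, so a reader should be able to tell from the log which configuration lets those lines reach the log.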
@@ -745,10 +745,11 @@ sasl_conn_t *
 sasl_bind_mech(unsigned logopt, LDAP *ldap, struct lookup_context *ctxt, const char *mech)
 {
 	sasl_conn_t *conn;
-	char *tmp, *host = NULL;
+	char *tmp, *host, *data = NULL;
 	const char *clientout;
 	unsigned int clientoutlen;
 	const char *chosen_mech;
+	sasl_ssf_t *ssf;
 	int result;
 
 	if (!strncmp(mech, "GSSAPI", 6)) {
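Review bot: `host` loses its NULL initialisation here: `char *tmp, *host = NULL;` becomes `char *tmp, *host, *data = NULL;`, which initialises only `data`. The success branch in the following hunk calls `ldap_memfree(host)` unconditionally, so any path that reaches it without having assigned `host` would now free an indeterminate pointer. Suggest `char *tmp, *host = NULL, *data = NULL;`.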
@@ -812,6 +813,20 @@ sasl_bind_mech(unsigned logopt, LDAP *ldap, struct lookup_context *ctxt, const c
 	result = do_sasl_bind(logopt, ldap, conn,
 			 &clientout, &clientoutlen, chosen_mech, result);
 	if (result == 0) {
+		/* Conversation was completed successfully by now */
+		result = sasl_getprop(conn, SASL_USERNAME, (const void **)(char *) &data);
+		if (result == SASL_OK && data && *data)
+			debug(logopt, "SASL username: %s", data);
+		result = ldap_get_option(ldap, LDAP_OPT_X_SASL_AUTHCID, &data);
+		if (result == LDAP_OPT_SUCCESS && data && *data)
+			debug(logopt, "SASL authcid: %s", data);
+		result = ldap_get_option(ldap, LDAP_OPT_X_SASL_AUTHZID, &data);
+		if (result == LDAP_OPT_SUCCESS && data && *data)
+			debug(logopt, "SASL authzid: %s", data);
+		ssf = NULL;
+		result = sasl_getprop(conn, SASL_SSF, (const void **)(char *) &ssf);
+		if (result == SASL_OK)
+			debug(logopt, "SASL SSF: %lu", (unsigned long) *ssf);
 		ldap_memfree(host);
 		debug(logopt, "sasl bind with mechanism %s succeeded",
 		      chosen_mech);
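Review bot: the two `ldap_get_option()` calls leak memory: OpenLDAP hands back LDAP_OPT_X_SASL_AUTHCID and LDAP_OPT_X_SASL_AUTHZID as newly allocated copies that the caller releases with `ldap_memfree()`, but here `data` is simply overwritten by the authzid query and the last value is never freed. Suggest an `ldap_memfree(data)` after each of those two `debug()` calls (not after the `SASL_USERNAME` lookup, where `data` points at storage owned by the SASL connection and must not be freed). Two smaller points: the `(const void **)(char *) &data` and `(const void **)(char *) &ssf` double casts are confusing and `(const void **)&data` / `(const void **)&ssf` are sufficient; and `result` is reused for the getprop/get_option return codes inside the `if (result == 0)` branch, so please confirm that nothing later in that branch still expects `result` to hold the outcome of `do_sasl_bind()`.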
-- 
2.37.1