Commitcf1238c

committed
Log diagnostic messages if errors occur during LDAP auth.
Diagnostic messages seem likely to help users diagnose root causes more easily, so let's report them as errdetail.

Author: Thomas Munro
Reviewed-By: Ashutosh Bapat, Christoph Berg, Alvaro Herrera, Peter Eisentraut
Discussion: https://postgr.es/m/CAEepm=2_dA-SYpFdmNVwvKsEBXOUj=K4ooKovHmvj6jnMdt8dw@mail.gmail.com
1 parent1feff99 commitcf1238c


2 files changed

+51
-8
lines changed

2 files changed

+51
-8
lines changed

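--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2305,6 +2305,8 @@ CheckBSDAuth(Port *port, char *user)
  */
 #ifdefUSE_LDAP
 
+staticinterrdetail_for_ldap(LDAP*ldap);
+
 /*
  * Initialize a connection to the LDAP server, including setting up
  * TLS if requested.
@@ -2332,7 +2334,9 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 if ((r=ldap_set_option(*ldap,LDAP_OPT_PROTOCOL_VERSION,&ldapversion))!=LDAP_SUCCESS)
 {
 ereport(LOG,
-(errmsg("could not set LDAP protocol version: %s",ldap_err2string(r))));
+(errmsg("could not set LDAP protocol version: %s",
+ldap_err2string(r)),
+errdetail_for_ldap(*ldap)));
 ldap_unbind(*ldap);
 returnSTATUS_ERROR;
 }
@@ -2385,7 +2389,9 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 #endif
 {
 ereport(LOG,
-(errmsg("could not start LDAP TLS session: %s",ldap_err2string(r))));
+(errmsg("could not start LDAP TLS session: %s",
+ldap_err2string(r)),
+errdetail_for_ldap(*ldap)));
 ldap_unbind(*ldap);
 returnSTATUS_ERROR;
 }
@@ -2508,7 +2514,9 @@ CheckLDAPAuth(Port *port)
 {
 ereport(LOG,
 (errmsg("could not perform initial LDAP bind for ldapbinddn \"%s\" on server \"%s\": %s",
-port->hba->ldapbinddn,port->hba->ldapserver,ldap_err2string(r))));
+port->hba->ldapbinddn,port->hba->ldapserver,
+ldap_err2string(r)),
+errdetail_for_ldap(ldap)));
 ldap_unbind(ldap);
 pfree(passwd);
 returnSTATUS_ERROR;
@@ -2534,7 +2542,8 @@ CheckLDAPAuth(Port *port)
 {
 ereport(LOG,
 (errmsg("could not search LDAP for filter \"%s\" on server \"%s\": %s",
-filter,port->hba->ldapserver,ldap_err2string(r))));
+filter,port->hba->ldapserver,ldap_err2string(r)),
+errdetail_for_ldap(ldap)));
 ldap_unbind(ldap);
 pfree(passwd);
 pfree(filter);
@@ -2573,7 +2582,9 @@ CheckLDAPAuth(Port *port)
 (void)ldap_get_option(ldap,LDAP_OPT_ERROR_NUMBER,&error);
 ereport(LOG,
 (errmsg("could not get dn for the first entry matching \"%s\" on server \"%s\": %s",
-filter,port->hba->ldapserver,ldap_err2string(error))));
+filter,port->hba->ldapserver,
+ldap_err2string(error)),
+errdetail_for_ldap(ldap)));
 ldap_unbind(ldap);
 pfree(passwd);
 pfree(filter);
@@ -2618,23 +2629,46 @@ CheckLDAPAuth(Port *port)
 port->hba->ldapsuffix ?port->hba->ldapsuffix :"");
 
 r=ldap_simple_bind_s(ldap,fulluser,passwd);
-ldap_unbind(ldap);
 
 if (r!=LDAP_SUCCESS)
 {
 ereport(LOG,
 (errmsg("LDAP login failed for user \"%s\" on server \"%s\": %s",
-fulluser,port->hba->ldapserver,ldap_err2string(r))));
+fulluser,port->hba->ldapserver,ldap_err2string(r)),
+errdetail_for_ldap(ldap)));
+ldap_unbind(ldap);
 pfree(passwd);
 pfree(fulluser);
 returnSTATUS_ERROR;
 }
 
+ldap_unbind(ldap);
 pfree(passwd);
 pfree(fulluser);
 
 returnSTATUS_OK;
 }
+
+/*
+ * Add a detail error message text to the current error if one can be
+ * constructed from the LDAP 'diagnostic message'.
+ */
+staticint
+errdetail_for_ldap(LDAP*ldap)
+{
+char*message;
+intrc;
+
+rc=ldap_get_option(ldap,LDAP_OPT_DIAGNOSTIC_MESSAGE,&message);
+if (rc==LDAP_SUCCESS&&message!=NULL)
+{
+errdetail("LDAP diagnostics: %s",message);
+ldap_memfree(message);
+}
+
+return0;
+}
+
 #endif/* USE_LDAP */
 
 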
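--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -2,7 +2,7 @@
 use warnings;
 use TestLib;
 use PostgresNode;
-use Test::Moretests=>14;
+use Test::Moretests=>15;
 
 my ($slapd,$ldap_bin_dir,$ldap_schema_dir);
 
@@ -175,3 +175,12 @@ sub test_access
 
 $ENV{"PGPASSWORD"} ='secret1';
 test_access($node,'test1', 0,'combined LDAP URL and search filter');
+
+note"diagnostic message";
+
+unlink($node->data_dir .'/pg_hba.conf');
+$node->append_conf('pg_hba.conf',qq{local all all ldap ldapserver=$ldap_server ldapport=$ldap_port ldapprefix="uid=" ldapsuffix=",dc=example,dc=net" ldaptls=1});
+$node->reload;
+
+$ENV{"PGPASSWORD"} ='secret1';
+test_access($node,'test1', 2,'any attempt fails due to unsupported TLS');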
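Review bot: The new check at line 186 only asserts that the connection fails with status 2, which was already the outcome before this commit, so it never verifies the behaviour being added — that an `LDAP diagnostics:` detail line actually reaches the server log. I would follow the `test_access` call with `like(slurp_file($node->logfile), qr/LDAP diagnostics:/, 'diagnostic message is logged');` and raise the plan to 16; `slurp_file` and `logfile` are the usual TestLib/PostgresNode helpers but are not visible in this hunk, so confirm they are in scope. The repeated `$ENV{"PGPASSWORD"} = 'secret1';` at line 185 duplicates line 176 and can be dropped. The expectation that the failure is caused specifically by unsupported TLS depends on how the test slapd is configured earlier in the file, outside this hunk.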
