diff options
| author | Werner Koch <wk@gnupg.org> | 2021-05-28 15:20:57 +0200 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2021-06-16 12:45:20 +0200 |
| commit | 58e4c82512a4b0828f78fc9f03dbcdbf77760b5c (patch) | |
| tree | 6156d864bfadfce46abbc2ea89f0f35e561f6866 | |
| parent | dirmngr: Use --ldaptimeout for OpenPGP LDAP keyservers. (diff) | |
| download | gnupg2-58e4c82512a4b0828f78fc9f03dbcdbf77760b5c.tar.xz gnupg2-58e4c82512a4b0828f78fc9f03dbcdbf77760b5c.zip | |
dirmngr: Fix default port for our redefinition of ldaps.
* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8de9d54ac83fa20cb52b847b643311841be4d6dc)
| -rw-r--r-- | dirmngr/ks-engine-ldap.c | 30 | ||||
| -rw-r--r-- | dirmngr/server.c | 44 |
2 files changed, 43 insertions, 31 deletions
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index 42b3a837f..72da786fc 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -571,15 +571,14 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp, } } - if (opt.debug) - log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s)\n", - host, port, - basedn_arg ? basedn_arg : "", - bindname ? "bindname=" : "", - bindname ? bindname : "", - password ? "," : "", - password ? "password=>not_shown<" : "", - use_ntds ? " auth=>current_user<":""); + if (opt.verbose) + log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s'\n", + host, port, + basedn_arg ? basedn_arg : "", + bindname ? bindname : "", + password ? "*****" : "", + use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain", + use_ntds ? ",ntds":""); /* If the uri specifies a secure connection and we don't support @@ -596,6 +595,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp, #ifdef HAVE_W32_SYSTEM + /* Note that host==NULL uses the default domain controller. */ npth_unprotect (); ldap_conn = ldap_sslinit (host, port, (use_tls == 2)); npth_protect (); @@ -619,7 +619,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp, npth_unprotect (); lerr = ldap_initialize (&ldap_conn, tmpstr); npth_protect (); - if (lerr || !ldap_conn) + if (lerr != LDAP_SUCCESS || !ldap_conn) { err = ldap_err_to_gpg_err (lerr); log_error ("error initializing LDAP '%s': %s\n", @@ -655,7 +655,8 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp, err = ldap_err_to_gpg_err (lerr); goto out; } - + if (opt.verbose) + log_info ("ldap timeout set to %us\n", opt.ldaptimeout); } #endif @@ -704,8 +705,6 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp, if (use_ntds) { - if (opt.debug) - log_debug ("ldap: binding to current user via AD\n"); #ifdef HAVE_W32_SYSTEM npth_unprotect (); lerr = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE); @@ -718,16 +717,13 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp, goto out; } #else + log_error ("ldap: no Active Directory support but 'ntds' requested\n"); err = gpg_error (GPG_ERR_NOT_SUPPORTED); goto out; #endif } else if (bindname) { - if (opt.debug) - log_debug ("LDAP bind to '%s', password '%s'\n", - bindname, password ? ">not_shown<" : ">none<"); - npth_unprotect (); lerr = ldap_simple_bind_s (ldap_conn, bindname, password); npth_protect (); diff --git a/dirmngr/server.c b/dirmngr/server.c index c5542fe6c..cd6cfa912 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -1193,7 +1193,7 @@ cmd_ldapserver (assuan_context_t ctx, char *line) server->host? server->host : "", portstr, server->user? server->user : "", - server->pass? "[not_shown]": "", + server->pass? "*****": "", server->base? server->base : "", server->starttls ? "starttls" : server->ldap_over_tls ? "ldaptls" : "none", @@ -2119,6 +2119,7 @@ make_keyserver_item (const char *uri, uri_item_t *r_item) gpg_error_t err; uri_item_t item; const char *s; + char *tmpstr = NULL; *r_item = NULL; @@ -2164,7 +2165,6 @@ make_keyserver_item (const char *uri, uri_item_t *r_item) #if USE_LDAP if (!strncmp (uri, "ldap:", 5) && !(uri[5] == '/' && uri[6] == '/')) { - char *tmpstr; /* Special ldap scheme given. This differs from a valid ldap * scheme in that no double slash follows.. Use http_parse_uri * to put it as opaque value into parsed_uri. */ @@ -2172,39 +2172,55 @@ make_keyserver_item (const char *uri, uri_item_t *r_item) if (!tmpstr) err = gpg_error_from_syserror (); else - { - log_debug ("tmpstr='%s'\n", tmpstr); - err = http_parse_uri (&item->parsed_uri, tmpstr, 0); - xfree (tmpstr); - } + err = http_parse_uri (&item->parsed_uri, tmpstr, 0); } else if ((s=strchr (uri, ':')) && !(s[1] == '/' && s[2] == '/')) { - char *tmpstr; /* No valid scheme given. Use http_parse_uri to put the string * as opaque value into parsed_uri. */ tmpstr = strconcat ("opaque:", uri, NULL); if (!tmpstr) err = gpg_error_from_syserror (); else - { - log_debug ("tmpstr2='%s'\n", tmpstr); - err = http_parse_uri (&item->parsed_uri, tmpstr, 0); - xfree (tmpstr); - } + err = http_parse_uri (&item->parsed_uri, tmpstr, 0); } else if (ldap_uri_p (uri)) { + int fixup = 0; /* Fixme: We should get rid of that parser and replace it with * our generic (http) URI parser. */ + + /* If no port has been specified and the scheme ist ldaps we use + * our idea of the default port because the standard LDAP URL + * parser would use 636 here. This is because we redefined + * ldaps to mean starttls. */ +#ifdef HAVE_W32_SYSTEM + if (!strcmp (uri, "ldap:///")) + fixup = 1; + else +#endif + if (!http_parse_uri (&item->parsed_uri,uri,HTTP_PARSE_NO_SCHEME_CHECK)) + { + if (!item->parsed_uri->port + && !strcmp (item->parsed_uri->scheme, "ldaps")) + fixup = 2; + http_release_parsed_uri (item->parsed_uri); + item->parsed_uri = NULL; + } + err = ldap_parse_uri (&item->parsed_uri, uri); + if (!err && fixup == 1) + item->parsed_uri->ad_current = 1; + else if (!err && fixup == 2) + item->parsed_uri->port = 389; } else -#endif +#endif /* USE_LDAP */ { err = http_parse_uri (&item->parsed_uri, uri, HTTP_PARSE_NO_SCHEME_CHECK); } + xfree (tmpstr); if (err) xfree (item); else |