Commit da576373 authored by Kurt Zeilenga's avatar Kurt Zeilenga
Browse files

add authz stats logging

parent 10c0afaf
......@@ -9,7 +9,8 @@ OpenLDAP 2.1.9 Engineering
Fixed slapd referral/alias normalization bug
Fixed slapd logging bugs (ITS#2170)
Fixed slapd rootdse entry_free bug (ITS#2172)
Added "allow update_anon" feature (ITS#2155)
Added slapd allow update_anon feature (ITS#2155)
Added slapd authz stats logging feature (ITS#2165)
Removed lint
Build Environment
Add subordinate referral test
......
......@@ -58,6 +58,14 @@ do_bind(
*/
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
if ( conn->c_sasl_bind_in_progress ) be = conn->c_authz_backend;
/* log authorization identity demotion */
if ( conn->c_dn.bv_len ) {
Statslog( LDAP_DEBUG_STATS,
"conn=%lu op=%lu AUTHZ anonymous mech=implicit ssf=0",
op->o_connid, op->o_opid, 0, 0, 0 );
}
connection2anonymous( conn );
if ( conn->c_sasl_bind_in_progress ) conn->c_authz_backend = be;
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
......@@ -315,6 +323,12 @@ do_bind(
LBER_SB_OPT_SET_MAX_INCOMING, &max );
}
/* log authorization identity */
Statslog( LDAP_DEBUG_STATS,
"conn=%lu op=%lu AUTHZ dn=\"%s\" mech=%s ssf=%d\n",
op->o_connid, op->o_opid,
conn->c_dn.bv_val, conn->c_authmech.bv_val, ssf );
#ifdef NEW_LOGGING
LDAP_LOG( OPERATION, DETAIL1,
"do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
......@@ -546,6 +560,12 @@ do_bind(
LBER_SB_OPT_SET_MAX_INCOMING, &max );
}
/* log authorization identity */
Statslog( LDAP_DEBUG_STATS,
"conn=%lu op=%lu AUTHZ dn=\"%s\" mech=simple ssf=0\n",
op->o_connid, op->o_opid,
conn->c_dn.bv_val, conn->c_authmech.bv_val, 0 );
#ifdef NEW_LOGGING
LDAP_LOG( OPERATION, DETAIL1,
"do_bind: v%d bind: \"%s\" to \"%s\" \n",
......
/* $OpenLDAP$ */
/*
* Copyright 1999-2002 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted only
* as authorized by the OpenLDAP Public License. A copy of this
* license is available at http://www.OpenLDAP.org/license.html or
* in file LICENSE in the top-level directory of the distribution.
*/
#include "portable.h"
#include <stdio.h>
#include <ac/socket.h>
#include <ldap_pvt.h>
#include "slap.h"
#ifdef HAVE_TLS
int
starttls_extop (
Connection *conn,
Operation *op,
const char * reqoid,
struct berval * reqdata,
char ** rspoid,
struct berval ** rspdata,
LDAPControl ***rspctrls,
const char ** text,
BerVarray * refs )
{
void *ctx;
int rc;
if ( reqdata != NULL ) {
/* no request data should be provided */
*text = "no request data expected";
return LDAP_PROTOCOL_ERROR;
}
/* acquire connection lock */
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
/* can't start TLS if it is already started */
if (conn->c_is_tls != 0) {
*text = "TLS already started";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
/* can't start TLS if there are other op's around */
if (( !LDAP_STAILQ_EMPTY(&conn->c_ops) &&
(LDAP_STAILQ_FIRST(&conn->c_ops) != op ||
LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
( !LDAP_STAILQ_EMPTY(&conn->c_pending_ops) ))
{
*text = "cannot start TLS when operations are outstanding";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
( conn->c_dn.bv_len != 0 ) )
{
Statslog( LDAP_DEBUG_STATS,
"conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0",
op->o_connid, op->o_opid, 0, 0, 0 );
/* force to anonymous */
connection2anonymous( conn );
}
if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
( conn->c_dn.bv_len != 0 ) )
{
*text = "cannot start TLS after authentication";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
/* fail if TLS could not be initialized */
if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
|| ctx == NULL)
{
if (default_referral != NULL) {
/* caller will put the referral in the result */
rc = LDAP_REFERRAL;
goto done;
}
*text = "Could not initialize TLS";
rc = LDAP_UNAVAILABLE;
goto done;
}
conn->c_is_tls = 1;
conn->c_needs_tls_accept = 1;
rc = LDAP_SUCCESS;
done:
/* give up connection lock */
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
/*
* RACE CONDITION: we give up lock before sending result
* Should be resolved by reworking connection state, not
* by moving send here (so as to ensure proper TLS sequencing)
*/
return rc;
}
#endif /* HAVE_TLS */
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment