dirmngr: Fix default port for our redefinition of ldaps.

* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8de9d54ac8)
This commit is contained in:
Werner Koch 2021-05-28 15:20:57 +02:00
parent 3e05f99e8d
commit 58e4c82512
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 43 additions and 31 deletions

View File

@ -571,15 +571,14 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
}
}
if (opt.debug)
log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s)\n",
host, port,
basedn_arg ? basedn_arg : "",
bindname ? "bindname=" : "",
bindname ? bindname : "",
password ? "," : "",
password ? "password=>not_shown<" : "",
use_ntds ? " auth=>current_user<":"");
if (opt.verbose)
log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s'\n",
host, port,
basedn_arg ? basedn_arg : "",
bindname ? bindname : "",
password ? "*****" : "",
use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain",
use_ntds ? ",ntds":"");
/* If the uri specifies a secure connection and we don't support
@ -596,6 +595,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
#ifdef HAVE_W32_SYSTEM
/* Note that host==NULL uses the default domain controller. */
npth_unprotect ();
ldap_conn = ldap_sslinit (host, port, (use_tls == 2));
npth_protect ();
@ -619,7 +619,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
npth_unprotect ();
lerr = ldap_initialize (&ldap_conn, tmpstr);
npth_protect ();
if (lerr || !ldap_conn)
if (lerr != LDAP_SUCCESS || !ldap_conn)
{
err = ldap_err_to_gpg_err (lerr);
log_error ("error initializing LDAP '%s': %s\n",
@ -655,7 +655,8 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
err = ldap_err_to_gpg_err (lerr);
goto out;
}
if (opt.verbose)
log_info ("ldap timeout set to %us\n", opt.ldaptimeout);
}
#endif
@ -704,8 +705,6 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
if (use_ntds)
{
if (opt.debug)
log_debug ("ldap: binding to current user via AD\n");
#ifdef HAVE_W32_SYSTEM
npth_unprotect ();
lerr = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE);
@ -718,16 +717,13 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
goto out;
}
#else
log_error ("ldap: no Active Directory support but 'ntds' requested\n");
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
goto out;
#endif
}
else if (bindname)
{
if (opt.debug)
log_debug ("LDAP bind to '%s', password '%s'\n",
bindname, password ? ">not_shown<" : ">none<");
npth_unprotect ();
lerr = ldap_simple_bind_s (ldap_conn, bindname, password);
npth_protect ();

View File

@ -1193,7 +1193,7 @@ cmd_ldapserver (assuan_context_t ctx, char *line)
server->host? server->host : "",
portstr,
server->user? server->user : "",
server->pass? "[not_shown]": "",
server->pass? "*****": "",
server->base? server->base : "",
server->starttls ? "starttls" :
server->ldap_over_tls ? "ldaptls" : "none",
@ -2119,6 +2119,7 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
gpg_error_t err;
uri_item_t item;
const char *s;
char *tmpstr = NULL;
*r_item = NULL;
@ -2164,7 +2165,6 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
#if USE_LDAP
if (!strncmp (uri, "ldap:", 5) && !(uri[5] == '/' && uri[6] == '/'))
{
char *tmpstr;
/* Special ldap scheme given. This differs from a valid ldap
* scheme in that no double slash follows.. Use http_parse_uri
* to put it as opaque value into parsed_uri. */
@ -2172,39 +2172,55 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
if (!tmpstr)
err = gpg_error_from_syserror ();
else
{
log_debug ("tmpstr='%s'\n", tmpstr);
err = http_parse_uri (&item->parsed_uri, tmpstr, 0);
xfree (tmpstr);
}
err = http_parse_uri (&item->parsed_uri, tmpstr, 0);
}
else if ((s=strchr (uri, ':')) && !(s[1] == '/' && s[2] == '/'))
{
char *tmpstr;
/* No valid scheme given. Use http_parse_uri to put the string
* as opaque value into parsed_uri. */
tmpstr = strconcat ("opaque:", uri, NULL);
if (!tmpstr)
err = gpg_error_from_syserror ();
else
{
log_debug ("tmpstr2='%s'\n", tmpstr);
err = http_parse_uri (&item->parsed_uri, tmpstr, 0);
xfree (tmpstr);
}
err = http_parse_uri (&item->parsed_uri, tmpstr, 0);
}
else if (ldap_uri_p (uri))
{
int fixup = 0;
/* Fixme: We should get rid of that parser and replace it with
* our generic (http) URI parser. */
/* If no port has been specified and the scheme ist ldaps we use
* our idea of the default port because the standard LDAP URL
* parser would use 636 here. This is because we redefined
* ldaps to mean starttls. */
#ifdef HAVE_W32_SYSTEM
if (!strcmp (uri, "ldap:///"))
fixup = 1;
else
#endif
if (!http_parse_uri (&item->parsed_uri,uri,HTTP_PARSE_NO_SCHEME_CHECK))
{
if (!item->parsed_uri->port
&& !strcmp (item->parsed_uri->scheme, "ldaps"))
fixup = 2;
http_release_parsed_uri (item->parsed_uri);
item->parsed_uri = NULL;
}
err = ldap_parse_uri (&item->parsed_uri, uri);
if (!err && fixup == 1)
item->parsed_uri->ad_current = 1;
else if (!err && fixup == 2)
item->parsed_uri->port = 389;
}
else
#endif
#endif /* USE_LDAP */
{
err = http_parse_uri (&item->parsed_uri, uri, HTTP_PARSE_NO_SCHEME_CHECK);
}
xfree (tmpstr);
if (err)
xfree (item);
else