dirmngr: Fix default port for our redefinition of ldaps.

* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps. Move a tmpstr out of the blocks. * dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics. -- Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from commit 8de9d54ac8)
2025-07-03 22:56:33 +02:00 · 2021-05-28 15:20:57 +02:00 · 2021-05-28 15:20:57 +02:00 · 58e4c82512
commit 58e4c82512
parent 3e05f99e8d
2 changed files with 43 additions and 31 deletions
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@ -571,15 +571,14 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
        }
    }

-  if (opt.debug)
-    log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s)\n",
-               host, port,
-               basedn_arg ? basedn_arg : "",
-               bindname ? "bindname=" : "",
-               bindname ? bindname : "",
-               password ? "," : "",
-               password ? "password=>not_shown<" : "",
-               use_ntds ? " auth=>current_user<":"");
+  if (opt.verbose)
+    log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s'\n",
+              host, port,
+              basedn_arg ? basedn_arg : "",
+              bindname ? bindname : "",
+              password ? "*****" : "",
+              use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain",
+              use_ntds ? ",ntds":"");


  /* If the uri specifies a secure connection and we don't support
@ -596,6 +595,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,


 #ifdef HAVE_W32_SYSTEM
+  /* Note that host==NULL uses the default domain controller.  */
  npth_unprotect ();
  ldap_conn = ldap_sslinit (host, port, (use_tls == 2));
  npth_protect ();
@ -619,7 +619,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
  npth_unprotect ();
  lerr = ldap_initialize (&ldap_conn, tmpstr);
  npth_protect ();
-  if (lerr || !ldap_conn)
+  if (lerr != LDAP_SUCCESS || !ldap_conn)
    {
      err = ldap_err_to_gpg_err (lerr);
      log_error ("error initializing LDAP '%s': %s\n",
@ -655,7 +655,8 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
          err = ldap_err_to_gpg_err (lerr);
          goto out;
        }
-
+      if (opt.verbose)
+        log_info ("ldap timeout set to %us\n", opt.ldaptimeout);
    }
 #endif

@ -704,8 +705,6 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,

  if (use_ntds)
    {
-      if (opt.debug)
-        log_debug ("ldap: binding to current user via AD\n");
 #ifdef HAVE_W32_SYSTEM
      npth_unprotect ();
      lerr = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE);
@ -718,16 +717,13 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
 	  goto out;
 	}
 #else
+      log_error ("ldap: no Active Directory support but 'ntds' requested\n");
      err = gpg_error (GPG_ERR_NOT_SUPPORTED);
      goto out;
 #endif
    }
  else if (bindname)
    {
-      if (opt.debug)
-        log_debug ("LDAP bind to '%s', password '%s'\n",
-                   bindname, password ? ">not_shown<" : ">none<");
-
      npth_unprotect ();
      lerr = ldap_simple_bind_s (ldap_conn, bindname, password);
      npth_protect ();