Use ssl_err2string() in message on ldap_ssl_client_init() failure.

Displaying SSL reason code directly is not user-friendly.
2020-10-28 09:40:11 -06:00
parent 488aeff532
commit c8c7e1f607
4 changed files with 12 additions and 7 deletions
--- a/config.h.in
+++ b/config.h.in
@@ -466,6 +466,9 @@
 /* Define to 1 if you use LDAP for sudoers. */
 #undef HAVE_LDAP

+/* Define to 1 if you have the <ldapssl.h> header file. */
+#undef HAVE_LDAPSSL_H
+
 /* Define to 1 if you have the `ldapssl_init' function. */
 #undef HAVE_LDAPSSL_INIT

--- a/2
+++ b/2
@@ -26259,7 +26259,7 @@ done
 	    fi
 	fi
    fi
-    for ac_header in ldap_ssl.h mps/ldap_ssl.h
+    for ac_header in ldapssl.h ldap_ssl.h mps/ldap_ssl.h
 do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include <ldap.h>
--- a/configure.ac
+++ b/configure.ac
@@ -4159,7 +4159,7 @@ if test ${with_ldap-'no'} != "no"; then
 	    fi
 	fi
    fi
-    AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
+    AC_CHECK_HEADERS([ldapssl.h] [ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
    AC_CHECK_FUNCS([ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np])
    AC_CHECK_FUNCS([ldap_search_ext_s ldap_search_st], [break])

--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -46,7 +46,9 @@
 # include <lber.h>
 #endif
 #include <ldap.h>
-#if defined(HAVE_LDAP_SSL_H)
+#if defined(HAVE_LDAPSSL_H)
+# include <ldapssl.h>
+#elif defined(HAVE_LDAP_SSL_H)
 # include <ldap_ssl.h>
 #elif defined(HAVE_MPS_LDAP_SSL_H)
 # include <mps/ldap_ssl.h>
@@ -262,8 +264,8 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
 	ret = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
 	    0, &sslrc);
 	if (ret != LDAP_SUCCESS) {
-	    sudo_warnx("ldap_ssl_client_init(): %s (SSL reason code %d)",
-		ldap_err2string(ret), sslrc);
+	    sudo_warnx("ldap_ssl_client_init(): %s: %s",
+		ldap_err2string(ret), ssl_err2string(sslrc));
 	    goto done;
 	}
 	DPRINTF2("ldap_ssl_init(%s, %d, NULL)", host, port);
@@ -1680,8 +1682,8 @@ sudo_ldap_open(struct sudo_nss *nss)
 	rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
 	    0, &sslrc);
 	if (rc != LDAP_SUCCESS) {
-	    sudo_warnx("ldap_ssl_client_init(): %s (SSL reason code %d)",
-		ldap_err2string(rc), sslrc);
+	    sudo_warnx("ldap_ssl_client_init(): %s: %s",
+		ldap_err2string(rc), ssl_err2string(sslrc));
 	    goto done;
 	}
 	rc = ldap_start_tls_s_np(ld, NULL);