Full_Name: Stephen Gallagher
Version: openldap-2.4.23
OS: Fedora 14 x86_64
URL: https://fedorahosted.org/sssd/ticket/699
Submission from: (NULL) (98.110.239.235)
We have this code in the SSSD (which uses the openldap shared libraries for LDAP
communication).
    ret = ldap_install_tls(state->sh->ldap);
    if (ret != LDAP_SUCCESS) {
        /* ask libldap for its diagnostic text for the failed TLS handshake */
        optret = ldap_get_option(state->sh->ldap,
                                 SDAP_DIAGNOSTIC_MESSAGE,
                                 (void*)&tlserr);
        if (optret == LDAP_SUCCESS) {
            DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
                      ldap_err2string(ret),
                      tlserr));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
            ldap_memfree(tlserr);
        }
        else {
            DEBUG(3, ("ldap_install_tls failed: [%s]\n",
                      ldap_err2string(ret)));
            sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
                                 "Check for certificate issues.");
        }
    }
However, whenever there is an issue (such as an invalid/expired certificate) our
logs read:
(Fri Dec 3 14:13:33 2010) [sssd[be[LDAP]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [(null)]
This means that the ldap_get_option(SDAP_DIAGNOSTIC_MESSAGE) is returning
LDAP_SUCCESS, but the returned message is "(null)". This is not the same
behavior as with an LDAPS connection, where it will in fact return a message
indicating what the certificate error was.
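As an added example (not SSSD or OpenLDAP code), the following helpers show a NULL-tolerant way to log the same failure, so that a missing diagnostic is reported as such instead of being passed to %s. The function names and the sample inputs are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not SSSD or OpenLDAP code. They model the call site
 * from the report: after ldap_install_tls() fails, the caller asks libldap
 * for its diagnostic message and logs it. The report shows that string can
 * be NULL even when ldap_get_option() itself returned LDAP_SUCCESS. */

/* 1 if libldap gave us nothing usable (NULL or empty), else 0. */
int tls_diag_missing(const char *diag)
{
    return diag == NULL || diag[0] == '\0';
}

/* Build the log line. err_text is what ldap_err2string(ret) returned.
 * Returns a pointer to static storage, so each call overwrites the last. */
const char *format_tls_failure(int ret, const char *err_text, const char *diag)
{
    static char line[512];
    const char *reason = (err_text != NULL) ? err_text : "unknown error";

    if (!tls_diag_missing(diag)) {
        snprintf(line, sizeof line,
                 "ldap_install_tls failed: [%s] [%s]", reason, diag);
    } else {
        /* Never hand NULL to %s: glibc prints "(null)", other libcs crash.
         * Say explicitly that no diagnostic came back so the admin looks at
         * certificate, CA and TLS settings rather than at a puzzling log. */
        snprintf(line, sizeof line,
                 "ldap_install_tls failed: [%s] (rc=%d, no diagnostic from "
                 "libldap; check certificate, CA and TLS settings)",
                 reason, ret);
    }
    return line;
}

int main(void)
{
    /* Constructed inputs mirroring the report: rc 91 is LDAP_CONNECT_ERROR,
     * "Connect error" is its ldap_err2string() text, diagnostic came back
     * NULL. The second diagnostic string is a constructed sample. */
    puts(format_tls_failure(91, "Connect error", NULL));
    puts(format_tls_failure(91, "Connect error",
                            "TLS: certificate verify failed (constructed sample)"));
    return 0;
}
```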