Correct bind error handling in rlm_ldap 219/head
authorOlivier Beytrison <olivier@heliosnet.org>
Sat, 9 Mar 2013 17:55:49 +0000 (18:55 +0100)
committerOlivier Beytrison <olivier@heliosnet.org>
Sat, 9 Mar 2013 17:55:49 +0000 (18:55 +0100)
Additionally, if we do edir authorization and the bind failed, return RLM_USERLOCK along with a Module-Failure-Message

src/modules/rlm_ldap/rlm_ldap.c

index d3fddbfd41b0ed6d7b29b57a82b63ef9f940c0bc..8b4e2b0720d96cd712ef2a71c4cf886f6f7db101 100644 (file)
@@ -429,47 +429,48 @@ retry:
        tv.tv_usec = 0;
 
        rcode = ldap_result(conn->handle, msg_id, 1, &tv, &result);
-       ldap_msgfree(result);
-       if (rcode <= 0) {
+       if (rcode > 0) {
+               rcode = ldap_parse_result(conn->handle,result,NULL,NULL,
+                                       NULL,NULL,NULL,1);
+       }
 get_error:
-               switch (process_ldap_errno(inst, &conn, "Bind"))
-               {
-                       case LDAP_PROC_SUCCESS:
-                               break;
-                       case LDAP_PROC_REJECT:
-                               module_rcode = RLM_MODULE_REJECT;
-                               goto error;
-                       case LDAP_PROC_ERROR:
-                               module_rcode = RLM_MODULE_FAIL;
+       switch (process_ldap_errno(inst, &conn, "Bind"))
+       {
+               case LDAP_PROC_SUCCESS:
+                       break;
+               case LDAP_PROC_REJECT:
+                       module_rcode = RLM_MODULE_REJECT;
+                       goto error;
+               case LDAP_PROC_ERROR:
+                       module_rcode = RLM_MODULE_FAIL;
 error:
 #ifdef HAVE_LDAP_INITIALIZE
-                               if (inst->is_url) {
-                                       radlog(L_ERR, "rlm_ldap (%s): bind "
-                                              "with %s to %s failed",
-                                              inst->xlat_name, user,
-                                              inst->server);
-                               } else
+                       if (inst->is_url) {
+                               radlog(L_ERR, "rlm_ldap (%s): bind "
+                                      "with %s to %s failed",
+                                      inst->xlat_name, user,
+                                      inst->server);
+                       } else
 #endif
-                               {
-                                       radlog(L_ERR, "rlm_ldap (%s): bind "
-                                              "with %s to %s:%d failed",
-                                              inst->xlat_name, user,
-                                              inst->server, inst->port);
-                               }
-       
-                               break;
-                       case LDAP_PROC_RETRY:
-                               if (retry) {
-                                       *pconn = fr_connection_reconnect(inst->pool, *pconn);
-                                       if (*pconn) goto retry;
-                               }
-                               
-                               module_rcode = RLM_MODULE_FAIL;
-                               break;
-                       default:
-                               rad_assert(0);
-               }       
-       }
+                       {
+                               radlog(L_ERR, "rlm_ldap (%s): bind "
+                                      "with %s to %s:%d failed",
+                                      inst->xlat_name, user,
+                                      inst->server, inst->port);
+                       }
+
+                       break;
+               case LDAP_PROC_RETRY:
+                       if (retry) {
+                               *pconn = fr_connection_reconnect(inst->pool, *pconn);
+                               if (*pconn) goto retry;
+                       }
+                       
+                       module_rcode = RLM_MODULE_FAIL;
+                       break;
+               default:
+                       rad_assert(0);
+       }       
 
        return module_rcode; /* caller closes the connection */
 }
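Review bot: The value that `ldap_parse_result()` stores into `rcode` is never consulted afterwards; the `switch` immediately below only sees what `process_ldap_errno()` reports, so the outcome of the password bind now rests entirely on that helper reading the error state the parse call leaves in the handle, and nothing in the hunk says so. Since this decides whether a user is authenticated, the dependency deserves an explicit comment on the new `if (rcode > 0)` block, e.g. `/* ldap_parse_result() records the bind result code in the handle and, with freeit=1, releases result; process_ldap_errno() below reports that code, so rcode itself is not inspected here. */`, or the rcode assignment should be dropped in favour of a plain call so the unused value does not suggest a missing check. The new call also departs from the file's argument spacing (`ldap_result(conn->handle, msg_id, 1, &tv, &result)` versus `ldap_parse_result(conn->handle,result,NULL,NULL,`); spacing the arguments consistently would help. The two added lines `+                       ` and `+       }       ` carry trailing whitespace. The enclosing function and the `retry:` label start before this hunk.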
@@ -1994,6 +1995,10 @@ static rlm_rcode_t ldap_authorize(void *instance, REQUEST * request)
                                                         vp->vp_strvalue,
                                                         TRUE);
                        if (module_rcode != RLM_MODULE_OK) {
+                               module_failure_msg(request,
+                                  "rlm_ldap (%s): eDirectory policy checking failed"
+                                       "for user %s", inst->xlat_name,request->username->vp_strvalue);
+                               module_rcode = RLM_MODULE_USERLOCK;
                                goto free_result;
                        }