autofs-5.1.8 - improve debug logging of SASL binds From: Thomas Reim automounter only provides very limited debug information when binding using Cyrus SASL. LDAP based directory services currently all increase communication security, which makes it difficult for system administrators to find the root cause of failed authentication binds. Log Cyrus SASL binding parameters and result. Signed-off-by: Thomas Reim Signed-off-by: Ian Kent --- CHANGELOG | 1 + modules/cyrus-sasl.c | 26 ++++++++++++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index b2517f6a..bf8fa2d0 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -34,6 +34,7 @@ - let OpenLDAP handle SASL binding. - configure: LDAP function checks ignore implicit declarations. - improve debug logging of LDAP binds. +- improve debug logging of SASL binds. 19/10/2021 autofs-5.1.8 - add xdr_exports(). diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c index 11e3f76a..6a95ef0c 100644 --- a/modules/cyrus-sasl.c +++ b/modules/cyrus-sasl.c @@ -136,7 +136,7 @@ sasl_log_func(void *context, int level, const char *message) case SASL_LOG_DEBUG: case SASL_LOG_TRACE: case SASL_LOG_PASS: - debug(LOGOPT_DEBUG, "%s", message); + debug(LOGOPT_NONE, "%s", message); break; default: break; @@ -894,10 +894,11 @@ sasl_conn_t * sasl_bind_mech(unsigned logopt, LDAP *ldap, struct lookup_context *ctxt, const char *mech) { sasl_conn_t *conn; - char *tmp, *host = NULL; + char *tmp, *host, *data; const char *clientout; unsigned int clientoutlen; const char *chosen_mech; + sasl_ssf_t *ssf; int result; if (!strncmp(mech, "GSSAPI", 6)) { @@ -961,6 +962,27 @@ sasl_bind_mech(unsigned logopt, LDAP *ldap, struct lookup_context *ctxt, const c result = do_sasl_bind(logopt, ldap, conn, &clientout, &clientoutlen, chosen_mech, result); if (result == 0) { + /* Conversation was completed successfully by now */ + data = NULL; + result = sasl_getprop(conn, SASL_USERNAME, (const void **)(char *) &data); + if (result == SASL_OK && data && *data) + debug(logopt, "SASL username: %s", data); + + data = NULL; + result = ldap_get_option(ldap, LDAP_OPT_X_SASL_AUTHCID, &data); + if (result == LDAP_OPT_SUCCESS && data && *data) + debug(logopt, "SASL authcid: %s", data); + + data = NULL; + result = ldap_get_option(ldap, LDAP_OPT_X_SASL_AUTHZID, &data); + if (result == LDAP_OPT_SUCCESS && data && *data) + debug(logopt, "SASL authzid: %s", data); + + ssf = NULL; + result = sasl_getprop(conn, SASL_SSF, (const void **)(char *) &ssf); + if (result == SASL_OK) + debug(logopt, "SASL SSF: %lu", (unsigned long) *ssf); + ldap_memfree(host); debug(logopt, "sasl bind with mechanism %s succeeded", chosen_mech);