mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-12-24 00:29:35 -05:00
better logging of privileged connections (more to come; might be unstable for a bit)
parent
148cc2f2fc
commit
bdec7702d7
8 changed files with 103 additions and 37 deletions
|
|
@ -64,8 +64,8 @@ enum {
|
|||
typedef struct ldapconn_t {
|
||||
Connection *lc_conn;
|
||||
#define LDAP_BACK_CONN2PRIV(lc) ((unsigned long)(lc)->lc_conn)
|
||||
#define LDAP_BACK_PCONN_ISPRIV(lc) ((void *)(lc)->lc_conn >= (void *)LDAP_BACK_PCONN_FIRST \
|
||||
&& (void *)(lc)->lc_conn < (void *)LDAP_BACK_PCONN_LAST)
|
||||
#define LDAP_BACK_PCONN_ISPRIV(lc) (((void *)(lc)->lc_conn) >= ((void *)LDAP_BACK_PCONN_FIRST) \
|
||||
&& ((void *)(lc)->lc_conn) < ((void *)LDAP_BACK_PCONN_LAST))
|
||||
#define LDAP_BACK_PCONN_ISROOTDN(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
|
||||
&& (LDAP_BACK_CONN2PRIV((lc)) < LDAP_BACK_PCONN_ANON))
|
||||
#define LDAP_BACK_PCONN_ISANON(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
|
||||
|
|
@ -75,8 +75,6 @@ typedef struct ldapconn_t {
|
|||
&& (LDAP_BACK_CONN2PRIV((lc)) >= LDAP_BACK_PCONN_BIND))
|
||||
#define LDAP_BACK_PCONN_ISTLS(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
|
||||
&& (LDAP_BACK_CONN2PRIV((lc)) & LDAP_BACK_PCONN_TLS))
|
||||
#define LDAP_BACK_PCONN_ID(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) ? \
|
||||
( -1 - (long)(lc)->lc_conn ) : (lc)->lc_conn->c_connid )
|
||||
#ifdef HAVE_TLS
|
||||
#define LDAP_BACK_PCONN_ROOTDN_SET(lc, op) \
|
||||
((lc)->lc_conn = (void *)((op)->o_conn->c_is_tls ? (void *) LDAP_BACK_PCONN_ROOTDN_TLS : (void *) LDAP_BACK_PCONN_ROOTDN))
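Review bot: LDAP_BACK_PCONN_ISPRIV still tests the sentinel range with relational operators on `void *` values that were made from integer constants, and the added parentheses do not change that. ISO C leaves relational comparison of pointers that do not point into the same object undefined, so an optimizer may treat the test as it likes. The header already has LDAP_BACK_CONN2PRIV for the integer view, so the range test can be written as `(LDAP_BACK_CONN2PRIV((lc)) >= (unsigned long)LDAP_BACK_PCONN_FIRST && LDAP_BACK_CONN2PRIV((lc)) < (unsigned long)LDAP_BACK_PCONN_LAST)`, which also matches the integer comparison used by the assert in ldap_back_conn2str. A one-line comment that `lc` is evaluated more than once by these macros would help callers.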
|
||||
|
|
|
|||
|
|
@ -303,9 +303,10 @@ retry_lock:;
|
|||
if ( LDAP_BACK_SINGLECONN( li ) ) {
|
||||
while ( ( tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, ldap_back_conn_cmp ) ) != NULL )
|
||||
{
|
||||
assert( !LDAP_BACK_PCONN_ISPRIV( lc ) );
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"=>ldap_back_bind: destroying conn %ld (refcnt=%u)\n",
|
||||
LDAP_BACK_PCONN_ID( lc ), lc->lc_refcnt, 0 );
|
||||
"=>ldap_back_bind: destroying conn %lu (refcnt=%u)\n",
|
||||
lc->lc_conn->c_connid, lc->lc_refcnt, 0 );
|
||||
|
||||
if ( tmplc->lc_refcnt != 0 ) {
|
||||
/* taint it */
|
||||
|
|
@ -2714,3 +2715,41 @@ ldap_back_controls_free( Operation *op, SlapReply *rs, LDAPControl ***pctrls )
|
|||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
ldap_back_conn2str( ldapconn_t *lc, char *buf, ber_len_t buflen )
|
||||
{
|
||||
static struct berval conns[] = {
|
||||
BER_BVC("ROOTDN"),
|
||||
BER_BVC("ROOTDN-TLS"),
|
||||
BER_BVC("ANON"),
|
||||
BER_BVC("ANON-TLS"),
|
||||
BER_BVC("BIND"),
|
||||
BER_BVC("BIND-TLS"),
|
||||
BER_BVNULL
|
||||
};
|
||||
|
||||
int len = 0;
|
||||
|
||||
if ( LDAP_BACK_PCONN_ISPRIV( lc ) ) {
|
||||
long cid;
|
||||
struct berval *bv;
|
||||
|
||||
cid = (long)lc->lc_conn;
|
||||
assert( cid >= LDAP_BACK_PCONN_FIRST && cid < LDAP_BACK_PCONN_LAST );
|
||||
|
||||
bv = &conns[ cid ];
|
||||
|
||||
if ( bv->bv_len >= buflen ) {
|
||||
return bv->bv_len + 1;
|
||||
}
|
||||
|
||||
len = bv->bv_len;
|
||||
lutil_strncopy( buf, bv->bv_val, bv->bv_len + 1 );
|
||||
|
||||
} else {
|
||||
len = snprintf( buf, buflen, "%lu", lc->lc_conn->c_connid );
|
||||
}
|
||||
|
||||
return len;
|
||||
}
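Review bot: In ldap_back_conn2str the lookup `bv = &conns[ cid ]` is bounded only by the assert above it, so a build with NDEBUG indexes the six-entry table with whatever value lc_conn holds. The enum that defines LDAP_BACK_PCONN_FIRST and LDAP_BACK_PCONN_LAST is outside this hunk, so whether LAST equals the number of names, and whether FIRST is zero, cannot be confirmed here; a runtime check tied to the table itself, `if ( cid < 0 || cid >= (long)(sizeof(conns)/sizeof(conns[0]) - 1) ) return -1;`, would keep the read in bounds regardless. The two branches also report truncation differently: the privileged branch returns `bv->bv_len + 1` and leaves buf unwritten, while the snprintf branch writes a truncated string and returns the untruncated length. A header comment stating the return convention, and that buf may be left untouched, would let callers handle both cases.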
|
||||
|
|
|
|||
|
|
@ -2063,7 +2063,6 @@ int
|
|||
chain_initialize( void )
|
||||
{
|
||||
int rc;
|
||||
const char *text;
|
||||
|
||||
/* Make sure we don't exceed the bits reserved for userland */
|
||||
config_check_userland( CH_LAST );
|
||||
|
|
|
|||
|
|
@ -63,6 +63,8 @@ extern void ldap_back_conn_free( void *c );
|
|||
|
||||
extern ldapconn_t * ldap_back_conn_delete( ldapinfo_t *li, ldapconn_t *lc );
|
||||
|
||||
extern int ldap_back_conn2str( ldapconn_t *lc, char *buf, ber_len_t buflen );
|
||||
|
||||
extern int
|
||||
ldap_back_proxy_authz_ctrl(
|
||||
Operation *op,
|
||||
|
|
|
|||
|
|
@ -53,11 +53,11 @@ ldap_back_conn_destroy(
|
|||
#endif /* LDAP_BACK_PRINT_CONNTREE */
|
||||
while ( ( lc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)&lc_curr, ldap_back_conn_cmp ) ) != NULL )
|
||||
{
|
||||
assert( !LDAP_BACK_PCONN_ISPRIV( lc ) );
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"=>ldap_back_conn_destroy: destroying conn %ld "
|
||||
"=>ldap_back_conn_destroy: destroying conn %lu "
|
||||
"refcnt=%d flags=0x%08x\n",
|
||||
LDAP_BACK_PCONN_ID( lc ),
|
||||
lc->lc_refcnt, lc->lc_lcflags );
|
||||
lc->lc_conn->c_connid, lc->lc_refcnt, lc->lc_lcflags );
|
||||
|
||||
if ( lc->lc_refcnt > 0 ) {
|
||||
/* someone else might be accessing the connection;
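Review bot: The Debug call reads `lc->lc_conn->c_connid`, and the only thing keeping a privileged entry away from that dereference is `assert( !LDAP_BACK_PCONN_ISPRIV( lc ) )`, which is compiled out when NDEBUG is defined. For a privileged entry lc_conn carries a small sentinel value rather than a Connection pointer, so if one ever reaches this loop in a release build the log statement reads through an invalid address; the LDAP_BACK_PCONN_ID form printed both kinds safely. Formatting the id with the helper this commit adds, `ldap_back_conn2str( lc, buf, sizeof(buf) );` followed by a `%s` in the message, keeps the statement safe without relying on the assert. The same assert-then-dereference pair appears in the ldap_back_bind, meta_back_bind and meta_back_conn_destroy hunks. The loop body continues outside this hunk.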
|
||||
|
|
|
|||
|
|
@ -223,9 +223,10 @@ meta_back_bind( Operation *op, SlapReply *rs )
|
|||
|
||||
while ( ( tmpmc = avl_delete( &mi->mi_conninfo.lai_tree, (caddr_t)mc, meta_back_conn_cmp ) ) != NULL )
|
||||
{
|
||||
assert( !LDAP_BACK_PCONN_ISPRIV( mc ) );
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"=>meta_back_bind: destroying conn %ld (refcnt=%u)\n",
|
||||
LDAP_BACK_PCONN_ID( mc ), mc->mc_refcnt, 0 );
|
||||
"=>meta_back_bind: destroying conn %lu (refcnt=%u)\n",
|
||||
mc->mc_conn->c_connid, mc->mc_refcnt, 0 );
|
||||
|
||||
if ( tmpmc->mc_refcnt != 0 ) {
|
||||
/* taint it */
|
||||
|
|
@ -660,11 +661,15 @@ meta_back_dobind(
|
|||
isroot = 1;
|
||||
}
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_dobind: conn=%ld%s\n",
|
||||
op->o_log_prefix,
|
||||
LDAP_BACK_PCONN_ID( mc ),
|
||||
isroot ? " (isroot)" : "" );
|
||||
if ( LogTest( LDAP_DEBUG_TRACE ) ) {
|
||||
char buf[STRLENOF("4294967295U") + 1] = { 0 };
|
||||
ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_dobind: conn=%s%s\n",
|
||||
op->o_log_prefix, buf,
|
||||
isroot ? " (isroot)" : "" );
|
||||
}
|
||||
|
||||
/*
|
||||
* all the targets are bound as pseudoroot
|
||||
|
|
@ -796,9 +801,14 @@ retry_ok:;
|
|||
}
|
||||
|
||||
done:;
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_dobind: conn=%ld bound=%d\n",
|
||||
op->o_log_prefix, LDAP_BACK_PCONN_ID( mc ), bound );
|
||||
if ( LogTest( LDAP_DEBUG_TRACE ) ) {
|
||||
char buf[STRLENOF("4294967295U") + 1] = { 0 };
|
||||
ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_dobind: conn=%s bound=%d\n",
|
||||
op->o_log_prefix, buf, bound );
|
||||
}
|
||||
|
||||
if ( bound == 0 ) {
|
||||
meta_back_release_conn( mi, mc );
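Review bot: The scratch buffer `char buf[STRLENOF("4294967295U") + 1]` is sized for a 32-bit decimal value, but ldap_back_conn2str formats the connection id with `%lu`, which can need up to 20 digits where unsigned long is 64 bits wide. snprintf will not overflow the buffer, but the id is cut short and the return value is discarded at every call site, so a truncated id could be logged without any indication. Sizing the buffer for the widest case, `char buf[ STRLENOF("18446744073709551615") + 1 ] = { 0 };`, or checking the return value against `sizeof(buf)`, avoids the ambiguity. The same declaration is repeated in both meta_back_dobind hunks here and in the meta_back_getconn hunks. The enclosing function starts and ends outside these hunks.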
|
||||
|
|
|
|||
|
|
@ -1168,8 +1168,14 @@ retry_lock:;
|
|||
LDAP_BACK_CONN_TAINTED_SET( mc );
|
||||
LDAP_BACK_CONN_CACHED_CLEAR( mc );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE, "%s meta_back_getconn: mc=%p conn=%ld expired (tainted).\n",
|
||||
op->o_log_prefix, (void *)mc, LDAP_BACK_PCONN_ID( mc ) );
|
||||
if ( LogTest( LDAP_DEBUG_TRACE ) ) {
|
||||
char buf[STRLENOF("4294967295U") + 1] = { 0 };
|
||||
ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_getconn: mc=%p conn=%s expired (tainted).\n",
|
||||
op->o_log_prefix, (void *)mc, buf );
|
||||
}
|
||||
}
|
||||
|
||||
mc->mc_refcnt++;
|
||||
|
|
@ -1654,10 +1660,14 @@ done:;
|
|||
|
||||
default:
|
||||
LDAP_BACK_CONN_CACHED_CLEAR( mc );
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s meta_back_getconn: candidates=%d conn=%ld insert failed\n",
|
||||
op->o_log_prefix, ncandidates,
|
||||
LDAP_BACK_PCONN_ID( mc ) );
|
||||
if ( LogTest( LDAP_DEBUG_ANY ) ) {
|
||||
char buf[STRLENOF("4294967295U") + 1] = { 0 };
|
||||
ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
|
||||
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"%s meta_back_getconn: candidates=%d conn=%s insert failed\n",
|
||||
op->o_log_prefix, ncandidates, buf );
|
||||
}
|
||||
|
||||
mc->mc_refcnt = 0;
|
||||
meta_back_conn_free( mc );
|
||||
|
|
@ -1671,16 +1681,24 @@ done:;
|
|||
}
|
||||
}
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_getconn: candidates=%d conn=%ld inserted\n",
|
||||
op->o_log_prefix, ncandidates,
|
||||
LDAP_BACK_PCONN_ID( mc ) );
|
||||
if ( LogTest( LDAP_DEBUG_TRACE ) ) {
|
||||
char buf[STRLENOF("4294967295U") + 1] = { 0 };
|
||||
ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_getconn: candidates=%d conn=%s inserted\n",
|
||||
op->o_log_prefix, ncandidates, buf );
|
||||
}
|
||||
|
||||
} else {
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_getconn: candidates=%d conn=%ld fetched\n",
|
||||
op->o_log_prefix, ncandidates,
|
||||
LDAP_BACK_PCONN_ID( mc ) );
|
||||
if ( LogTest( LDAP_DEBUG_TRACE ) ) {
|
||||
char buf[STRLENOF("4294967295U") + 1] = { 0 };
|
||||
ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"%s meta_back_getconn: candidates=%d conn=%s fetched\n",
|
||||
op->o_log_prefix, ncandidates, buf );
|
||||
}
|
||||
}
|
||||
|
||||
return mc;
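Review bot: Each call `ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) )` passes a metaconn_t through a cast, which is only correct while both structures keep the Connection pointer at the same offset. The metaconn_t definition is not part of this commit view, so that layout cannot be confirmed from here; if a field is ever added ahead of it, the helper would read an unrelated member and either index its name table or dereference it. A comment at both structure definitions recording the shared-prefix requirement, for example `/* must stay first: ldap_back_conn2str() is called on metaconn_t via cast */`, would make the dependency visible. The LogTest block is also repeated four times in meta_back_getconn with only the message changing, so a small static helper that takes the format suffix would be easier to keep consistent.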
|
||||
|
|
|
|||
|
|
@ -56,11 +56,11 @@ meta_back_conn_destroy(
|
|||
#endif /* META_BACK_PRINT_CONNTREE */
|
||||
while ( ( mc = avl_delete( &mi->mi_conninfo.lai_tree, ( caddr_t )&mc_curr, meta_back_conn_cmp ) ) != NULL )
|
||||
{
|
||||
assert( !LDAP_BACK_PCONN_ISPRIV( mc ) );
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"=>meta_back_conn_destroy: destroying conn %ld "
|
||||
"=>meta_back_conn_destroy: destroying conn %lu "
|
||||
"refcnt=%d flags=0x%08x\n",
|
||||
LDAP_BACK_PCONN_ID( mc ),
|
||||
mc->mc_refcnt, mc->msc_mscflags );
|
||||
mc->mc_conn->c_connid, mc->mc_refcnt, mc->msc_mscflags );
|
||||
|
||||
if ( mc->mc_refcnt > 0 ) {
|
||||
/* someone else might be accessing the connection;
|
||||
|
|
|
|||