Diffstat (limited to '')
-rw-r--r-- | dirmngr/dirmngr.c | 1 | ||||
-rw-r--r-- | dirmngr/dirmngr.h | 2 | ||||
-rw-r--r-- | dirmngr/ks-engine-ldap.c | 66 |
3 files changed, 54 insertions, 15 deletions
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index d418d09e2..14472e9ef 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -332,6 +332,7 @@ static struct debug_flags_s debug_flags [] =
 { DBG_LOOKUP_VALUE , "lookup" },
 { DBG_EXTPROG_VALUE, "extprog" },
 { DBG_KEEPTMP_VALUE, "keeptmp" },
+ { DBG_LDAP_VALUE, "ldap" },
 { 77, NULL } /* 77 := Do not exit on "help" or "?". */
 };

diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 5de66721b..984c60db2 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -179,6 +179,7 @@ struct
 #define DBG_LOOKUP_VALUE 8192 /* debug lookup details */
 #define DBG_EXTPROG_VALUE 16384 /* debug external program calls */
 #define DBG_KEEPTMP_VALUE 32768 /* keep some temporary files */
+#define DBG_LDAP_VALUE 65536 /* debug ldap connection problems. */

 #define DBG_X509 (opt.debug & DBG_X509_VALUE)
 #define DBG_CRYPTO (opt.debug & DBG_CRYPTO_VALUE)
@@ -191,6 +192,7 @@ struct
 #define DBG_LOOKUP (opt.debug & DBG_LOOKUP_VALUE)
 #define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE)
 #define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE)
+#define DBG_LDAP (opt.debug & DBG_LDAP_VALUE)

 /* Compatibility flags */
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index 789f9706b..5f8af81c0 100644
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@@ -1,7 +1,7 @@
 /* ks-engine-ldap.c - talk to a LDAP keyserver
 * Copyright (C) 2001, 2002, 2004, 2005, 2006
 * 2007 Free Software Foundation, Inc.
- * Copyright (C) 2015, 2020, 2023 g10 Code GmbH
+ * Copyright (C) 2015, 2020, 2023, 2025 g10 Code GmbH
 *
 * This file is part of GnuPG.
 *
@@ -616,6 +616,8 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
 lerr = ldap_search_s (ldap_conn, object, LDAP_SCOPE_BASE,
 "(objectClass=*)", attr2, 0, &si_res);
 npth_protect ();
+ if (DBG_LDAP)
+ log_debug ("%s: searched for '%s': ldaprc=%d\n", __func__, object, lerr);
 xfree (object);

 if (lerr == LDAP_SUCCESS)
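Review bot: The new `{ DBG_LDAP_VALUE, "ldap" },` entry makes `ldap` an accepted `--debug` keyword, but the diffstat lists only the three source files, so if the manual enumerates the debug keywords (the list that currently ends with `keeptmp`) it is now out of date and should gain `ldap` in the same change. The entry sits before the `{ 77, NULL }` sentinel, so the table stays terminated, and 65536 is the next free bit after DBG_KEEPTMP_VALUE's 32768 as far as the dirmngr.h hunk shows.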
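Review bot: The trace added after `npth_protect ()` labels the ldap_search_s result `ldaprc=%d`, while the two parallel traces this commit adds in my_ldap_connect (after the namingContexts search at -981 and the cn=pgpServerInfo search at -1019) label the same kind of value `lerr=%d`; one spelling keeps the ldap debug output greppable, e.g. `log_debug ("%s: searched for '%s': lerr=%d\n", __func__, object, lerr);`. interrogate_ldap_dn begins before this hunk.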
@@ -624,12 +626,14 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
 if (vals && vals[0])
 basedn = xtrystrdup (vals[0]);
 my_ldap_value_free (vals);
+ if (DBG_LDAP)
+ log_debug ("%s: baseDN='%s'\n", __func__, basedn);

 vals = ldap_get_values (ldap_conn, si_res, "pgpSoftware");
 if (vals && vals[0])
 {
- if (opt.debug)
- log_debug ("Server: \t%s\n", vals[0]);
+ if (DBG_LDAP)
+ log_debug ("%s: pgpSoftware: \t%s\n", __func__, vals[0]);
 if (!ascii_strcasecmp (vals[0], "GnuPG"))
 is_gnupg = 1;
 }
@@ -638,8 +642,6 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
 vals = ldap_get_values (ldap_conn, si_res, "pgpVersion");
 if (vals && vals[0])
 {
- if (opt.debug)
- log_debug ("Version:\t%s\n", vals[0]);
 if (is_gnupg)
 {
 const char *fields[2];
@@ -654,6 +656,11 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
 && !ascii_strcasecmp (fields[1], "cnfpr"))
 *r_serverinfo |= SERVERINFO_CNFPR;
 }
+ if (DBG_LDAP)
+ log_debug ("%s: pgpVersion:\t%s%s%s%s\n", __func__, vals[0],
+ (*r_serverinfo & SERVERINFO_SCHEMAV2)? " schema2":"",
+ (*r_serverinfo & SERVERINFO_NTDS)? " ntds":"",
+ (*r_serverinfo & SERVERINFO_CNFPR)? "cnfpr":"");
 }
 my_ldap_value_free (vals);
 }
@@ -758,9 +765,9 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 if (opt.verbose)
 log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s%s'%s\n",
 host, port,
- basedn_arg ? basedn_arg : "",
 bindname ? bindname : "",
 password ? "*****" : "",
+ basedn_arg ? basedn_arg : "",
 use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain",
 use_ntds ? ",ntds":"",
 use_areconly? ",areconly":"",
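Review bot: The new `log_debug ("%s: baseDN='%s'\n", __func__, basedn);` can be reached with a null `basedn`: in this hunk it is assigned only when `vals && vals[0]` holds and `xtrystrdup` succeeds, so a server that lacks the attribute leaves it unset. Passing a null pointer for `%s` is undefined in standard C, and I cannot confirm from here that the logger behind log_debug renders it as "(null)", so a guard such as `__func__, basedn? basedn : "(null)"` makes the trace safe on every path. The same applies to the traces added at -971 and -1004 in my_ldap_connect, where `basedn` is (apparently) the return value of interrogate_ldap_dn, which this hunk shows can be NULL. interrogate_ldap_dn begins before this hunk.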
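Review bot: The last operand of the new pgpVersion trace is `"cnfpr"` without the leading space that `" schema2"` and `" ntds"` carry, so a server with both NTDS and CNFPR set prints `ntdscnfpr`; change the line to `(*r_serverinfo & SERVERINFO_CNFPR)? " cnfpr":"");`. The trace sits inside the `if (vals && vals[0])` block whose opening is outside this hunk, after the `if (is_gnupg)` block closes, so for non-GnuPG servers it presumably prints the bare version with no flags, which looks intended.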
@@ -910,11 +917,13 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 npth_protect ();
 if (lerr != LDAP_SUCCESS)
 {
- log_error ("error binding to LDAP via AD: %s\n",
+ log_error ("error binding to LDAP via NTDS: %s\n",
 ldap_err2string (lerr));
 err = ldap_err_to_gpg_err (lerr);
 goto out;
 }
+ if (DBG_LDAP)
+ log_debug ("%s: ldap_bind to NTDS succeeded\n", __func__);
 #else
 log_error ("ldap: no Active Directory support but 'ntds' requested\n");
 err = gpg_error (GPG_ERR_NOT_SUPPORTED);
@@ -932,10 +941,14 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 err = ldap_err_to_gpg_err (lerr);
 goto out;
 }
+ if (DBG_LDAP)
+ log_debug ("%s: ldap_bind to '%s' succeeded\n", __func__, bindname);
 }
 else
 {
 /* By default we don't bind as there is usually no need to. */
+ if (DBG_LDAP)
+ log_debug ("%s: ldap_bind not used\n", __func__);
 }

 if (generic)
@@ -951,6 +964,9 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 goto out;
 }
 }
+ if (DBG_LDAP)
+ log_debug ("%s: serverinfo set to generic; basedn '%s'\n", __func__,
+ basedn);
 }
 else if (basedn_arg && *basedn_arg)
 {
@@ -971,6 +987,9 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 basedn = interrogate_ldap_dn (ldap_conn, basedn_parent + 1,
 r_serverinfo);
 }
+ if (DBG_LDAP)
+ log_debug ("%s: serverinfo set to realldap; basedn '%s'\n", __func__,
+ basedn);
 }
 else /* Look for namingContexts. */
 {
@@ -981,6 +1000,8 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 lerr = ldap_search_s (ldap_conn, "", LDAP_SCOPE_BASE,
 "(objectClass=*)", attr, 0, &res);
 npth_protect ();
+ if (DBG_LDAP)
+ log_debug ("%s: searched namingContexts: lerr=%d\n", __func__, lerr);
 if (lerr == LDAP_SUCCESS)
 {
@@ -1004,7 +1025,15 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 r_serverinfo);
 ldap_value_free (context);
+ if (DBG_LDAP)
+ log_debug ("%s: namingContext found (realldap); basedn='%s'\n",
+ __func__, basedn);
 }
+ else
+ {
+ if (DBG_LDAP)
+ log_debug ("%s: namingContext not found\n", __func__);
+ }
 }
 else /* ldap_search failed. */
 {
@@ -1019,6 +1048,9 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 lerr = ldap_search_s (ldap_conn, "cn=pgpServerInfo", LDAP_SCOPE_BASE,
 "(objectClass=*)", attr2, 0, &si_res);
 npth_protect ();
+ if (DBG_LDAP)
+ log_debug ("%s: searched cn=pgpServerInfo: lerr=%d\n",
+ __func__, lerr);
 if (lerr == LDAP_SUCCESS)
 {
 /* For the PGP LDAP keyserver, this is always
@@ -1029,6 +1061,8 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 if (vals && vals[0])
 {
 basedn = xtrystrdup (vals[0]);
+ if (DBG_LDAP)
+ log_debug ("%s: baseKeySpaceDN='%s'\n", __func__, basedn);
 }
 my_ldap_value_free (vals);

@@ -1036,7 +1070,8 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 if (vals && vals[0])
 {
 if (opt.debug)
- log_debug ("ks-ldap: PGP Server: \t%s\n", vals[0]);
+ log_debug ("%s: PGP Server software='%s'\n",
+ __func__, vals[0]);
 }
 my_ldap_value_free (vals);

@@ -1044,7 +1079,8 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 if (vals && vals[0])
 {
 if (opt.debug)
- log_debug ("ks-ldap: PGP Server Version:\t%s\n", vals[0]);
+ log_debug ("%s: PGP Server version='%s'\n",
+ __func__, vals[0]);

 /* If the version is high enough, use the new pgpKeyV2
 attribute. This design is iffy at best,
@@ -1069,7 +1105,7 @@ my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
 }

 out:
- if (!err && opt.debug)
+ if (!err && DBG_LDAP)
 {
 log_debug ("ldap_conn: %p\n", ldap_conn);
 log_debug ("server_type: %s\n",
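Review bot: The two rewritten traces in the cn=pgpServerInfo branch (this hunk at -1036 and the one at -1044) keep their `if (opt.debug)` condition while every other LDAP trace in this commit, including the `out:` block just below at -1069, is moved under `if (DBG_LDAP)`; as written these two still fire for any debug category, e.g. `--debug dns`, rather than only for `ldap`. Change both conditions to `if (DBG_LDAP)` so the new `__func__`-prefixed messages follow the same gate as the rest. my_ldap_connect begins and ends outside these hunks.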
@@ -1818,7 +1854,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
 filter = fstr;
 }

- if (opt.debug)
+ if (DBG_LDAP)
 log_debug ("ks-ldap: using filter: %s\n", filter);

 /* Replace "dummy". */
@@ -1978,7 +2014,7 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
 NULL
 };

- if (opt.debug)
+ if (DBG_LDAP)
 log_debug ("SEARCH '%s' => '%s' BEGIN\n", pattern, filter);

 npth_unprotect ();
@@ -2187,7 +2223,7 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
 free_strlist (dupelist);
 }

- if (opt.debug)
+ if (DBG_LDAP)
 log_debug ("SEARCH %s END\n", pattern);

 out:
@@ -3015,7 +3051,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
 err = gpg_error_from_syserror ();
 goto out;
 }
- if (opt.debug)
+ if (DBG_LDAP)
 log_debug ("ks-ldap: using DN: %s\n", dn);

 npth_unprotect ();
@@ -3328,7 +3364,7 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
 basedn = basedn_from_rootdse (ctrl, uri);
 }

- if (opt.debug)
+ if (DBG_LDAP)
 {
 log_debug ("ks-ldap: using basedn: %s\n", basedn);
 log_debug ("ks-ldap: using filter: %s\n", filter);
|
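Review bot: Style: the traces moved under `DBG_LDAP` here and in the hunks at -1978, -2187, -3015 and -3328 keep their hand-written `ks-ldap:` and `SEARCH` prefixes, while the traces added earlier in this commit identify themselves with `__func__`; now that all of them share one debug flag, the mixed prefixes make the `ldap` output harder to scan. Using the same form here, e.g. `log_debug ("%s: using filter: %s\n", __func__, filter);`, would make the output uniform. Each of these functions begins and ends outside its hunk.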