From: Pierangelo Masarati
Date: Wed, 19 Aug 2009 15:00:59 +0000 (+0000)
Subject: better logging of privileged connections (more to come; might be unstable for a bit)
X-Git-Tag: ACLCHECK_0~273
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=bdec7702d7ad0c6ff1c821cab761069c8a0e9871;p=openldap

better logging of privileged connections (more to come; might be unstable for a bit)
---
diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index 7069245701..8b7f464931 100644
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -64,8 +64,8 @@ enum {
 typedef struct ldapconn_t {
 Connection *lc_conn;
 #define LDAP_BACK_CONN2PRIV(lc) ((unsigned long)(lc)->lc_conn)
-#define LDAP_BACK_PCONN_ISPRIV(lc) ((void *)(lc)->lc_conn >= (void *)LDAP_BACK_PCONN_FIRST \
- && (void *)(lc)->lc_conn < (void *)LDAP_BACK_PCONN_LAST)
+#define LDAP_BACK_PCONN_ISPRIV(lc) (((void *)(lc)->lc_conn) >= ((void *)LDAP_BACK_PCONN_FIRST) \
+ && ((void *)(lc)->lc_conn) < ((void *)LDAP_BACK_PCONN_LAST))
 #define LDAP_BACK_PCONN_ISROOTDN(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
 && (LDAP_BACK_CONN2PRIV((lc)) < LDAP_BACK_PCONN_ANON))
 #define LDAP_BACK_PCONN_ISANON(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
@@ -75,8 +75,6 @@ typedef struct ldapconn_t {
 && (LDAP_BACK_CONN2PRIV((lc)) >= LDAP_BACK_PCONN_BIND))
 #define LDAP_BACK_PCONN_ISTLS(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \
 && (LDAP_BACK_CONN2PRIV((lc)) & LDAP_BACK_PCONN_TLS))
-#define LDAP_BACK_PCONN_ID(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) ? \
- ( -1 - (long)(lc)->lc_conn ) : (lc)->lc_conn->c_connid )
 #ifdef HAVE_TLS
 #define LDAP_BACK_PCONN_ROOTDN_SET(lc, op) \
 ((lc)->lc_conn = (void *)((op)->o_conn->c_is_tls ? (void *) LDAP_BACK_PCONN_ROOTDN_TLS : (void *) LDAP_BACK_PCONN_ROOTDN))
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 2521b3fbf8..3bd12209f3 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
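Review bot: The extra parentheses in `LDAP_BACK_PCONN_ISPRIV` leave the underlying problem in place: the macro orders `(void *)(lc)->lc_conn` relationally against integer constants converted to pointers, and in C a `<`/`>=` comparison between pointers that do not point into the same object is undefined behaviour, so an optimiser is free to fold the test however it likes. The sibling macros `LDAP_BACK_PCONN_ISROOTDN`/`ISANON`/`ISTLS` already compare the integer form `LDAP_BACK_CONN2PRIV((lc))`, and the same shape works here: `#define LDAP_BACK_PCONN_ISPRIV(lc) (LDAP_BACK_CONN2PRIV((lc)) >= (unsigned long)LDAP_BACK_PCONN_FIRST \` followed by `&& LDAP_BACK_CONN2PRIV((lc)) < (unsigned long)LDAP_BACK_PCONN_LAST)`, assuming the `LDAP_BACK_PCONN_*` enumerators are non-negative, which the `& LDAP_BACK_PCONN_TLS` bit test suggests. Whichever form is kept, a comment above the macro stating that small integers stored in `lc_conn` stand in for privileged (rootdn/anonymous/bind) placeholder connections would spare the next reader the reverse engineering, since nothing in the header says so.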
@@ -303,9 +303,10 @@ retry_lock:;
 if ( LDAP_BACK_SINGLECONN( li ) ) {
 while ( ( tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, ldap_back_conn_cmp ) ) != NULL ) {
+ assert( !LDAP_BACK_PCONN_ISPRIV( lc ) );
 Debug( LDAP_DEBUG_TRACE,
- "=>ldap_back_bind: destroying conn %ld (refcnt=%u)\n",
- LDAP_BACK_PCONN_ID( lc ), lc->lc_refcnt, 0 );
+ "=>ldap_back_bind: destroying conn %lu (refcnt=%u)\n",
+ lc->lc_conn->c_connid, lc->lc_refcnt, 0 );
 if ( tmplc->lc_refcnt != 0 ) {
 /* taint it */
@@ -2714,3 +2715,41 @@ ldap_back_controls_free( Operation *op, SlapReply *rs, LDAPControl ***pctrls )
 return 0;
 }
+
+int
+ldap_back_conn2str( ldapconn_t *lc, char *buf, ber_len_t buflen )
+{
+ static struct berval conns[] = {
+ BER_BVC("ROOTDN"),
+ BER_BVC("ROOTDN-TLS"),
+ BER_BVC("ANON"),
+ BER_BVC("ANON-TLS"),
+ BER_BVC("BIND"),
+ BER_BVC("BIND-TLS"),
+ BER_BVNULL
+ };
+
+ int len = 0;
+
+ if ( LDAP_BACK_PCONN_ISPRIV( lc ) ) {
+ long cid;
+ struct berval *bv;
+
+ cid = (long)lc->lc_conn;
+ assert( cid >= LDAP_BACK_PCONN_FIRST && cid < LDAP_BACK_PCONN_LAST );
+
+ bv = &conns[ cid ];
+
+ if ( bv->bv_len >= buflen ) {
+ return bv->bv_len + 1;
+ }
+
+ len = bv->bv_len;
+ lutil_strncopy( buf, bv->bv_val, bv->bv_len + 1 );
+
+ } else {
+ len = snprintf( buf, buflen, "%lu", lc->lc_conn->c_connid );
+ }
+
+ return len;
+}
diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c
index 4b6a24ab57..d7d4f64cce 100644
--- a/servers/slapd/back-ldap/chain.c
+++ b/servers/slapd/back-ldap/chain.c
@@ -2063,7 +2063,6 @@ int
 chain_initialize( void )
 {
 int rc;
- const char *text;
 /* Make sure we don't exceed the bits reserved for userland */
 config_check_userland( CH_LAST );
diff --git a/servers/slapd/back-ldap/proto-ldap.h b/servers/slapd/back-ldap/proto-ldap.h
index b0ab84d82f..0c7f2e4983 100644
--- a/servers/slapd/back-ldap/proto-ldap.h
+++ b/servers/slapd/back-ldap/proto-ldap.h
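Review bot: The new `assert( !LDAP_BACK_PCONN_ISPRIV( lc ) )` is the only guard in front of the `lc->lc_conn->c_connid` dereference in the Debug call, and it is compiled out under NDEBUG, so in a release build the message would dereference the small-integer placeholder if a privileged `lc` ever reached this loop; note also that `lc` is the lookup key here while `tmplc` is the entry actually being deleted. If the invariant is that privileged placeholders are never inserted into `lai_tree`, which is what the loop relies on, say so next to the assert: `/* privileged placeholders are never cached in lai_tree, so lc_conn is a real Connection here */`. The same assert-then-dereference sequence is added in ldap_back_conn_destroy (back-ldap/unbind.c), meta_back_bind (back-meta/bind.c) and meta_back_conn_destroy (back-meta/unbind.c), and the comment belongs in all four places. ldap_back_bind continues outside the hunk.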
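Review bot: In `ldap_back_conn2str` the lookup `bv = &conns[ cid ];` uses the raw placeholder value as the table index, so the function is only correct if `LDAP_BACK_PCONN_FIRST` is 0 and `conns[]` is kept in enumerator order (ROOTDN, ROOTDN-TLS, ANON, ANON-TLS, BIND, BIND-TLS, the order the `ISROOTDN`/`ISANON`/`ISTLS` macros imply); neither dependency is written down, and the `assert` re-checks the range `LDAP_BACK_PCONN_ISPRIV` already established rather than the table bound. Indexing relative to the enumerator, `bv = &conns[ cid - LDAP_BACK_PCONN_FIRST ];`, plus a comment on the table, `/* indexed by LDAP_BACK_PCONN_* - LDAP_BACK_PCONN_FIRST: keep in enum order */`, makes the coupling explicit. The return contract also needs a header comment, because the two branches deliberately mirror snprintf: the function returns the length it wrote, or a value `>= buflen` when `buf` is too small, in which case the name branch writes nothing and `buf` keeps whatever the caller put there (the name branch counts the NUL in `bv_len + 1` while snprintf's count excludes it; pick one). Because the back-meta hunks in this commit call it as `ldap_back_conn2str( (ldapconn_t *)mc, ... )`, the function must keep touching only `lc->lc_conn`; that constraint belongs in the same comment so a later field access does not silently break back-meta.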
@@ -63,6 +63,8 @@ extern void ldap_back_conn_free( void *c );
 extern ldapconn_t * ldap_back_conn_delete( ldapinfo_t *li, ldapconn_t *lc );
+extern int ldap_back_conn2str( ldapconn_t *lc, char *buf, ber_len_t buflen );
+
 extern int
 ldap_back_proxy_authz_ctrl(
 Operation *op,
diff --git a/servers/slapd/back-ldap/unbind.c b/servers/slapd/back-ldap/unbind.c
index 6c9d155ad0..bc93a13dac 100644
--- a/servers/slapd/back-ldap/unbind.c
+++ b/servers/slapd/back-ldap/unbind.c
@@ -53,11 +53,11 @@ ldap_back_conn_destroy(
 #endif /* LDAP_BACK_PRINT_CONNTREE */
 while ( ( lc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)&lc_curr, ldap_back_conn_cmp ) ) != NULL ) {
+ assert( !LDAP_BACK_PCONN_ISPRIV( lc ) );
 Debug( LDAP_DEBUG_TRACE,
- "=>ldap_back_conn_destroy: destroying conn %ld "
+ "=>ldap_back_conn_destroy: destroying conn %lu "
 "refcnt=%d flags=0x%08x\n",
- LDAP_BACK_PCONN_ID( lc ),
- lc->lc_refcnt, lc->lc_lcflags );
+ lc->lc_conn->c_connid, lc->lc_refcnt, lc->lc_lcflags );
 if ( lc->lc_refcnt > 0 ) {
 /* someone else might be accessing the connection;
diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c
index 9c97290252..fa8ab230a3 100644
--- a/servers/slapd/back-meta/bind.c
+++ b/servers/slapd/back-meta/bind.c
@@ -223,9 +223,10 @@ meta_back_bind( Operation *op, SlapReply *rs )
 while ( ( tmpmc = avl_delete( &mi->mi_conninfo.lai_tree, (caddr_t)mc, meta_back_conn_cmp ) ) != NULL ) {
+ assert( !LDAP_BACK_PCONN_ISPRIV( mc ) );
 Debug( LDAP_DEBUG_TRACE,
- "=>meta_back_bind: destroying conn %ld (refcnt=%u)\n",
- LDAP_BACK_PCONN_ID( mc ), mc->mc_refcnt, 0 );
+ "=>meta_back_bind: destroying conn %lu (refcnt=%u)\n",
+ mc->mc_conn->c_connid, mc->mc_refcnt, 0 );
 if ( tmpmc->mc_refcnt != 0 ) {
 /* taint it */
@@ -660,11 +661,15 @@ meta_back_dobind(
 isroot = 1;
 }
- Debug( LDAP_DEBUG_TRACE,
- "%s meta_back_dobind: conn=%ld%s\n",
- op->o_log_prefix,
- LDAP_BACK_PCONN_ID( mc ),
- isroot ? " (isroot)" : "" );
+ if ( LogTest( LDAP_DEBUG_TRACE ) ) {
+ char buf[STRLENOF("4294967295U") + 1] = { 0 };
+ ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "%s meta_back_dobind: conn=%s%s\n",
+ op->o_log_prefix, buf,
+ isroot ? " (isroot)" : "" );
+ }
 /*
 * all the targets are bound as pseudoroot
@@ -796,9 +801,14 @@ retry_ok:;
 }
 done:;
- Debug( LDAP_DEBUG_TRACE,
- "%s meta_back_dobind: conn=%ld bound=%d\n",
- op->o_log_prefix, LDAP_BACK_PCONN_ID( mc ), bound );
+ if ( LogTest( LDAP_DEBUG_TRACE ) ) {
+ char buf[STRLENOF("4294967295U") + 1] = { 0 };
+ ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "%s meta_back_dobind: conn=%s bound=%d\n",
+ op->o_log_prefix, buf, bound );
+ }
 if ( bound == 0 ) {
 meta_back_release_conn( mi, mc );
diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c
index 09f918956b..3de4b63cb5 100644
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@@ -1168,8 +1168,14 @@ retry_lock:;
 LDAP_BACK_CONN_TAINTED_SET( mc );
 LDAP_BACK_CONN_CACHED_CLEAR( mc );
- Debug( LDAP_DEBUG_TRACE, "%s meta_back_getconn: mc=%p conn=%ld expired (tainted).\n",
- op->o_log_prefix, (void *)mc, LDAP_BACK_PCONN_ID( mc ) );
+ if ( LogTest( LDAP_DEBUG_TRACE ) ) {
+ char buf[STRLENOF("4294967295U") + 1] = { 0 };
+ ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "%s meta_back_getconn: mc=%p conn=%s expired (tainted).\n",
+ op->o_log_prefix, (void *)mc, buf );
+ }
 }
 mc->mc_refcnt++;
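Review bot: Every new `char buf[STRLENOF("4294967295U") + 1]` block in meta_back_dobind, and the four like it in meta_back_getconn (back-meta/conn.c), discards the return value of `ldap_back_conn2str`, so when `c_connid` needs more digits than the literal allows (it is printed with `%lu` elsewhere in this commit, and an `unsigned long` can run to 20 digits on LP64) the log line is silently truncated rather than flagged. The `= { 0 }` initialiser is load-bearing, because the name branch of `ldap_back_conn2str` writes nothing when the string does not fit; a comment such as `/* zeroed: conn2str leaves buf untouched when the name does not fit */` keeps someone from dropping it. The same six-line block is repeated verbatim six times; one definition of the size next to the prototype, for instance `#define LDAP_BACK_CONN2STR_BUFSIZ (STRLENOF("18446744073709551615") + 1)` (name is a proposal), sized for the widest `unsigned long`, removes both the repetition and the truncation case. The enclosing functions start outside these hunks.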
@@ -1654,10 +1660,14 @@ done:;
 default:
 LDAP_BACK_CONN_CACHED_CLEAR( mc );
- Debug( LDAP_DEBUG_ANY,
- "%s meta_back_getconn: candidates=%d conn=%ld insert failed\n",
- op->o_log_prefix, ncandidates,
- LDAP_BACK_PCONN_ID( mc ) );
+ if ( LogTest( LDAP_DEBUG_ANY ) ) {
+ char buf[STRLENOF("4294967295U") + 1] = { 0 };
+ ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
+
+ Debug( LDAP_DEBUG_ANY,
+ "%s meta_back_getconn: candidates=%d conn=%s insert failed\n",
+ op->o_log_prefix, ncandidates, buf );
+ }
 mc->mc_refcnt = 0;
 meta_back_conn_free( mc );
@@ -1671,16 +1681,24 @@ done:;
 }
 }
- Debug( LDAP_DEBUG_TRACE,
- "%s meta_back_getconn: candidates=%d conn=%ld inserted\n",
- op->o_log_prefix, ncandidates,
- LDAP_BACK_PCONN_ID( mc ) );
+ if ( LogTest( LDAP_DEBUG_TRACE ) ) {
+ char buf[STRLENOF("4294967295U") + 1] = { 0 };
+ ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "%s meta_back_getconn: candidates=%d conn=%s inserted\n",
+ op->o_log_prefix, ncandidates, buf );
+ }
 } else {
- Debug( LDAP_DEBUG_TRACE,
- "%s meta_back_getconn: candidates=%d conn=%ld fetched\n",
- op->o_log_prefix, ncandidates,
- LDAP_BACK_PCONN_ID( mc ) );
+ if ( LogTest( LDAP_DEBUG_TRACE ) ) {
+ char buf[STRLENOF("4294967295U") + 1] = { 0 };
+ ldap_back_conn2str( (ldapconn_t *)mc, buf, sizeof(buf) );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "%s meta_back_getconn: candidates=%d conn=%s fetched\n",
+ op->o_log_prefix, ncandidates, buf );
+ }
 }
 return mc;
diff --git a/servers/slapd/back-meta/unbind.c b/servers/slapd/back-meta/unbind.c
index d754cf7988..50eff2d499 100644
--- a/servers/slapd/back-meta/unbind.c
+++ b/servers/slapd/back-meta/unbind.c
@@ -56,11 +56,11 @@ meta_back_conn_destroy(
 #endif /* META_BACK_PRINT_CONNTREE */
 while ( ( mc = avl_delete( &mi->mi_conninfo.lai_tree, ( caddr_t )&mc_curr, meta_back_conn_cmp ) ) != NULL ) {
+ assert( !LDAP_BACK_PCONN_ISPRIV( mc ) );
 Debug( LDAP_DEBUG_TRACE,
- "=>meta_back_conn_destroy: destroying conn %ld "
+ "=>meta_back_conn_destroy: destroying conn %lu "
 "refcnt=%d flags=0x%08x\n",
- LDAP_BACK_PCONN_ID( mc ),
- mc->mc_refcnt, mc->msc_mscflags );
+ mc->mc_conn->c_connid, mc->mc_refcnt, mc->msc_mscflags );
 if ( mc->mc_refcnt > 0 ) {
 /* someone else might be accessing the connection;