ldap_server: Plumb ldb error string from a failed connect to ldapsrv_terminate_connection()

However, do not plumb it to the client-seen error string, as it could contain server paths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

source4/ldap_server/ldap_backend.c

@@ -180,15 +180,17 @@ static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
 /*
   connect to the sam database
 */
-NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn) 
+int ldapsrv_backend_Init(struct ldapsrv_connection *conn,
+			      char **errstring)
 {
-	conn->ldb = samdb_connect(conn, 
+	int ret = samdb_connect_url(conn,
 				    conn->connection->event.ctx,
 				    conn->lp_ctx,
 				    conn->session_info,
-				     conn->global_catalog ? LDB_FLG_RDONLY : 0);
-	if (conn->ldb == NULL) {
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+				    conn->global_catalog ? LDB_FLG_RDONLY : 0,
+				    "sam.ldb", &conn->ldb, errstring);
+	if (ret != LDB_SUCCESS) {
+		return ret;
 	}
 
 	if (conn->server_credentials) {
@@ -205,11 +207,11 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
 				char *sasl_name = talloc_strdup(conn, ops[i]->sasl_name);
 
 				if (!sasl_name) {
-					return NT_STATUS_NO_MEMORY;
+					return LDB_ERR_OPERATIONS_ERROR;
 				}
 				sasl_mechs = talloc_realloc(conn, sasl_mechs, char *, j + 2);
 				if (!sasl_mechs) {
-					return NT_STATUS_NO_MEMORY;
+					return LDB_ERR_OPERATIONS_ERROR;
 				}
 				sasl_mechs[j] = sasl_name;
 				talloc_steal(sasl_mechs, sasl_name);
@@ -230,7 +232,7 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
 	ldb_set_opaque(conn->ldb, "remoteAddress",
 		       conn->connection->remote_address);
 
-	return NT_STATUS_OK;
+	return LDB_SUCCESS;
 }
 
 struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, uint8_t type)

source4/ldap_server/ldap_bind.c

@@ -237,6 +237,7 @@ static void ldapsrv_BindSimple_done(struct tevent_req *subreq)
 						    call,
 						    &session_info);
 	if (NT_STATUS_IS_OK(status)) {
+		char *ldb_errstring = NULL;
 		result = LDAP_SUCCESS;
 		errstr = NULL;
 
@@ -248,11 +249,16 @@ static void ldapsrv_BindSimple_done(struct tevent_req *subreq)
 		/* don't leak the old LDB */
 		talloc_unlink(call->conn, call->conn->ldb);
 
-		status = ldapsrv_backend_Init(call->conn);		
+		result = ldapsrv_backend_Init(call->conn, &ldb_errstring);
 
-		if (!NT_STATUS_IS_OK(status)) {
-			result = LDAP_OPERATIONS_ERROR;
-			errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
+		if (result != LDB_SUCCESS) {
+			/* Only put the detailed error in DEBUG() */
+			DBG_ERR("ldapsrv_backend_Init failed: %s: %s",
+				ldb_errstring, ldb_strerror(result));
+			errstr = talloc_strdup(reply,
+					       "Simple Bind: Failed to advise "
+					       "ldb new credentials");
+			result = LDB_ERR_OPERATIONS_ERROR;
 		}
 	} else {
 		status = nt_status_squash(status);
@@ -475,6 +481,7 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
 	NTSTATUS status;
 	int result;
 	const char *errstr = NULL;
+	char *ldb_errstring = NULL;
 	DATA_BLOB output = data_blob_null;
 
 	status = gensec_update_recv(subreq, call, &output);
@@ -582,15 +589,16 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
 
 	call->conn->authz_logged = true;
 
-	status = ldapsrv_backend_Init(conn);
+	result = ldapsrv_backend_Init(call->conn, &ldb_errstring);
 
-	if (!NT_STATUS_IS_OK(status)) {
-		result = LDAP_OPERATIONS_ERROR;
-		errstr = talloc_asprintf(reply,
-					 "SASL:[%s]: Failed to advise samdb of new credentials: %s",
-					 req->creds.SASL.mechanism,
-					 nt_errstr(status));
-		goto do_reply;
+	if (result != LDB_SUCCESS) {
+		/* Only put the detailed error in DEBUG() */
+		DBG_ERR("ldapsrv_backend_Init failed: %s: %s",
+			ldb_errstring, ldb_strerror(result));
+		errstr = talloc_strdup(reply,
+				       "SASL Bind: Failed to advise "
+				       "ldb new credentials");
+		result = LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	if (context != NULL) {

source4/ldap_server/ldap_server.c

@@ -293,6 +293,7 @@ static void ldapsrv_accept(struct stream_connection *c,
 	int ret;
 	struct tevent_req *subreq;
 	struct timeval endtime;
+	char *errstring = NULL;
 
 	conn = talloc_zero(c, struct ldapsrv_connection);
 	if (!conn) {
@@ -361,8 +362,13 @@ static void ldapsrv_accept(struct stream_connection *c,
 		conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
 	}
 
-	if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
-		ldapsrv_terminate_connection(conn, "backend Init failed");
+	ret = ldapsrv_backend_Init(conn, &errstring);
+	if (ret != LDB_SUCCESS) {
+		char *reason = talloc_asprintf(conn,
+					       "LDB backend for LDAP Init "
+					       "failed: %s: %s",
+					       errstring, ldb_strerror(ret));
+		ldapsrv_terminate_connection(conn, reason);
 		return;
 	}