Rich Megginson wrote:
> On 04/17/2012 06:15 PM, Howard Chu wrote:
>> Dmitri Pal wrote:
>>> On 04/17/2012 05:21 PM, Howard Chu wrote:
>>>>>> If the cause of failure isn't as obvious with NSS, then again I
>>>>>> to say, it seems to me that you're looking in the wrong place for
>>> I value everybody's time too and understand that creating a good
>>> abstraction is a cost, especially if a single solution worked in the past.
>>> So following the rules of the meritocracy it is completely reasonable to
>>> expect that whoever has the need does the work. And this is the case
>>> here. But we want to do the work in the least intrusive way and to
>>> address as many concerns as possible. So the question was and is "can
>>> you please let us know how we should implement it to make things work
>>> for everybody?".
>> OK. But at the moment I still don't understand why providing the debug
>> output (as we already do) isn't sufficient to allow administrators to
>> identify their misconfiguration issues.
> We need some way for developers writing applications that use the
> OpenLDAP API to get more detailed information from TLS/SSL connection
> and other failures.
Jan's original proposal is for LDAP_TLS_INITIALIZATION_ERROR to allow it to be
distinguished from a session negotiation error. The bugzilla bug quoted
previously complains that TLS settings aren't checked at startup time. Sounds
to me like your actual problem is that you should be forcing the context
initialization to occur earlier, to catch these cases. Unfortunately, ever
since ITS#5696, you'll still be unable to catch all possible NSS internal
errors this way.
For your https://bugzilla.redhat.com/show_bug.cgi?id=640393
I suggest you
add a call to ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &flag) in your app
startup sequence to force libldap to perform context initialization, and do
your pathname/dbname/certname validation at that time. That will give you an
opportunity to detect misconfiguration/initialization errors. Or at least, as
much as is possible since your real initialization is still deferred.
This may seem less precise compared to the original proposal, but it has the
virtue of failing early, rather than waiting until the first session attempt
to report a config error.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/