From 3de14196c85d3fc6a3b939efb09870add5792e06 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 14 Apr 2015 09:50:40 -0600
Subject: [PATCH] Add some ldap_err2string() debugging when the LDAP search fails. Adapted from a diff from Steven Soulen.
---
 plugins/sudoers/ldap.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 921449bf9..6ed5b5fcd 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -609,7 +609,7 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
 }
 }
 if (retry) {
- DPRINTF2("ldapssl_clientauth_init(%s, %s)",
+ DPRINTF2("retry ldapssl_clientauth_init(%s, %s)",
 ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
 ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL");
 rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
@@ -1348,6 +1348,7 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
 DPRINTF1("searching from netgroup_base '%s'", base->val);
 
 /* Build query, using NIS domain if it is set. */
+ /* XXX - move outside foreach */
 if (domain != NULL) {
 filt_len = sizeof("(nisNetgroupTriple=\\(,,\\))") - 1 +
 sudo_ldap_value_len(pw->pw_name);
@@ -1430,7 +1431,7 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
 rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
 NULL, 0, NULL, NULL, tvp, 0, &result);
 if (rc != LDAP_SUCCESS) {
- DPRINTF1("nothing found for '%s'", filt);
+ DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc));
 if (result)
 ldap_msgfree(result);
 sudo_efree(filt);
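Review bot: The replacement DPRINTF1 in the `if (rc != LDAP_SUCCESS)` branch of sudo_netgroup_lookup drops `filt` from the message, so a failed search can no longer be tied to the filter and netgroup base that triggered it; the sudo_ldap_result_get hunk at -3259 drops the filter in the same way. Keeping both cause and context costs one argument: `DPRINTF1("ldap netgroup search for '%s' failed: %s", filt, ldap_err2string(rc));`, and likewise `"ldap search pass %d for '%s' failed: %s"` in the later hunk. Every non-success rc, including a timeout against a slow server, is handled here like an empty result and the loop appears to move on to the next base, which is pre-existing and looks fail-closed, but it is precisely the path an operator will be debugging, so the filter is worth keeping in the trace. sudo_netgroup_lookup starts and ends outside the hunk.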
@@ -2863,20 +2864,18 @@ sudo_ldap_open(struct sudo_nss *nss)
 #ifdef HAVE_LDAP_INITIALIZE
 if (!STAILQ_EMPTY(&ldap_conf.uri)) {
 char *buf = sudo_ldap_join_uri(&ldap_conf.uri);
- if (buf != NULL) {
- DPRINTF2("ldap_initialize(ld, %s)", buf);
- rc = ldap_initialize(&ld, buf);
- sudo_efree(buf);
- if (rc != LDAP_SUCCESS) {
- sudo_warnx(U_("unable to initialize LDAP: %s"),
- ldap_err2string(rc));
- }
- }
+ if (buf == NULL)
+ goto done;
+ DPRINTF2("ldap_initialize(ld, %s)", buf);
+ rc = ldap_initialize(&ld, buf);
+ sudo_efree(buf);
 } else
 #endif
 rc = sudo_ldap_init(&ld, ldap_conf.host, ldap_conf.port);
- if (rc != LDAP_SUCCESS)
+ if (rc != LDAP_SUCCESS) {
+ sudo_warnx(U_("unable to initialize LDAP: %s"), ldap_err2string(rc));
 goto done;
+ }
 
 /* Set LDAP per-connection options */
 rc = sudo_ldap_set_options_conn(ld);
@@ -3259,7 +3258,8 @@ sudo_ldap_result_get(struct sudo_nss *nss, struct passwd *pw)
 rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
 NULL, 0, NULL, NULL, tvp, 0, &result);
 if (rc != LDAP_SUCCESS) {
- DPRINTF1("nothing found for '%s'", filt);
+ DPRINTF1("ldap search pass %d failed: %s", pass + 1,
+ ldap_err2string(rc));
 continue;
 }
 lres->user_matches = true;
-- 
2.40.0
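Review bot: The new `if (buf == NULL) goto done;` in sudo_ldap_open leaves `rc` at whatever value it held before this block and bypasses the consolidated `sudo_warnx(U_("unable to initialize LDAP: %s"), ldap_err2string(rc));` below it, so a failed sudo_ldap_join_uri() is reported, if at all, only inside that helper, and the value returned at `done:` depends on an initialization that is outside the hunk. If rc does not already hold a failure code at that point, the caller could see success with `ld` never opened; either set an explicit non-success rc before the goto or record the assumption in the file's own style with `/* XXX - relies on rc already holding a failure code */`. Routing both the ldap_initialize() and sudo_ldap_init() paths through the single warning is otherwise a sound consolidation. sudo_ldap_open begins before the hunk and the `done:` label is after it.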
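Review bot: The new DPRINTF1 in sudo_ldap_result_get is debug-only, so when `ldap_search_ext_s()` fails for a base the code still `continue`s and `lres->user_matches` is never set for that pass; at default logging the lookup simply comes back empty with nothing indicating that the directory, not the policy, produced that outcome. Since that is exactly what an operator must distinguish from "no matching rule", consider promoting search failures to `sudo_warnx(U_("LDAP search failed: %s"), ldap_err2string(rc));`, or at least documenting the choice with `/* A failed search yields no rules from this base; keep going. */` above the DPRINTF1. The `pass + 1` argument presumes `pass` is an int for `%d`; its declaration is outside the hunk. sudo_ldap_result_get starts and ends outside the hunk.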