From 13ae94695852169a06207a9e1380f9f2ef836e21 Mon Sep 17 00:00:00 2001
From: Michael Weiser
Date: Wed, 27 Feb 2019 13:07:54 +0000
Subject: Capture and handle ldapsearch error

Since the value of $? survives command substitution and variable assignment, we can capture and evaluate it. The next hurdle is that by default only the return code of the last command in a pipe is returned which is an awk in our case that will always succeed because it'll just get no input if ldapsearch fails. This can be worked around using shell option pipefail but this is a bashism. Instead we go the route of writing it to a temporary file in a group command as elsewhere in the code.
---
 src/usr/share/laps/laps.sh | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index 9780b9e..132e2e9 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -108,6 +108,7 @@ main_workflow() {
 # 2. fetch timestamp from ldap
 LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" )"
+test $? -eq 0 || return 1
 # 3. check timestamp to see if close to expiration
 check_ts_against_expiration_threshold "${LAPS_THRESHOLD}" "${LAPS_epoch}" "${LAPS_FORCE}"
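Review bot: `test $? -eq 0 || return 1` is correct only because the line before it is a bare assignment, which keeps the command substitution's exit status in `$?`; that dependency is invisible on the line itself, and the same construct is added in wrapper_get_timestamp_from_ldap (the `ts_filetime` assignment in the third hunk). A comment such as `# $? is wrapper_get_timestamp_from_ldap's status: a bare assignment preserves it, keep this line directly after it` at both sites would guard against a later `local`/`export` or a command inserted between the two lines. For consistency with the other site, `test "$?" -eq 0 || return 1` (quoted) would also be preferable. main_workflow starts before this hunk and continues after it.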
@@ -178,26 +179,42 @@ get_attrib_from_ldap() {
 # execute to check for ldap or kerberos errors
 ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
+if test "$?" -ne 0 ; then
 if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ; then
 ferror "Kerberos ticket expired. Any values from ldap will be garbage."
+return 1;
 elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ; then
 ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage."
+return 1;
 elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ; then
 ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage."
+return 1;
 else
 {
 echo "other ldap error:"
 echo "${___gtfl_stderr}"
 } | debuglevoutput 9
+return 1;
+fi
 fi
 # execute for actually fetching the value
-___gtfl_attrib="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>/dev/null | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+___gtfl_attrib="$( { KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" \
+"${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" \
+"${___gtfl_attrib}" 2>/dev/null ; \
+echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \
+} | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )"
+___gtfl_ldap_success="$( cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )"
+if test "$___gtfl_ldap_success" -ne 0 ; then
+ferror "LDAP lookup failed"
+return 1
+fi
-# no value means either the ldap connection malfunctioned or there was no attribute by that name defined.
+# here we can be sure that an empty value means there was no attribute by
+# that name defined or it had an actual empty value.
 echo "${___gtfl_attrib}"
@@ -215,6 +232,8 @@ wrapper_get_timestamp_from_ldap() {
 ___wgtfl_krb5cc_tmpfile="${7}"
 ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" )"
+test "$?" -eq 0 || return 1
+
 ts_epoch=0
 if test -n "$ts_filetime" ; then
 debuglev 3 && ferror "timestamp(FILETIME): ${ts_filetime}"
@@ -637,6 +656,7 @@ test -z "${LAPS_TMPDIR}" && LAPS_TMPDIR="$( mktemp -d /tmp/laps.XXXXXXXXXX )"
 test -z "${LAPS_KRB5CC_TMPFILE}" && LAPS_KRB5CC_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_LDIF_TMPFILE}" && LAPS_LDIF_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" && LAPS_LDAPMODIFY_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
+test -z "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" && LAPS_LDAPSEARCH_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_PASSWORD_STATUS_TMPFILE}" && LAPS_PASSWORD_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 define_if_new LAPS_KINIT_HOST_SCRIPT "/usr/share/bgscripts/work/kinit-host.sh"
 define_if_new LAPS_KINIT_HOST_SCRIPT_DEFAULT "/usr/share/bgscripts/work/kinit-host.sh"
-- 
cgit
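Review bot: The `else` branch of the new `if test "$?" -ne 0` check returns 1 but reports the failure only through `debuglevoutput 9`, so an ldapsearch error not matched by the three greps is now fatal yet produces no message at normal verbosity (the callers added in this commit return 1 silently as well); adding `ferror "ldapsearch failed; raise debug level to 9 for the ldap error text"` before the `{ ... } | debuglevoutput 9` group would keep the fail-closed behaviour observable. The second run discards its stderr, so the later message could at least carry the captured status: `ferror "LDAP lookup failed (ldapsearch exit status ${___gtfl_ldap_success})"`. The status file is reused by every lookup and is only truncated by the `echo "$?" >` redirect itself, so if that redirect ever fails the `cat` would presumably read the previous lookup's status (possibly `0`) and mask the failure; how the tmpfile is created and cleaned up is outside this hunk, so worth confirming. The trailing semicolons on the four new `return 1;` lines differ from the bare `return 1` added further down in the same function. get_attrib_from_ldap starts before this hunk and continues after it.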