@@ -955,6 +955,10 @@ fedfsd_test_nsdb(const char *hostname, unsigned short port)
xlog(D_GENERAL, "%s: %s:%u passed ping test",
__func__, hostname, port);
break;
+ case FEDFS_ERR_NSDB_AUTH:
+ xlog(D_GENERAL, "%s: TLS is required for NSDB %s:%u",
+ __func__, hostname, port);
+ break;
case FEDFS_ERR_NSDB_NONCE:
xlog(D_GENERAL, "%s: %s:%u is up, but not an NSDB: %s",
__func__, hostname, port,
@@ -1008,8 +1012,18 @@ fedfsd_svc_set_nsdb_params_1(SVCXPRT *xprt)
break;
case FEDFS_ERR_NSDB_PARAMS:
result = fedfsd_test_nsdb(hostname, port);
- if (result != FEDFS_OK)
+ switch (result) {
+ case FEDFS_OK:
+ break;
+ case FEDFS_ERR_NSDB_AUTH:
+ if (args.params.secType == FEDFS_SEC_NONE)
+ goto out;
+ result = FEDFS_OK;
+ break;
+ default:
goto out;
+ }
+
result = nsdb_create_nsdb(hostname, port);
if (result != FEDFS_OK) {
xlog(L_ERROR, "Failed to create entry for %s:%u in "
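Review bot: The new FEDFS_ERR_NSDB_AUTH arm only rejects `FEDFS_SEC_NONE`, so any other secType value is accepted as satisfying the NSDB's TLS requirement; the commit message says the intent is that the parameters "configure FEDFS_SEC_TLS", which is expressed more tightly as `if (args.params.secType != FEDFS_SEC_TLS) goto out;` — worth doing if FedFsConnectionSec has, or may later gain, members other than NONE and TLS. The rejection path leaves result as FEDFS_ERR_NSDB_AUTH for the client but emits nothing at L_ERROR here (fedfsd_test_nsdb only logged at D_GENERAL), so an operator may not see why the request was refused; a one-line `xlog(L_ERROR, "%s: NSDB %s:%u requires TLS", __func__, hostname, port);` before the `goto out` would help. `args` is declared outside the hunk and fedfsd_svc_set_nsdb_params_1 continues past it.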
@@ -1749,17 +1749,27 @@ out:
static FedFsStatus
nsdb_ping_contexts_s(nsdb_t host, char **contexts, unsigned int *ldap_err)
{
+ unsigned int ldap_result;
FedFsStatus retval;
char *dn;
int i;
+ retval = FEDFS_ERR_NSDB_RESPONSE;
for (i = 0; contexts[i] != NULL; i++) {
- retval = nsdb_get_ncedn_s(host, contexts[i], &dn, ldap_err);
- if (retval == FEDFS_OK) {
+ retval = nsdb_get_ncedn_s(host, contexts[i], &dn, &ldap_result);
+ switch (retval) {
+ case FEDFS_OK:
free(dn);
break;
- } else
+ case FEDFS_ERR_NSDB_LDAP_VAL:
+ if (ldap_result == LDAP_CONFIDENTIALITY_REQUIRED)
+ retval = FEDFS_ERR_NSDB_AUTH;
+ else
+ *ldap_err = ldap_result;
+ break;
+ default:
retval = FEDFS_ERR_NSDB_NONCE;
+ }
}
return retval;
}
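Review bot: Turning the `if` into a `switch` changes what the `break;` after `free(dn);` does: it now leaves only the switch, not the `for` loop, so after an NCE is found the loop keeps going and a later context can overwrite retval with FEDFS_ERR_NSDB_NONCE or FEDFS_ERR_NSDB_LDAP_VAL; the same applies to FEDFS_ERR_NSDB_AUTH, which a later context's result may clobber before the caller sees it. Restore the early exit after the closing brace of the switch, e.g. `if (retval == FEDFS_OK || retval == FEDFS_ERR_NSDB_AUTH) break;`, so the first definitive answer is the one returned. `ldap_result` is declared uninitialized and read in the FEDFS_ERR_NSDB_LDAP_VAL arm; if nsdb_get_ncedn_s does not set it on every such return (I cannot see its body here), the comparison reads an indeterminate value, so initializing it at declaration is cheap insurance. Note also that in the LDAP_VAL arm retval is no longer folded into FEDFS_ERR_NSDB_NONCE as before, which is a deliberate-looking but undocumented change in what callers see.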
@@ -118,6 +118,11 @@ nsdbparams_test_nsdb(const char *nsdbname, unsigned short nsdbport)
nsdbname, nsdbport, nsdb_display_fedfsstatus(retval));
retval = FEDFS_OK;
break;
+ case FEDFS_ERR_NSDB_AUTH:
+ xlog(L_WARNING, "Warning: TLS is required for NSDB %s:%u",
+ nsdbname, nsdbport);
+ retval = FEDFS_OK;
+ break;
case FEDFS_ERR_NSDB_LDAP_VAL:
xlog(L_WARNING, "Failed to ping NSDB %s:%u: %s",
nsdbname, nsdbport, ldap_err2string(ldap_err));
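Review bot: The new FEDFS_ERR_NSDB_AUTH arm downgrades the result to FEDFS_OK after a warning, so nsdbparams_test_nsdb no longer tells its caller that the NSDB demands TLS; unless the caller (outside this hunk) checks the requested security type separately, an entry with FEDFS_SEC_NONE will be stored for an NSDB that requires TLS, which is weaker than the fedfsd handling in the same commit, where such a request is refused. If the caller is meant to enforce it, keep the status distinct, e.g. leave `retval = FEDFS_ERR_NSDB_AUTH;` and let the caller compare it with the chosen secType; if the warning is intentionally advisory, a short comment saying so would stop the next reader from "fixing" it.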
If an NSDB requires TLS (as recommended by the NSDB protocol draft) nsdb_ping_s() will return FEDFS_ERR_NSDB_LDAP_VAL. When performing an NSDB ping, an NSDB client doesn't yet have NSDB connection parameters, so it can't actually connect to the NSDB and see if it has an NCE. But nsdb_ping_s() can report in this case that TLS is required. The two cases where nsdb_ping_s() is invoked are when fedfsd or nsdbparams is trying to determine if a new NSDB entry is allowed. If the ping tells us we need TLS security, fedfsd and nsdbparams can ensure that the new connection parameters do configure FEDFS_SEC_TLS. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- src/fedfsd/svc.c | 16 +++++++++++++++- src/libnsdb/fileserver.c | 16 +++++++++++++--- src/nsdbparams/update.c | 5 +++++ 3 files changed, 33 insertions(+), 4 deletions(-)