basic_ldap_auth: Return BH on internal errors; polished messages (#347)

Basic LDAP auth helper now returns BH instead of ERR in case of errors other than LDAP_SECURITY_ERROR, per helper guidelines. Motivation: I have a wrapper around Basic LDAP auth helper. If an LDAP server is down, then the helper returns BH, and the wrapper uses a fallback authentication source. Also converted printf() to SEND_*() macros and reduced message verbosity.
squid-cache · Feb 8, 2019 · 2498f93 · 2498f93
1 parent 568e66b
commit 2498f93
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/src/auth/basic/LDAP/basic_ldap_auth.cc b/src/auth/basic/LDAP/basic_ldap_auth.cc
@@ -38,6 +38,8 @@
  * or (at your option) any later version.
  *
  * Changes:
+ * 2019-01-02: Amish
+ *             - Use SEND_*() macro and support for BH error
  * 2005-01-07: Henrik Nordstrom <hno@squid-cache.org>
  *             - Added some sanity checks on login names to avoid
  *               users bypassing equality checks by exploring the
@@ -91,6 +93,7 @@
  */
 
 #include "squid.h"
+#include "helper/protocol_defines.h"
 
 #define LDAP_DEPRECATED 1
 
@@ -578,33 +581,37 @@ main(int argc, char **argv)
         passwd = strtok(NULL, "\r\n");
 
         if (!user) {
-            printf("ERR Missing username\n");
+            SEND_ERR(HLP_MSG("Missing username"));
             continue;
         }
         if (!passwd || !passwd[0]) {
-            printf("ERR Missing password '%s'\n", user);
+            SEND_ERR(HLP_MSG("Missing password"));
             continue;
         }
         rfc1738_unescape(user);
         rfc1738_unescape(passwd);
         if (!validUsername(user)) {
-            printf("ERR No such user '%s':'%s'\n",user, passwd);
+            SEND_ERR(HLP_MSG("Invalid username"));
             continue;
         }
         tryagain = (ld != NULL);
 recover:
         if (ld == NULL && persistent)
             ld = open_ldap_connection(ldapServer, port);
         if (checkLDAP(ld, user, passwd, ldapServer, port) != 0) {
-            if (tryagain && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) {
+            const auto e = squid_ldap_errno(ld);
+            if (tryagain && e != LDAP_INVALID_CREDENTIALS) {
                 tryagain = 0;
                 ldap_unbind(ld);
                 ld = NULL;
                 goto recover;
             }
-            printf("ERR %s\n", ldap_err2string(squid_ldap_errno(ld)));
+            if (LDAP_SECURITY_ERROR(e))
+                SEND_ERR(ldap_err2string(e));
+            else
+                SEND_BH(ldap_err2string(e));
         } else {
-            printf("OK\n");
+            SEND_OK("");
         }
         if (ld && (squid_ldap_errno(ld) != LDAP_SUCCESS && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS)) {
             ldap_unbind(ld);