
Bug 646381 - Faulty password for nsmultiplexorcredentials does not give any error message in logs

https://bugzilla.redhat.com/show_bug.cgi?id=646381

Description: The chaining db plugin was deliberately terse, so as not to
reveal the config error to end users and to keep the errors log from
overflowing with every single error possibly caused by end users.
This patch returns this generic error text to end users:
  ldap_add: Operations error (1)
  additional info: database configuration error - \
  please contact the system administrator
And more detailed messages are logged in the errors log.  E.g.,
  chaining database - Internal credentials decoding error;
  password storage schemes do not match or encrypted password
  is corrupted.
  chaining database - cb_get_connection failed (49) Invalid credentials
Note: the messages are logged just once in the errors log.
Noriko Hosoi 15 年之前
當前提交
7ece306092

+ 2 - 0
ldap/servers/plugins/chainingdb/cb.h

@@ -503,4 +503,6 @@ char* get_localhost_DNS();
 /* this function is called when state of a backend changes */
 void cb_be_state_change (void *handle, char *be_name, int old_be_state, int new_be_state);
 
+#define ENDUSERMSG "database configuration error - please contact the system administrator"
+
 #endif
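Review bot: `ENDUSERMSG` is added to cb.h without the `CB_` prefix that the plugin's other identifiers on this page carry (`CB_PLUGIN_SUBSYSTEM`, `CB_LDAP_CONN_ERROR`), and without a comment. A name such as `CB_ENDUSERMSG` avoids a clash with a macro from another header. A one-line comment should record why the text is generic, for example `/* generic text returned to LDAP clients; details go to the errors log only */`.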

+ 52 - 24
ldap/servers/plugins/chainingdb/cb_add.c

@@ -110,16 +110,24 @@ chaining_back_add ( Slapi_PBlock *pb )
 	}
 
 	/* Grab a connection handle */
-	if ((rc = cb_get_connection(cb->pool,&ld,&cnx,NULL,&cnxerrbuf)) != LDAP_SUCCESS) {
-                cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR,NULL,cnxerrbuf, 0, NULL);
-		ldap_mods_free(mods,1);
-		if (cnxerrbuf) {
-		  PR_smprintf_free(cnxerrbuf);
+	rc = cb_get_connection(cb->pool, &ld, &cnx, NULL, &cnxerrbuf);
+	if (LDAP_SUCCESS != rc) {
+		static int warned_get_conn = 0;
+		if (!warned_get_conn) {
+			slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			                "cb_get_connection failed (%d) %s\n",
+			                rc, ldap_err2string(rc));
+			warned_get_conn = 1;
 		}
-                /* ping the farm. If the farm is unreachable, we increment the counter */
-                cb_ping_farm(cb,NULL,0);
+		cb_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, 
+		                    cnxerrbuf, 0, NULL);
+		ldap_mods_free(mods, 1);
+		slapi_ch_free_string(&cnxerrbuf);
+		/* ping the farm.
+		 * If the farm is unreachable, we increment the counter */
+		cb_ping_farm(cb, NULL, 0);
 
-                return -1;
+		return -1;
 	}
 	
 	/* Control management */
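Review bot: `warned_get_conn` is set on the first failure and never cleared, so every later connection failure is silent in the errors log until the server restarts, including one with a different cause or one that happens after the log has been rotated. That removes the only server-side evidence of a repeated outage or credential problem. Clearing the flag after a successful `cb_get_connection` call, or replacing it with a time-based limit that logs again once a fixed interval has passed, keeps the volume bounded without losing later events. The flag is also a plain `static int` with no lock visible in the hunk, which matters if this operation runs on several threads. The same pattern is repeated in the other `warned_*` flags in cb_bind.c, cb_compare.c, cb_conn_stateless.c, cb_delete.c, cb_modify.c, cb_modrdn.c and cb_search.c; chaining_back_add continues outside the hunk.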
@@ -149,12 +157,14 @@ chaining_back_add ( Slapi_PBlock *pb )
 		ldap_controls_free(ctrls);
 
 	if ( rc != LDAP_SUCCESS ) {
+		slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+		                 "ldap_add_ext failed -- %s\n", ldap_err2string(rc) );
 
-                cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
-                        ldap_err2string(rc), 0, NULL);
+		cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
+		                     ENDUSERMSG, 0, NULL );
 		cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(rc));
 		ldap_mods_free(mods,1);
-                return -1;
+		return -1;
 	}
 
 	/* 
@@ -208,35 +218,53 @@ chaining_back_add ( Slapi_PBlock *pb )
 			parse_rc = ldap_parse_result( ld, res, &rc, &matched_msg, 
          			&error_msg, &referrals, &serverctrls, 1 );
 
-      			if ( parse_rc != LDAP_SUCCESS ) {
-                		cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
-                        		ldap_err2string(parse_rc), 0, NULL);
+			if ( parse_rc != LDAP_SUCCESS ) {
+				static int warned_parse_rc = 0;
+				if (!warned_parse_rc) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+					                ldap_err2string(parse_rc));
+					warned_parse_rc = 1;
+				}
+				cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
+				                     ENDUSERMSG, 0, NULL );
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(parse_rc));
 				ldap_mods_free(mods,1);
-			       	slapi_ch_free((void **)&matched_msg);
+				slapi_ch_free((void **)&matched_msg);
 				slapi_ch_free((void **)&error_msg);
 				if (serverctrls)
-	                                ldap_controls_free(serverctrls);
+					ldap_controls_free(serverctrls);
 				/* jarnou: free referrals */
-                                if (referrals)
-                                        charray_free(referrals);
-                		return -1;
+				if (referrals)
+					charray_free(referrals);
+				return -1;
 			}
 
-      			if ( rc != LDAP_SUCCESS ) {
+			if ( rc != LDAP_SUCCESS ) {
 				struct berval ** refs =  referrals2berval(referrals); 
-                        	cb_send_ldap_result( pb, rc, matched_msg, error_msg, 0, refs);
+				static int warned_rc = 0;
+				if (!warned_rc && error_msg) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+						            error_msg );
+					warned_rc = 1;
+				}
+				cb_send_ldap_result( pb, rc, matched_msg, ENDUSERMSG, 0, refs);
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(rc));
 				ldap_mods_free(mods,1);
 				slapi_ch_free((void **)&matched_msg);
-			       	slapi_ch_free((void **)&error_msg);
+				slapi_ch_free((void **)&error_msg);
 				if (refs) 
 					ber_bvecfree(refs);
 				if (referrals) 
 					charray_free(referrals);
 				if (serverctrls)
-	                                ldap_controls_free(serverctrls);
-                		return -1;
+					ldap_controls_free(serverctrls);
+				return -1;
 			}
 
 			ldap_mods_free(mods,1 );
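Review bot: In the `rc != LDAP_SUCCESS` branch the remote server's `error_msg` is replaced by `ENDUSERMSG` for every non-success result code, not only for configuration faults. A client whose add is rejected for an ordinary reason (for example the entry already exists, or a constraint is violated) would be told "database configuration error - please contact the system administrator" next to the real result code, and because of `warned_rc` the original text reaches the errors log only once. Consider keeping `error_msg` in the result for codes that describe a problem with the request, and substituting `ENDUSERMSG` only for the codes that can expose farm-server configuration. The same substitution is made in cb_delete.c, cb_modify.c, cb_modrdn.c and in both result branches of cb_search.c.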

+ 39 - 23
ldap/servers/plugins/chainingdb/cb_bind.c

@@ -94,8 +94,8 @@ static int
 cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
         struct berval *creds, LDAPControl **reqctrls,
         char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
-        LDAPControl ***resctrlsp , int * status) {
-
+        LDAPControl ***resctrlsp , int * status )
+{
     int                 rc, msgid;
     char                **referrals;
     struct timeval      timeout_copy, *timeout;
@@ -112,10 +112,18 @@ cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
     timeout_copy.tv_usec = pool->conn.bind_timeout.tv_usec;
     PR_RWLock_Unlock(pool->rwl_config_lock);
 
-    if (( rc = cb_get_connection( pool, &ld ,&cnx, NULL, &cnxerrbuf)) != LDAP_SUCCESS ) {
-	*errmsgp=cnxerrbuf;
-        goto release_and_return;
-    }
+	rc = cb_get_connection(pool, &ld, &cnx, NULL, &cnxerrbuf);
+	if (LDAP_SUCCESS != rc) {
+		static int warned_get_conn = 0;
+		if (!warned_get_conn) {
+			slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			                "cb_get_connection failed (%d) %s\n",
+			                rc, ldap_err2string(rc));
+			warned_get_conn = 1;
+		}
+		*errmsgp = cnxerrbuf;
+		goto release_and_return;
+	}
        
     /* Send the bind operation (need to retry on LDAP_SERVER_DOWN) */
     
@@ -171,8 +179,15 @@ cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
 		*errmsgp=slapi_ch_strdup(errmsgp2);
 	
 	if ( LDAP_SUCCESS != rc )  {
-        	slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
-			"cb_sasl_bind_once_s failed (%s)\n",ldap_err2string(rc));
+		static int warned_bind_once = 0;
+		if (!warned_bind_once) {
+			slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			                "cb_sasl_bind_once_s failed (%s%s%s)\n",
+			                matcheddnp?matcheddnp:"", 
+							(matcheddnp&&(*matcheddnp!='\0'))?": ":"",
+			                ldap_err2string(rc));
+			warned_bind_once = 1;
+		}
 	}
     } else {
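Review bot: `matcheddnp` is declared `char **` in the signature of cb_sasl_bind_once_s, but the new log call passes it directly to `%s` and compares `*matcheddnp` (a `char *`) with `'\0'`. The format therefore reads a pointer-to-pointer as a string, which can write arbitrary memory contents into the errors log or fault. Dereference once more in both arguments: `(matcheddnp && *matcheddnp) ? *matcheddnp : ""` and `(matcheddnp && *matcheddnp && **matcheddnp != '\0') ? ": " : ""`. The function body starts and ends outside this hunk.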
 
@@ -274,29 +289,30 @@ chainingdb_bind( Slapi_PBlock *pb ) {
 	bind_retry=cb->bind_retry;
         PR_RWLock_Unlock(cb->rwl_config_lock);
 
-	if ( LDAP_SUCCESS == (rc = cb_sasl_bind_s(pb, cb->bind_pool, bind_retry, dn,method,mechanism,
-		creds,reqctrls,&matcheddn,&errmsg,&urls,&resctrls, &status))) {
-        	rc = status;
-            	allocated_errmsg = 1;
-	} else
-	if ( LDAP_USER_CANCELLED != rc ) {
-   		errmsg = ldap_err2string( rc );
+	rc = cb_sasl_bind_s(pb, cb->bind_pool, bind_retry, dn, method, 
+	                    mechanism, creds, reqctrls, &matcheddn, &errmsg, 
+	                    &urls, &resctrls, &status);
+	if ( LDAP_SUCCESS == rc ) {
+		rc = status;
+		allocated_errmsg = 1;
+	} else if ( LDAP_USER_CANCELLED != rc ) {
+		errmsg = ldap_err2string( rc );
 		if (rc == LDAP_TIMEOUT) {
-		  cb_ping_farm(cb,NULL,0);
+			cb_ping_farm(cb,NULL,0);
 		}
-            	rc = LDAP_OPERATIONS_ERROR;
+		rc = LDAP_OPERATIONS_ERROR;
 	}
 
- 	if ( rc != LDAP_USER_CANCELLED ) {  /* not abandoned */
-        	if ( resctrls != NULL ) {
-            		slapi_pblock_set( pb, SLAPI_RESCONTROLS, resctrls );
+	if ( rc != LDAP_USER_CANCELLED ) {  /* not abandoned */
+		if ( resctrls != NULL ) {
+			slapi_pblock_set( pb, SLAPI_RESCONTROLS, resctrls );
 			freectrls=0;
-        	}
+		}
 
 		if ( rc != LDAP_SUCCESS ) {
-        		cb_send_ldap_result( pb, rc, matcheddn, errmsg, 0, urls );
+			cb_send_ldap_result( pb, rc, matcheddn, errmsg, 0, urls );
 		}
-    	}
+	}
 
     	if ( urls != NULL ) {
         	cb_free_bervals( urls );
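Review bot: On the failure path `errmsg = ldap_err2string( rc );` still overwrites whatever the callee stored in `errmsg`, so a bind through the chaining backend returns the specific LDAP error text to the client rather than the generic `ENDUSERMSG` that the other operations in this commit now send. cb_sasl_bind_once_s stores the heap buffer from cb_get_connection in `*errmsgp`; if cb_sasl_bind_s (not visible here) passes that through, the overwrite also drops the buffer without freeing it. Assuming `errmsg` is initialised to NULL before the call, the assignment could become `slapi_ch_free_string(&errmsg); errmsg = ENDUSERMSG;`, with the specific text logged instead. chainingdb_bind continues outside the hunk.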

+ 35 - 20
ldap/servers/plugins/chainingdb/cb_compare.c

@@ -111,15 +111,22 @@ chaining_back_compare ( Slapi_PBlock *pb )
 	/*
 	 * Grab a connection handle
 	 */
-
-	if ((rc = cb_get_connection(cb->pool,&ld,&cnx,NULL,&cnxerrbuf)) != LDAP_SUCCESS) {
-                cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, cnxerrbuf, 0, NULL);
-				if (cnxerrbuf) {
-					PR_smprintf_free(cnxerrbuf);
-				}
-                /* ping the farm. If the farm is unreachable, we increment the counter */
-                cb_ping_farm(cb,NULL,0);
-                return 1;
+	rc = cb_get_connection(cb->pool, &ld, &cnx, NULL, &cnxerrbuf);
+	if (LDAP_SUCCESS != rc) {
+		static int warned_get_conn = 0;
+		if (!warned_get_conn) {
+			slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			                "cb_get_connection failed (%d) %s\n",
+			                rc, ldap_err2string(rc));
+			warned_get_conn = 1;
+		}
+		cb_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, 
+		                    cnxerrbuf, 0, NULL);
+		slapi_ch_free_string(&cnxerrbuf);
+		/* ping the farm. 
+		 * If the farm is unreachable, we increment the counter */
+		cb_ping_farm(cb, NULL, 0);
+		return 1;
 	}
 
  	/*
@@ -195,20 +202,28 @@ chaining_back_compare ( Slapi_PBlock *pb )
 		default:
 			matched_msg=error_msg=NULL;
 			parse_rc = ldap_parse_result( ld, res, &rc, &matched_msg, 
-         			&error_msg, &referrals, &serverctrls, 1 );
-      			if ( parse_rc != LDAP_SUCCESS ) {
-
-                		cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
-                        		ldap_err2string(parse_rc), 0, NULL);
+			                          &error_msg, &referrals, &serverctrls, 1 );
+			if ( parse_rc != LDAP_SUCCESS ) {
+				static int warned_parse_rc = 0;
+				if (!warned_parse_rc) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+					                ldap_err2string(parse_rc));
+					warned_parse_rc = 1;
+				}
+				cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
+				                     ENDUSERMSG, 0, NULL );
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(parse_rc));
-		       		slapi_ch_free((void **)&matched_msg);
-		       		slapi_ch_free((void **)&error_msg);
+				slapi_ch_free((void **)&matched_msg);
+				slapi_ch_free((void **)&error_msg);
 				if (serverctrls)
-	                                ldap_controls_free(serverctrls);
+					ldap_controls_free(serverctrls);
 				/* jarnou: free referrals */
-                                if (referrals)
-                                        charray_free(referrals);
-                		return 1;
+				if (referrals)
+					charray_free(referrals);
+				return 1;
 			}
 
 			switch ( rc ) {

+ 49 - 22
ldap/servers/plugins/chainingdb/cb_conn_stateless.c

@@ -151,8 +151,13 @@ void cb_close_conn_pool(cb_conn_pool * pool) {
  * NOTE : if maxtime NULL, use operation timeout
  */
 
-int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,struct timeval * maxtime, char **errmsg) {
-
+int
+cb_get_connection(cb_conn_pool * pool,
+                  LDAP ** lld,
+                  cb_outgoing_conn ** cc,
+                  struct timeval * maxtime,
+                  char **errmsg)
+{
 	int 				rc=LDAP_SUCCESS;          /* optimistic */
 	cb_outgoing_conn	*conn=NULL;
 	cb_outgoing_conn	*connprev=NULL;
@@ -213,13 +218,17 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s
 
 	/* For stupid admins */
 	if (maxconnections <=0) {
-                slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
-                	"<== cb_get_connection error (no connection available)\n");
+		static int warned_maxconn = 0;
+		if (!warned_maxconn) {
+			slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			    "<== cb_get_connection error (no connection available)\n");
+			warned_maxconn = 1;
+		}
 		if ( errmsg ) {
-			*errmsg = PR_smprintf(error1, "no connection available");
+			*errmsg = slapi_ch_smprintf("%s", ENDUSERMSG);
 		}
 		return LDAP_CONNECT_ERROR;
-        }
+	}
 
 	if (maxtime) {
 		if (maxtime->tv_sec != 0) {
@@ -324,13 +333,17 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s
              		 */
 
 			/* No need to lock. url can't be changed dynamically */
-			if ((ld=slapi_ldap_init(hostname,port,secure,isMultiThread))== NULL) { 
-				if (cb_debug_on()) {
-                        		slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
-                               		"Can't contact server <%s> port <%d>.\n", hostname, port);
+			ld = slapi_ldap_init(hostname, port, secure, isMultiThread);
+			if (NULL == ld) {
+				static int warned_init = 0;
+				if (!warned_init) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+					                 "Can't contact server <%s> port <%d>.\n",
+					                 hostname, port );
+					warned_init = 1;
 				}
 				if ( errmsg ) {
-					*errmsg = PR_smprintf(error1,"unknown reason");
+					*errmsg = slapi_ch_smprintf("%s", ENDUSERMSG);
 				}
 				rc = LDAP_CONNECT_ERROR;
 				goto unlock_and_return;
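Review bot: `warned_init` is a function-level static, so it is shared by every connection pool that calls cb_get_connection, while the message it guards names one `hostname` and `port`. If more than one chaining backend is configured, an unreachable second farm server is never named in the errors log once the first has been reported. Keeping the flag as a field of `cb_conn_pool` would give one message per backend. The same applies to `warned_maxconn`, `warned_pw`, `warned_bind_timeout` and `warned_bind_err` in the other hunks of this file; cb_get_connection continues outside the hunk.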
@@ -363,11 +376,18 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s
 				/* Pb occured in decryption: stop now, binding will fail */
 				if ( ret == -1 )
 				{
-					if (cb_debug_on()) {
-                               			slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
-                                       		"Internal credentials decoding error\n.");
+					static int warned_pw = 0;
+					if (!warned_pw) {
+						slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+							"Internal credentials decoding error; "
+							"password storage schemes do not match or "
+							"encrypted password is corrupted.\n");
+						warned_pw = 1;
+					}
+					if ( errmsg ) {
+						*errmsg = slapi_ch_smprintf("%s", ENDUSERMSG);
 					}
-					rc = LDAP_LOCAL_ERROR;
+					rc = LDAP_INVALID_CREDENTIALS;
 					goto unlock_and_return;
 				}
 
@@ -378,26 +398,33 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s
 				if ( ret == 0 ) slapi_ch_free_string(&plain); /* free plain only if it has been duplicated */
 
 				if ( rc == LDAP_TIMEOUT ) {
-					if (cb_debug_on()) {
-                                	slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
-                                        	"Can't bind to server <%s> port <%d>. (%s)\n",
-                                        	hostname, port, "time-out expired");
+					static int warned_bind_timeout = 0;
+					if (!warned_bind_timeout) {
+						slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+							"Can't bind to server <%s> port <%d>. (%s)\n",
+							hostname, port, "time-out expired");
+						warned_bind_timeout = 1;
+					}
+					if ( errmsg ) {
+						*errmsg = slapi_ch_smprintf("%s", ENDUSERMSG);
 					}
 					rc = LDAP_CONNECT_ERROR;
 					goto unlock_and_return;
 				} else if ( rc != LDAP_SUCCESS ) {
 					prerr=PR_GetError();
-					if (cb_debug_on()) {
-						slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
+					static int warned_bind_err = 0;
+					if (!warned_bind_err) {
+						slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
 								"Can't bind to server <%s> port <%d>. "
 								"(LDAP error %d - %s; "
 								SLAPI_COMPONENT_NAME_NSPR " error %d - %s)\n",
 								hostname, port, rc,
 								ldap_err2string(rc),
 								prerr, slapd_pr_strerror(prerr));
+						warned_bind_err = 1;
 					}
 					if ( errmsg ) {
-						*errmsg = PR_smprintf(error2, ldap_err2string(rc));
+						*errmsg = slapi_ch_smprintf("%s", ENDUSERMSG);
 					}
 					rc = LDAP_CONNECT_ERROR;
 					goto unlock_and_return;
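Review bot: `static int warned_bind_err = 0;` is declared after the statement `prerr=PR_GetError();`, mixing a declaration into code, whereas every other flag in this commit is declared at the top of its block. A compiler restricted to C89 rejects this. Move the declaration to the first line of the `else if` block, so it reads `static int warned_bind_err = 0;` followed by `prerr=PR_GetError();`.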

+ 52 - 28
ldap/servers/plugins/chainingdb/cb_delete.c

@@ -105,15 +105,22 @@ chaining_back_delete ( Slapi_PBlock *pb )
 	/*
 	 * Grab a connection handle
 	 */
-
-	if ((rc = cb_get_connection(cb->pool,&ld,&cnx,NULL,&cnxerrbuf)) != LDAP_SUCCESS) {
-                cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, cnxerrbuf, 0, NULL);
-				if (cnxerrbuf) {
-					PR_smprintf_free(cnxerrbuf);
-				}
-                /* ping the farm. If the farm is unreachable, we increment the counter */
-                cb_ping_farm(cb,NULL,0);
-                return -1;
+	rc = cb_get_connection(cb->pool, &ld, &cnx, NULL, &cnxerrbuf);
+	if (LDAP_SUCCESS != rc) {
+		static int warned_get_conn = 0;
+		if (!warned_get_conn) {
+			slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			                "cb_get_connection failed (%d) %s\n",
+			                rc, ldap_err2string(rc));
+			warned_get_conn = 1;
+		}
+		cb_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL,
+		                    cnxerrbuf, 0, NULL);
+		slapi_ch_free_string(&cnxerrbuf);
+		/* ping the farm.
+		 * If the farm is unreachable, we increment the counter */
+		cb_ping_farm(cb, NULL, 0);
+		return -1;
 	}
 
 	/*
@@ -188,35 +195,52 @@ chaining_back_delete ( Slapi_PBlock *pb )
 		default:
 			matched_msg=error_msg=NULL;
 			parse_rc = ldap_parse_result( ld, res, &rc, &matched_msg, 
-         			&error_msg, &referrals, &serverctrls, 1 );
-      			if ( parse_rc != LDAP_SUCCESS ) {
-                		cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
-                        		ldap_err2string(parse_rc), 0, NULL);
+			                          &error_msg, &referrals, &serverctrls, 1 );
+			if ( parse_rc != LDAP_SUCCESS ) {
+				static int warned_parse_rc = 0;
+				if (!warned_parse_rc) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+					                ldap_err2string(parse_rc) );
+					warned_parse_rc = 1;
+				}
+				cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
+				                     ENDUSERMSG, 0, NULL );
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(parse_rc));
-			       	slapi_ch_free((void **)&matched_msg);
-			       	slapi_ch_free((void **)&error_msg);
-                        	if (serverctrls)
-                                	ldap_controls_free(serverctrls);
+				slapi_ch_free((void **)&matched_msg);
+				slapi_ch_free((void **)&error_msg);
+				if (serverctrls)
+					ldap_controls_free(serverctrls);
 				/* jarnou: free referrals */
-                                if (referrals)
-                                        charray_free(referrals);
-                		return -1;
+				if (referrals)
+					charray_free(referrals);
+				return -1;
 			}
 
-      			if ( rc != LDAP_SUCCESS ) {
+			if ( rc != LDAP_SUCCESS ) {
 				struct berval ** refs =  referrals2berval(referrals); 
-
-                        	cb_send_ldap_result( pb, rc, matched_msg, error_msg, 0, refs);
+				static int warned_rc = 0;
+				if (!warned_rc && error_msg) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+						            error_msg );
+					warned_rc = 1;
+				}
+				cb_send_ldap_result( pb, rc, matched_msg, ENDUSERMSG, 0, refs);
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(rc));
-			       	slapi_ch_free((void **)&matched_msg);
-			       	slapi_ch_free((void **)&error_msg);
+				slapi_ch_free((void **)&matched_msg);
+				slapi_ch_free((void **)&error_msg);
 				if (refs) 
 					ber_bvecfree(refs);
 				if (referrals) 
 					charray_free(referrals);
-                        	if (serverctrls)
-                                	ldap_controls_free(serverctrls);
-                		return -1;
+				if (serverctrls)
+					ldap_controls_free(serverctrls);
+				return -1;
 			}
 
 			cb_release_op_connection(cb->pool,ld,0);

+ 50 - 24
ldap/servers/plugins/chainingdb/cb_modify.c

@@ -114,14 +114,22 @@ chaining_back_modify ( Slapi_PBlock *pb )
 
 
 	/* Grab a connection handle */
-	if ((rc = cb_get_connection(cb->pool,&ld,&cnx,NULL,&cnxerrbuf)) != LDAP_SUCCESS) {
-                cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, cnxerrbuf, 0, NULL);
-				if (cnxerrbuf) {
-					PR_smprintf_free(cnxerrbuf);
-				}
-                /* ping the farm. If the farm is unreachable, we increment the counter */
-                cb_ping_farm(cb,NULL,0);
-                return -1;
+	rc = cb_get_connection(cb->pool, &ld, &cnx, NULL, &cnxerrbuf);
+	if (LDAP_SUCCESS != rc) {
+		static int warned_get_conn = 0;
+		if (!warned_get_conn) {
+			slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			                "cb_get_connection failed (%d) %s\n",
+			                rc, ldap_err2string(rc));
+			warned_get_conn = 1;
+		}
+		cb_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL,
+		                    cnxerrbuf, 0, NULL);
+		slapi_ch_free_string(&cnxerrbuf);
+		/* ping the farm.
+		 * If the farm is unreachable, we increment the counter */
+		cb_ping_farm(cb, NULL, 0);
+		return -1;
 	}
 
 	/* Control management */
@@ -197,34 +205,52 @@ chaining_back_modify ( Slapi_PBlock *pb )
 			matched_msg=error_msg=NULL;
 			serverctrls=NULL;
 			parse_rc = ldap_parse_result( ld, res, &rc, &matched_msg, 
-         			&error_msg, &referrals, &serverctrls, 1 );
-      			if ( parse_rc != LDAP_SUCCESS ) {
-                		cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
-                        		ldap_err2string(parse_rc), 0, NULL);
+			                          &error_msg, &referrals, &serverctrls, 1 );
+			if ( parse_rc != LDAP_SUCCESS ) {
+				static int warned_parse_rc = 0;
+				if (!warned_parse_rc) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+					                ldap_err2string(parse_rc));
+					warned_parse_rc = 1;
+				}
+				cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
+				                     ENDUSERMSG, 0, NULL );
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(parse_rc));
-			       	slapi_ch_free((void **)&matched_msg);
-			       	slapi_ch_free((void **)&error_msg);
+				slapi_ch_free((void **)&matched_msg);
+				slapi_ch_free((void **)&error_msg);
 				if (serverctrls)
-	                                ldap_controls_free(serverctrls);
+					ldap_controls_free(serverctrls);
 				/* jarnou: free referrals */
-                                if (referrals)
-                                        charray_free(referrals);
-                		return -1;
+				if (referrals)
+					charray_free(referrals);
+				return -1;
 			}
 
-      			if ( rc != LDAP_SUCCESS ) {
+			if ( rc != LDAP_SUCCESS ) {
 				struct berval ** refs =  referrals2berval(referrals); 
-                        	cb_send_ldap_result( pb, rc, matched_msg, error_msg, 0, refs);
+				static int warned_rc = 0;
+				if (!warned_rc && error_msg) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+						            error_msg );
+					warned_rc = 1;
+				}
+				cb_send_ldap_result( pb, rc, matched_msg, ENDUSERMSG, 0, refs);
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(rc));
-			       	slapi_ch_free((void **)&matched_msg);
-			       	slapi_ch_free((void **)&error_msg);
+				slapi_ch_free((void **)&matched_msg);
+				slapi_ch_free((void **)&error_msg);
 				if (refs) 
 					ber_bvecfree(refs);
 				if (referrals) 
 					charray_free(referrals);
 				if (serverctrls)
-	                                ldap_controls_free(serverctrls);
-                		return -1;
+				ldap_controls_free(serverctrls);
+				return -1;
 			}
 
 			cb_release_op_connection(cb->pool,ld,0);
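Review bot: In the `rc != LDAP_SUCCESS` branch the re-indented `ldap_controls_free(serverctrls);` sits at the same depth as the `if (serverctrls)` that guards it, so it reads as unconditional. Indent it one level, as the parse_rc branch above does, or brace it: `if (serverctrls) { ldap_controls_free(serverctrls); }`.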

+ 53 - 29
ldap/servers/plugins/chainingdb/cb_modrdn.c

@@ -139,15 +139,22 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
 	/*
 	 * Grab a connection handle
 	 */
-
-	if ((rc = cb_get_connection(cb->pool,&ld,&cnx,NULL,&cnxerrbuf)) != LDAP_SUCCESS) {
-                cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, cnxerrbuf, 0, NULL);
-				if (cnxerrbuf) {
-					PR_smprintf_free(cnxerrbuf);
-				}
-                /* ping the farm. If the farm is unreachable, we increment the counter */
-                cb_ping_farm(cb,NULL,0);
-                return -1;
+	rc = cb_get_connection(cb->pool, &ld, &cnx, NULL, &cnxerrbuf);
+	if (LDAP_SUCCESS != rc) {
+		static int warned_get_conn = 0;
+		if (!warned_get_conn) {
+			slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			                "cb_get_connection failed (%d) %s\n",
+			                rc, ldap_err2string(rc));
+			warned_get_conn = 1;
+		}
+		cb_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL,
+		                    cnxerrbuf, 0, NULL);
+		slapi_ch_free_string(&cnxerrbuf);
+		/* ping the farm.
+		 * If the farm is unreachable, we increment the counter */
+		cb_ping_farm(cb, NULL, 0);
+		return -1;
 	}
 
 	/*
@@ -223,36 +230,53 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
 		default:
 			matched_msg=error_msg=NULL;
 			parse_rc = ldap_parse_result( ld, res, &rc, &matched_msg, 
-         			&error_msg, &referrals, &serverctrls, 1 );
-
-      			if ( parse_rc != LDAP_SUCCESS ) {
-                		cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
-                        		ldap_err2string(parse_rc), 0, NULL);
+			                          &error_msg, &referrals, &serverctrls, 1 );
+
+			if ( parse_rc != LDAP_SUCCESS ) {
+				static int warned_parse_rc = 0;
+				if (!warned_parse_rc) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+					                ldap_err2string(parse_rc));
+					warned_parse_rc = 1;
+				}
+				cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
+				                     ENDUSERMSG, 0, NULL );
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(parse_rc));
-			       	slapi_ch_free((void **)&matched_msg);
-			       	slapi_ch_free((void **)&error_msg);
-                        	if (serverctrls)
-                                	ldap_controls_free(serverctrls);
+				slapi_ch_free((void **)&matched_msg);
+				slapi_ch_free((void **)&error_msg);
+				if (serverctrls)
+					ldap_controls_free(serverctrls);
 				/* jarnou: free referrals */
-                                if (referrals)
-                                        charray_free(referrals);
-                		return -1;
+				if (referrals)
+					charray_free(referrals);
+				return -1;
 			}
 
-      			if ( rc != LDAP_SUCCESS ) {
+			if ( rc != LDAP_SUCCESS ) {
 				struct berval ** refs =  referrals2berval(referrals); 
-
-                        	cb_send_ldap_result( pb, rc, matched_msg, error_msg, 0, refs);
+				static int warned_rc = 0;
+				if (!warned_rc && error_msg) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+						            error_msg );
+					warned_rc = 1;
+				}
+				cb_send_ldap_result( pb, rc, matched_msg, ENDUSERMSG, 0, refs);
 				cb_release_op_connection(cb->pool,ld,CB_LDAP_CONN_ERROR(rc));
-			       	slapi_ch_free((void **)&matched_msg);
-			       	slapi_ch_free((void **)&error_msg);
+				slapi_ch_free((void **)&matched_msg);
+				slapi_ch_free((void **)&error_msg);
 				if (refs) 
 					ber_bvecfree(refs);
 				if (referrals) 
 					charray_free(referrals);
-                        	if (serverctrls)
-                                	ldap_controls_free(serverctrls);
-                		return -1;
+				if (serverctrls)
+					ldap_controls_free(serverctrls);
+				return -1;
 			}
 
 			cb_release_op_connection(cb->pool,ld,0);

+ 70 - 29
ldap/servers/plugins/chainingdb/cb_search.c

@@ -214,18 +214,25 @@ chainingdb_build_candidate_list ( Slapi_PBlock *pb )
 	}
 
 	/* Grab a connection handle */
-
-	if ( LDAP_SUCCESS != (rc = cb_get_connection(cb->pool,&ld,&cnx,&timeout,&cnxerrbuf))) {
-		if (rc == LDAP_TIMELIMIT_EXCEEDED)
-			cb_send_ldap_result( pb, rc, NULL,cnxerrbuf, 0, NULL);
-		else
-			cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,cnxerrbuf, 0, NULL);
-
-		if (cnxerrbuf) {
-			PR_smprintf_free(cnxerrbuf);
+	rc = cb_get_connection(cb->pool, &ld, &cnx, &timeout, &cnxerrbuf);
+	if (LDAP_SUCCESS != rc) {
+		static int warned_get_conn = 0;
+		if (!warned_get_conn) {
+			slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+			                "cb_get_connection failed (%d) %s\n",
+			                rc, ldap_err2string(rc));
+			warned_get_conn = 1;
+		}
+		if (rc == LDAP_TIMELIMIT_EXCEEDED) {
+			cb_send_ldap_result(pb, rc, NULL, cnxerrbuf, 0, NULL);
+		} else {
+			cb_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL,
+			                    cnxerrbuf, 0, NULL);
 		}
-                /* ping the farm. If the farm is unreachable, we increment the counter */
-                cb_ping_farm(cb,NULL,0);
+		slapi_ch_free_string(&cnxerrbuf);
+		/* ping the farm.
+		 * If the farm is unreachable, we increment the counter */
+		cb_ping_farm(cb, NULL, 0);
 		return 1;
 	}
 
@@ -358,17 +365,34 @@ chainingdb_build_candidate_list ( Slapi_PBlock *pb )
 				error_msg=NULL;
 				referrals=NULL;
 				serverctrls=NULL;
-                        	parse_rc=ldap_parse_result(ld,res,&rc,&matched_msg,
+				parse_rc=ldap_parse_result(ld,res,&rc,&matched_msg,
 					&error_msg,&referrals, &serverctrls, 0 );
-                        	if ( parse_rc != LDAP_SUCCESS ) {
-                                	cb_send_ldap_result(pb,parse_rc,
-						matched_msg,error_msg,0,NULL);
+				if ( parse_rc != LDAP_SUCCESS ) {
+					static int warned_parse_rc = 0;
+					if (!warned_parse_rc && error_msg) {
+						slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+						            error_msg );
+						warned_parse_rc = 1;
+					}
+					cb_send_ldap_result( pb, parse_rc, NULL,
+					                     ENDUSERMSG, 0, NULL );
 					rc=-1;
-                        	} else
-                        	if ( rc != LDAP_SUCCESS ) {
-                                	slapi_ldap_get_lderrno( ctx->ld, &matched_msg, &error_msg );
-                                	cb_send_ldap_result( pb, rc, matched_msg,
-                                        	error_msg,0,NULL);
+				} else if ( rc != LDAP_SUCCESS ) {
+					static int warned_rc = 0;
+					if (!warned_rc) {
+						slapi_ldap_get_lderrno( ctx->ld, 
+						                        &matched_msg, &error_msg );
+						slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+						            error_msg );
+						warned_rc = 1;
+					}
+					cb_send_ldap_result( pb, rc, NULL, ENDUSERMSG, 0, NULL);
 					/* BEWARE: matched_msg and error_msg points */
 					/* to ld fields.			    */
 					matched_msg=NULL;
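Review bot: The parse-failure branch logs only when `error_msg` is non-NULL and prints `error_msg` rather than `ldap_err2string(parse_rc)`, unlike the same branch in cb_add.c, cb_compare.c, cb_delete.c, cb_modify.c and cb_modrdn.c. `error_msg` is set to NULL just before the call, so if ldap_parse_result fails without filling it, the client gets `ENDUSERMSG` and nothing is written to the errors log. Drop `&& error_msg` from the condition and pass `ldap_err2string(parse_rc)` as the last argument. In the `rc != LDAP_SUCCESS` branch, here and in chainingdb_next_search_entry, `error_msg` goes to `%s` after slapi_ldap_get_lderrno with no NULL guard; use `error_msg?error_msg:""`. The enclosing function continues outside the hunk.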
@@ -689,25 +713,42 @@ chainingdb_next_search_entry ( Slapi_PBlock *pb )
 
 		case LDAP_RES_SEARCH_RESULT:
 
-         		/* Parse the final result received from the server. Note the last
-            		 * argument is a non-zero value, which indicates that the 
-            		 * LDAPMessage structure will be freed when done. 
+			/* Parse the final result received from the server. Note the last
+			 * argument is a non-zero value, which indicates that the 
+			 * LDAPMessage structure will be freed when done. 
 			 */
 
         		slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,NULL);
         		slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,NULL);
 
-         		parse_rc = ldap_parse_result( ctx->ld, res, 
+			parse_rc = ldap_parse_result( ctx->ld, res, 
 				&rc,&matched_msg,&error_msg, &referrals, &serverctrls, 1 );
-         		if ( parse_rc != LDAP_SUCCESS ) {
-	                	cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, matched_msg, 
-					ldap_err2string( parse_rc ), 0, NULL);
-				
+			if ( parse_rc != LDAP_SUCCESS ) {
+				static int warned_parse_rc = 0;
+				if (!warned_parse_rc) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+					                ldap_err2string( parse_rc ));
+					warned_parse_rc = 1;
+				}
+				cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL,
+				                     ENDUSERMSG, 0, NULL );
 				retcode=-1;
 			} else
 			if ( rc != LDAP_SUCCESS ) {
+				static int warned_rc = 0;
 				slapi_ldap_get_lderrno( ctx->ld, &matched_msg, &error_msg );
-	                	cb_send_ldap_result( pb, rc, matched_msg, NULL, 0, NULL);
+				if (!warned_rc) {
+					slapi_log_error( SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+						            "%s%s%s\n", 
+						            matched_msg?matched_msg:"",
+						            (matched_msg&&(*matched_msg!='\0'))?": ":"",
+						            error_msg );
+					warned_rc = 1;
+				}
+				cb_send_ldap_result( pb, rc, matched_msg, ENDUSERMSG, 0, NULL );
 
 				/* BEWARE: Don't free matched_msg && error_msg */
 				/* Points to the ld fields		       */

+ 2 - 2
ldap/servers/slapd/pw.c

@@ -457,7 +457,7 @@ pw_rever_decode(char *cipher, char **plain, const char * attr_name)
 				if ( pwsp->pws_dec != NULL )	
 				{
 					/* check that the prefix of the cipher is the same name
-						as the schema name */
+						as the scheme name */
 					prefixOK = checkPrefix(cipher, pwsp->pws_name, &encrypt);
 					if ( prefixOK == -1 )
 					{
@@ -468,7 +468,7 @@ pw_rever_decode(char *cipher, char **plain, const char * attr_name)
 					}
 					else if ( prefixOK == 1 )
 					{
-						/* schema names are different */
+						/* scheme names are different */
 						ret_code = -1;
 						goto free_and_return;
 					}