In the Heimdal version of kadmin-backend, retry the kadmin connection
once if the first connection fails. This is a workaround for a
transient networking error that we're seeing at Stanford and therefore
- may not be fully appropriate for other sites. Even on a successful
- reconnect, this will cause some errors to be sent to standard error
- due to the behavior of Heimdal::Kadm5.
+ may not be fully appropriate for other sites. Also suppress the
+ standard error output from the Heimdal library since Heimdal::Kadm5
+ does not.
+
+ Clean up error reporting in the Heimdal version of kadmin-backend.
+ Use the correct (rather than the documented) way to tell
+ Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin
+ functions uniformly use the same standard error formatting and exit
+ status for kadmin failures.
When prompting for a username in passwd_change, strip any surrounding
whitespace from that username before proceeding.
my $first = 1;
CONNECT:
{
- local $SIG{__WARN__} = sub {};
+ my $olderr;
+ if (open($olderr, '>&', \*STDERR)) {
+ close(STDERR) or warn "cannot close STDERR: $!\n";
+ }
$kadmin = eval {
Heimdal::Kadm5::Client->new(
- Principal => $CONFIG{$instance}{k5_admin},
- Keytab => $CONFIG{$instance}{k5_keytab},
- RaiseErrors => 1,
+ Principal => $CONFIG{$instance}{k5_admin},
+ Keytab => $CONFIG{$instance}{k5_keytab},
+ RaiseError => 1,
);
};
+ if ($olderr) {
+ open(STDERR, '>&', $olderr) or warn "cannot reopen STDERR: $!\n";
+ close($olderr) or warn "cannot close duplicate STDERR: $!\n";
+ }
if ($first && ($@ || !$kadmin)) {
$first = 0;
redo CONNECT;
}
if ($@ || !$kadmin) {
- die;
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot connect to kadmin server: $error\n";
+ exit 1;
}
}
$CONFIG{$instance}{handle} = $kadmin;
}
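Review bot: The `close(STDERR) or warn "cannot close STDERR: $!\n";` line leaves file descriptor 2 unallocated while `Heimdal::Kadm5::Client->new` runs, so any descriptor the library opens during the connection attempt (keytab, socket) can be assigned fd 2, and the later `open(STDERR, '>&', $olderr)` reattaches STDERR to that number and may clobber the library's descriptor. Redirecting instead of closing keeps fd 2 occupied: `open(STDERR, '>', '/dev/null') or warn "cannot redirect STDERR: $!\n";` in place of the close, with the restore left as it is. Separately, `warn "error: cannot connect to kadmin server: $error\n"` appends a newline to a message whose fallback value `"unknown error\n"` already ends in one (exception strings from `die` commonly do too), while the create, delete and disable hunks omit the trailing `\n`; the enable, retrieve, modify and change-password hunks add it, so one form should be chosen for all of them. The enclosing `kadmin_handle` body starts before this hunk.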
$princdata->setAttributes ($attrs);
- eval { $kadmin->createPrincipal ($princdata, $password, 0) };
+ if (!eval { $kadmin->createPrincipal ($princdata, $password, 0) }) {
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot create $principal: $error";
+ exit 1;
+ }
}
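Review bot: The new `if (!eval { $kadmin->createPrincipal ($princdata, $password, 0) })` treats a false return value as a failure, so the check depends on `createPrincipal` returning something true on success, which the page does not establish; if the method returns an empty or zero value on success (unverified), the caller exits with `unknown error`. The enable hunk uses `eval { ... };` followed by `if ($@) {`, which only looks at the exception and does not depend on the return value; the same shape here, `eval { $kadmin->createPrincipal ($princdata, $password, 0) };` then `if ($@) {`, would make the checks uniform. The delete and disable hunks have the same `if (!eval { ... })` form. The enclosing function starts and ends outside this hunk.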
# Delete a principal using kadmin.
$principal = "$principal/$instance" if $instance;
my $kadmin = kadmin_handle ($instance);
- my $retval = eval { $kadmin->deletePrincipal ($principal) };
- if ($@) {
- warn "error deleting $principal: $@";
+ if (!eval { $kadmin->deletePrincipal ($principal) }) {
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot delete principal: $error";
exit 1;
}
}
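Review bot: The message `warn "error: cannot delete principal: $error";` drops the principal name that every other new message in this change includes (`cannot create $principal`, `cannot disable $principal`, `cannot enable $principal`), so a failed delete is the one case the operator cannot attribute from the log line alone. Suggest `warn "error: cannot delete $principal: $error";`. The enclosing function starts before this hunk.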
$principal = "$principal/$instance" if $instance;
my $kadmin = kadmin_handle ($instance);
- eval { $kadmin->disablePrincipal ($principal) };
- if ($@) {
- warn "error: $@\n";
+ if (!eval { $kadmin->disablePrincipal ($principal) }) {
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot disable $principal: $error";
exit 1;
}
}
exit 1;
}
}
-
my $kadmin = kadmin_handle ($instance);
eval { $kadmin->enablePrincipal ($principal) };
if ($@) {
- warn "error: $@\n";
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot enable $principal: $error\n";
exit 1;
}
}
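Review bot: Inside `if ($@) {`, the fallback in `my $error = $@ || "unknown error\n";` can never apply, because the branch is entered only when `$@` is true; the line is harmless but reads as if the exception could be empty here, which it cannot. Either `my $error = $@;` or the `if (!eval { ... })` shape used in the create hunk, where the fallback is reachable, would match intent to code. The retrieve, modify and change-password hunks below have the same pattern. The enclosing function starts before this hunk.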
my $kadmin = kadmin_handle ($instance);
my $data = eval { $kadmin->getPrincipal ($principal) };
if ($@) {
- warn "error: $@\n";
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot retrieve $principal: $error\n";
exit 1;
} elsif (!defined $data) {
warn "error: principal $principal does not exist\n";
$kadmin->modifyPrincipal ($data);
};
if ($@) {
- warn "error: $@\n";
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot modify $principal: $error\n";
exit 1;
}
}
my $kadmin = kadmin_handle ($instance);
my $data = eval { $kadmin->getPrincipal ($principal) };
if ($@) {
- warn "error: $@\n";
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot retrieve $principal: $error\n";
exit 1;
} elsif (!defined $data) {
warn "error: principal $principal does not exist\n";
$kadmin->modifyPrincipal ($data);
};
if ($@) {
- warn "error: $@\n";
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot modify $principal: $error\n";
exit 1;
}
}
my $kadmin = kadmin_handle ($instance);
my $data = eval { $kadmin->getPrincipal ($principal) };
if ($@) {
- warn "error: $@\n";
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot retrieve $principal: $error\n";
exit 1;
} elsif (!defined $data) {
warn "error: principal $principal does not exist\n";
my $kadmin = kadmin_handle ($instance);
eval { $kadmin->changePassword ($principal, $password) };
if ($@) {
- warn "error: $@\n";
+ my $error = $@ || "unknown error\n";
+ warn "error: cannot change password for $principal: $error\n";
exit 1;
}
}