| author | Dave Olson <olson@cumulusnetworks.com> | 2017-03-10 10:23:19 -0800 |
|---|---|---|
| committer | Dave Olson <olson@cumulusnetworks.com> | 2017-05-23 16:36:15 -0700 |
| commit | 1e18c99eada15bb8efa0ecf0c6600d358f11b48e (patch) | |
| tree | 73ad7d96da95e44393d896b8c6eb8d351a3d7fbd | |
| parent | 52aa2d434ed03f0a386eb3bb6a12cb83b0c005c6 (diff) | |
Don't print debug servers list unless we do tacacs lookup
Unlike most of the other tacacs client code, we run as part of many
processes, and because of min_uid and mapped user lookups, we often
don't actually make a tacacs connection.
So don't log the debug message showing the servers, unless we are
actually going to do the tacacs lookup. This significantly reduces
noise messages in syslog from local user lookups.
Only print 'uid N < min_uid' if debug > 1, since it can occur so
frequently, and isn't as useful as some other debug messages.
Also some minor cleanup while looking for possible incorrect closes.
| -rw-r--r-- | nss_tacplus.c | 56 |
1 files changed, 33 insertions, 23 deletions
diff --git a/nss_tacplus.c b/nss_tacplus.c
index 635327a..4fa652e 100644
--- a/nss_tacplus.c
+++ b/nss_tacplus.c
@@ -87,7 +87,7 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top)
 if(!conf_parsed && debug) /* debug because privileges may not allow */
 syslog(LOG_DEBUG, "%s: can't open config file %s: %m", nssname, cfile);
- goto err;
+ return 1;
 }
 while(fgets(lbuf, sizeof lbuf, conf)) {
@@ -206,28 +206,36 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top)
 }
 fclose(conf);
- if(top == 1) {
- int n;
- if(tac_srv_no == 0 && debug)
- syslog(LOG_DEBUG, "%s:%s: no TACACS %s in config (or no perm),"
- " giving up",
- nssname, __FUNCTION__, tac_srv_no ? "service" :
- (*tac_service ? "server" : "service and no server"));
-
- for(n = 0; debug && n < tac_srv_no; n++)
- syslog(LOG_DEBUG, "%s: server[%d] { addr=%s, key='%s' }", nssname,
- n, tac_srv[n].addr ? tac_ntop(tac_srv[n].addr->ai_addr)
- : "unknown", tac_srv[n].key);
- }
 return 0;
-
-err:
- if(conf)
- fclose(conf);
- return 1;
 }
+/*
+ * Separate function so we can print first time we try to connect,
+ * rather than during config.
+ * Don't print at config, because often the uid lookup is one we
+ * skip due to min_uid, so no reason to clutter the log.
+ */
+static void print_servers(void)
+{
+ static int printed = 0;
+ int n;
+
+ if (printed || !debug)
+ return;
+ printed = 1;
+
+ if(tac_srv_no == 0)
+ syslog(LOG_DEBUG, "%s:%s: no TACACS %s in config (or no perm),"
+ " giving up",
+ nssname, __FUNCTION__, tac_srv_no ? "service" :
+ (*tac_service ? "server" : "service and no server"));
+
+ for(n = 0; n < tac_srv_no; n++)
+ syslog(LOG_DEBUG, "%s: server[%d] { addr=%s, key='%s' }", nssname,
+ n, tac_srv[n].addr ? tac_ntop(tac_srv[n].addr->ai_addr)
+ : "unknown", tac_srv[n].key);
+}
 /*
 * copy a passwd structure and it's strings, using the provided buffer
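Review bot: print_servers() writes the TACACS+ shared secret to syslog through the `key='%s'` format in the second syslog call, so the secret leaves the permission-restricted config file (the `can't open config file` path in the first hunk suggests it is not readable by every caller) and lands in a log that is usually readable by more principals and frequently forwarded off-host. The removed config-time block already did this, but relocating the code is the moment to stop logging the value: change the format to `key=%s` and pass `tac_srv[n].key && *tac_srv[n].key ? "set" : "unset"` in place of `tac_srv[n].key`. Separately, the `tac_srv_no ? "service" : ...` arm sits inside `if(tac_srv_no == 0)` and can never be taken, so this message never reports a missing service, and `__FUNCTION__` now expands to `print_servers` rather than the config function the message used to name. The header comment could also say that the function logs at most once per process, since `printed` is a process-local static and an NSS module is loaded into many processes.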
@@ -454,9 +462,6 @@ connect_tacacs(struct tac_attrib **attr, int srvr)
 {
 int fd;
- if(!*tac_service) /* reported at config file processing */
- return -1;
-
 fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL, vrfname[0]?vrfname:NULL);
 if(fd >= 0) {
@@ -509,6 +514,11 @@ lookup_tacacs_user(struct pwbuf *pb)
 return 2;
 }
 }
+
+ if(!*tac_service) /* reported at config file processing */
+ return ret;
+ print_servers();
+
 for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
 arep.msg = NULL;
 arep.attr = NULL;
@@ -692,7 +702,7 @@ enum nss_status _nss_tacplus_getpwuid_r(uid_t uid, struct passwd *pw,
 conf_parsed = ret == 0 ? 2 : 1;
 if (min_uid != ~0U && uid < min_uid) {
- if(debug)
+ if(debug > 1)
 syslog(LOG_DEBUG, "%s: uid %u < min_uid %u, don't lookup", nssname, uid, min_uid);
 return status;
|
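Review bot: The comment `/* reported at config file processing */` on the new early return in lookup_tacacs_user is stale after this commit: the config-time report was deleted from nss_tacplus_config in the second hunk, and print_servers() is only reached after this return, so an empty tac_service with servers configured is no longer logged anywhere in this diff (unless the config parser reports it on lines outside these hunks). Calling `print_servers();` before the `if(!*tac_service)` check and widening its condition to `if(tac_srv_no == 0 || !*tac_service)` would restore the message and make its "service" arm reachable. `ret` is initialised outside the hunk, as are the start and end of lookup_tacacs_user; confirm the value returned here is one callers treat as "no lookup performed", since the old path surfaced this case as connect_tacacs() returning -1 from the guard the preceding hunk removes. With that guard gone, connect_tacacs relies on every caller checking tac_service first; if it has callers other than lookup_tacacs_user, a precondition comment such as `/* callers must check *tac_service before calling */` would document the new contract.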
