ipa/SOURCES/0022-Issue-9497-update-debug-logging-in-ipa-pwd-extop.patch

From 3a8fe8c3a9de8d0e17ab4064ac689bce2b4b5042 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:41:10 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa-pwd-extop

Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 .../ipa-slapi-plugins/ipa-pwd-extop/common.c  |  25 +++--
 .../ipa-pwd-extop/encoding.c                  |   5 +-
 .../ipa-pwd-extop/ipa_pwd_extop.c             | 106 ++++++++++--------
 .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c |  59 +++++-----
 4 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5251713c68855e10b0980af71696d944e683ae90..d30764bb2a05c7ca4a33ea114a2dc19af39e216f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -33,7 +33,7 @@
  * Authors:
  * Simo Sorce <ssorce@redhat.com>
  *
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
  * All rights reserved.
  * END COPYRIGHT BLOCK **/
 
@@ -81,7 +81,8 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
     char **encsalts;
     char **tmparray;
     char *tmpstr;
-    int i, ret;
+    int ret;
+    size_t i;
 
     config = calloc(1, sizeof(struct ipapwd_krbcfg));
     if (!config) {
@@ -327,7 +328,8 @@ int ipapwd_getPolicy(const char *dn,
                       "ipaPwdUserCheck", NULL};
     Slapi_Entry **es = NULL;
     Slapi_Entry *pe = NULL;
-    int ret, res, scope, i;
+    int ret, res, scope;
+    size_t i;
     int buffer_flags=0;
     Slapi_ValueSet* results = NULL;
     char *actual_type_name = NULL;
@@ -545,7 +547,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
         }
         sdn = slapi_sdn_new_dn_byref(dn);
         if (!sdn) {
-            LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : "<NULL>");
+            LOG_FATAL("Unable to convert dn to sdn %s\n", dn ? dn : "<NULL>");
             *errMesg = "Internal Error";
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
@@ -564,7 +566,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
     /* get the kerberos context and master key */
     *config = ipapwd_getConfig();
     if (NULL == *config) {
-        LOG_FATAL("Error Retrieving Master Key");
+        LOG_FATAL("Error Retrieving Master Key\n");
         *errMesg = "Fatal Internal Error";
         rc = LDAP_OPERATIONS_ERROR;
     }
@@ -594,7 +596,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
             /* Find the entry with the password policy */
             ret = ipapwd_getPolicy(data->dn, data->target, &pol);
             if (ret) {
-                LOG_TRACE("No password policy, use defaults");
+                LOG_TRACE("No password policy, use defaults\n");
             }
             break;
         case IPA_CHANGETYPE_ADMIN:
@@ -620,14 +622,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
              */
             ret = ipapwd_getPolicy(data->dn, data->target, &tmppol);
             if (ret) {
-                LOG_TRACE("No password policy, use defaults");
+                LOG_TRACE("No password policy, use defaults\n");
             } else {
                 pol.max_pwd_life = tmppol.max_pwd_life;
                 pol.history_length = tmppol.history_length;
             }
             break;
         default:
-            LOG_TRACE("Unknown password change type, use defaults");
+            LOG_TRACE("Unknown password change type, use defaults\n");
             break;
     }
 
@@ -860,7 +862,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
                 case IPA_CHANGETYPE_DSMGR:
                 case IPA_CHANGETYPE_ADMIN:
                     /* Mark as administratively reset which will unlock acct */
-                    ret = ipapwd_setdate(data->target, smods, 
+                    ret = ipapwd_setdate(data->target, smods,
                                          "krbLastAdminUnlock",
                                          data->timeNow, false);
                     if (ret != LDAP_SUCCESS)
@@ -951,7 +953,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
     char **new_pwd_history = NULL;
     int n = 0;
     int ret;
-    int i;
+    size_t i;
 
     pwd_history = slapi_entry_attr_get_charray(data->target,
                                                "passwordHistory");
@@ -1083,10 +1085,9 @@ int ipapwd_set_extradata(const char *dn,
 void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
 {
     Slapi_Value **sv = *svals;
-    int i;
 
     if (sv) {
-        for (i = 0; sv[i]; i++) {
+        for (size_t i = 0; sv[i]; i++) {
             slapi_value_free(&sv[i]);
         }
     }
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 7b2f341229b4f3bf48105c3856c0d6778da154a5..43ae6f0a645c8f3ff0fa2d147891f93efff0eb20 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -33,7 +33,7 @@
  * Authors:
  * Simo Sorce <ssorce@redhat.com>
  *
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
  * All rights reserved.
  * END COPYRIGHT BLOCK **/
 
@@ -231,7 +231,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
 
         if (!*svals) {
             /* errMesg should have been set in encrypt_encode_key() */
-            LOG_FATAL("key encryption/encoding failed\n");
+            LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg);
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
@@ -267,6 +267,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
             }
             (*ntvals)[0] = slapi_value_new();
             if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
+                LOG("Failed to set value for nt_key");
                 rc = LDAP_OPERATIONS_ERROR;
                 goto done;
             }
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 0d630ca04c38b739bb0d8bf22c162af9d3e15566..43c31becae45c1c91c7c2adf498aedbd05af9a69 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -33,7 +33,7 @@
  * Authors:
  * Simo Sorce <ssorce@redhat.com>
  *
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
  * All rights reserved.
  * END COPYRIGHT BLOCK **/
 
@@ -108,7 +108,7 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
                         struct ipapwd_keyset *kset,
                         bool allow_nthash)
 {
-    int i, j;
+    size_t i, j;
 
     for (i = 0; i < kset->num_keys; i++) {
         for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
@@ -151,11 +151,11 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
                             bool allow_nthash)
 {
     /* first filter for duplicates */
-    for (int i = 0; i + 1 < *num_kenctypes; i++) {
-        for (int j = i + 1; j < *num_kenctypes; j++) {
+    for (size_t i = 0; i + 1 < *num_kenctypes; i++) {
+        for (size_t j = i + 1; j < *num_kenctypes; j++) {
             if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
                 /* duplicate, filter out */
-                for (int k = j; k + 1 < *num_kenctypes; k++) {
+                for (size_t k = j; k + 1 < *num_kenctypes; k++) {
                     kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
                     kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
                 }
@@ -166,8 +166,8 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
     }
 
     /* then filter for supported */
-    for (int i = 0; i < *num_kenctypes; i++) {
-        int j;
+    for (size_t i = 0; i < *num_kenctypes; i++) {
+        size_t j;
 
         /* Check if supported */
         for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
@@ -184,7 +184,7 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
         }
         if (j == krbcfg->num_supp_encsalts) {
             /* Unsupported, filter out */
-            for (int k = i; k + 1 < *num_kenctypes; k++) {
+            for (size_t k = i; k + 1 < *num_kenctypes; k++) {
                 kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
                 kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
             }
@@ -344,6 +344,8 @@ parse_req_done:
 
         rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg);
         if (rc) {
+            LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+                          bindDN, errMesg);
             goto free_and_return;
         }
 
@@ -456,7 +458,7 @@ parse_req_done:
             char *cur_pw;
 
             if (oldPasswd == NULL || *oldPasswd == '\0') {
-                LOG_FATAL("Old password was not provided!\n");
+                LOG_FATAL("Old password was not provided for '%s'!\n", dn);
                 rc = LDAP_INVALID_CREDENTIALS;
                 goto free_and_return;
             }
@@ -466,7 +468,7 @@ parse_req_done:
             cur_pw = slapi_entry_attr_get_charptr(targetEntry,
                                                   "userPassword");
             if (!cur_pw) {
-                LOG_FATAL("User has no current password?\n");
+                LOG_FATAL("User '%s' does not have a current password?\n", dn);
                 rc = LDAP_UNWILLING_TO_PERFORM;
                 goto free_and_return;
             }
@@ -485,7 +487,7 @@ parse_req_done:
             slapi_value_free(&pw);
 
             if (ret != 0) {
-                LOG_TRACE("Invalid password!\n");
+                LOG_TRACE("Invalid password for '%s'!\n", dn);
                 rc = LDAP_INVALID_CREDENTIALS;
                 goto free_and_return;
             }
@@ -579,11 +581,9 @@ parse_req_done:
     /* special cases */
     if ((strcasecmp(dn, bindDN) != 0) &&
         (strcasecmp(ipa_changepw_principal_dn, bindDN) != 0)) {
-        int i;
-
         pwdata.changetype = IPA_CHANGETYPE_ADMIN;
 
-        for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+        for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
             if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
                 pwdata.changetype = IPA_CHANGETYPE_DSMGR;
                 break;
@@ -606,6 +606,8 @@ parse_req_done:
 			errMesg = ipapwd_error2string(ret);
 			ret = ipapwd_to_ldap_pwpolicy_error(ret);
 			slapi_pwpolicy_make_response_control(pb, -1, -1, ret);
+			LOG_PWDPOLICY("Failed to set password credentials for"
+			              " '%s': %s\n", dn, errMesg);
 			rc = LDAP_CONSTRAINT_VIOLATION;
 			goto free_and_return;
 		}
@@ -666,7 +668,7 @@ free_and_return:
 	if (targetEntry) slapi_entry_free(targetEntry);
 	if (ber) ber_free(ber, 1);
 
-	LOG("%s", errMesg ? errMesg : "success");
+	LOG("%s\n", errMesg ? errMesg : "success");
 	slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
 
 	return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@@ -732,7 +734,8 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
                          "krbCanonicalName",
                          "enrolledBy", NULL };
     Slapi_Entry **es = NULL;
-    int res, ret, i;
+    int res, ret;
+    size_t i;
     Slapi_Entry *entry = NULL;
 
     /* Find ancestor base DN */
@@ -774,7 +777,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
 
     /* if there is none or more than one, freak out */
     if (i != 1) {
-        LOG_TRACE("Too many entries, or entry no found (%d)", i);
+        LOG_TRACE("Too many entries, or entry no found (%ld)\n", i);
         goto free_and_return;
     }
     entry = slapi_entry_dup(es[0]);
@@ -809,7 +812,7 @@ static bool is_allowed_to_access_attr(Slapi_PBlock *pb, char *bindDN,
      */
     be = get_realm_backend();
     if (!be) {
-        LOG_FATAL("Could not fetch REALM backend!");
+        LOG_FATAL("Could not fetch REALM backend!\n");
         return false;
     }
     if (slapi_pblock_set(pb, SLAPI_BACKEND, be)) {
@@ -868,7 +871,8 @@ static void remove_user_password(Slapi_Mods *smods,
         if ((NULL != pw) && (NULL == krbLastPwdChange)) {
             slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE,
                                       "userPassword", NULL);
-            LOG_TRACE("Removing userPassword from host entry\n");
+            LOG_TRACE("Removing userPassword from host entry '%s'\n",
+                      slapi_entry_get_dn_const(targetEntry));
         }
     }
     if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
@@ -891,8 +895,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
     rc = set_krbLastPwdChange(smods, time_now);
     if (rc) {
         rc = LDAP_OPERATIONS_ERROR;
-        LOG_FATAL("Failed to set krbLastPwdChange");
-        err_msg = "Internal error while storing keytab data\n";
+        LOG_FATAL("Failed to set krbLastPwdChange for target '%s'\n",
+                  slapi_entry_get_dn_const(target));
+        err_msg = "Internal error while storing keytab data";
         goto done;
     }
 
@@ -905,8 +910,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
     rc = ipapwd_apply_mods(slapi_entry_get_dn_const(target), smods);
     if (rc != LDAP_SUCCESS) {
         rc = LDAP_OPERATIONS_ERROR;
-        LOG_FATAL("Failed to apply mods");
-        err_msg = "Internal error while saving keys\n";
+        LOG_FATAL("Failed to apply mods to target '%s'\n",
+                  slapi_entry_get_dn_const(target));
+        err_msg = "Internal error while saving keys";
         goto done;
     }
 
@@ -914,8 +920,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
                               svcname, time_now);
     if (rc != LDAP_SUCCESS) {
         rc = LDAP_OPERATIONS_ERROR;
-        LOG_FATAL("Failed to set extradata");
-        err_msg = "Internal error while saving keytab extradata\n";
+        LOG_FATAL("Failed to set extradata for target '%s'\n",
+                  slapi_entry_get_dn_const(target));
+        err_msg = "Internal error while saving keytab extradata";
         goto done;
     }
 
@@ -1003,7 +1010,7 @@ static int decode_setkeytab_request(krb5_context krbctx,
     kset->mkvno = mkvno;
 
     rtag = ber_peek_tag(ber, &tlen);
-    for (int i = 0; rtag == LBER_SEQUENCE; i++) {
+    for (size_t i = 0; rtag == LBER_SEQUENCE; i++) {
         krb5_key_data *newset;
         ber_tag_t ctag;
         ber_int_t type;
@@ -1181,29 +1188,29 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset,
     rc = ber_printf(ber, "{i{", (ber_int_t)kset->keys[0].key_data_kvno);
     if (rc == -1) {
         rc = LDAP_OPERATIONS_ERROR;
-        LOG_FATAL("Failed to ber_printf the kvno");
+        LOG_FATAL("Failed to ber_printf the kvno\n");
         goto done;
     }
 
-    for (int i = 0; i < kset->num_keys; i++) {
+    for (size_t i = 0; i < kset->num_keys; i++) {
         rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]);
         if (rc == -1) {
             rc = LDAP_OPERATIONS_ERROR;
-            LOG_FATAL("Failed to ber_printf the enctype");
+            LOG_FATAL("Failed to ber_printf the enctype\n");
             goto done;
         }
     }
     rc = ber_printf(ber, "}}");
     if (rc == -1) {
         rc = LDAP_OPERATIONS_ERROR;
-        LOG_FATAL("Failed to ber_printf the termination");
+        LOG_FATAL("Failed to ber_printf the termination\n");
         goto done;
     }
 
     rc = ber_flatten(ber, &bvp);
     if (rc == -1) {
         rc = LDAP_OPERATIONS_ERROR;
-        LOG_FATAL("Failed to ber_flatten the buffer");
+        LOG_FATAL("Failed to ber_flatten the buffer\n");
         goto done;
     }
 
@@ -1306,7 +1313,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 
     /* get next kvno for entry (will be 1 if this is new) and fix keyset */
     kvno = ipapwd_get_cur_kvno(targetEntry) + 1;
-    for (int i = 0; i < kset->num_keys; i++) {
+    for (size_t i = 0; i < kset->num_keys; i++) {
         kset->keys[i].key_data_kvno = kvno;
     }
 
@@ -1352,7 +1359,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 
     rc = encode_setkeytab_reply(kset, &bvp);
     if (rc) {
-        errMesg = "Internal Error.\n";
+        errMesg = "Internal Error.";
         goto free_and_return;
     }
 
@@ -1372,7 +1379,7 @@ free_and_return:
     if (targetEntry) slapi_entry_free(targetEntry);
 
 	if (svals) {
-		for (int i = 0; svals[i]; i++) {
+		for (size_t i = 0; svals[i]; i++) {
 			slapi_value_free(&svals[i]);
 		}
 		free(svals);
@@ -1382,7 +1389,7 @@ free_and_return:
 
         if (rc == LDAP_SUCCESS)
             errMesg = NULL;
-	LOG("%s", errMesg ? errMesg : "success");
+	LOG("%s\n", errMesg ? errMesg : "success");
 	slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
 
 	return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@@ -1403,7 +1410,6 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
     krb5_key_salt_tuple *enctypes = NULL;
     bool newkt;
     bool ret;
-    int i;
 
     ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt,
                             &svcname, &password, &etypes, &numtypes);
@@ -1423,7 +1429,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
                 goto done;
             }
 
-            for (i = 0; i < numtypes; i++) {
+            for (size_t i = 0; i < numtypes; i++) {
                 enctypes[i].ks_enctype = etypes[i];
                 enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
             }
@@ -1466,7 +1472,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
     /* uses last key kvno */
     kvno = keys[num_keys-1].key_data_kvno;
 
-    for (int i = 0; i < num_keys; i++) {
+    for (size_t i = 0; i < num_keys; i++) {
         krb5_enc_data cipher = { 0 };
         krb5_data plain = { 0 };
         krb5_int16 plen;
@@ -1516,7 +1522,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
     rc = LDAP_SUCCESS;
 
 done:
-    for (int i = 0; i < ksc.nkeys; i ++) {
+    for (size_t i = 0; i < ksc.nkeys; i++) {
         free(ksc.ksdata[i].key.contents);
     }
     if (rc != LDAP_SUCCESS) {
@@ -1632,7 +1638,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
     * this operation. */
     if (bind_dn == NULL || *bind_dn == '\0') {
         /* Refuse the operation because they're bound anonymously */
-        err_msg = "Anonymous Binds are not allowed.\n";
+        err_msg = "Anonymous Binds are not allowed.";
         rc = LDAP_INSUFFICIENT_ACCESS;
         goto free_and_return;
     }
@@ -1648,7 +1654,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
     slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
     if (!extop_value) {
         LOG_FATAL("Failed to retrieve extended op value from pblock\n");
-        err_msg = "Failed to retrieve extended operation value\n";
+        err_msg = "Failed to retrieve extended operation value";
         rc = LDAP_OPERATIONS_ERROR;
         goto free_and_return;
     }
@@ -1674,7 +1680,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
     /* get Entry by krbPrincipalName */
     target_entry = get_entry_by_principal(service_name);
     if (!target_entry) {
-        err_msg = "PrincipalName not found.\n";
+        err_msg = "PrincipalName not found.";
         rc = LDAP_NO_SUCH_OBJECT;
         goto free_and_return;
     }
@@ -1690,7 +1696,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
         if (!acl_ok) {
             LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n",
                       service_name, bind_dn);
-            err_msg = "Insufficient access rights\n";
+            err_msg = "Insufficient access rights";
             rc = LDAP_INSUFFICIENT_ACCESS;
             goto free_and_return;
         }
@@ -1701,6 +1707,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
             /* if password was passed-in, check its length */
             rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg);
             if (rc) {
+                LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+                              bind_dn, err_msg);
                 goto free_and_return;
             }
 	}
@@ -1712,7 +1720,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
         if (!acl_ok) {
             LOG_FATAL("Not allowed to set keytab on [%s]!\n",
                       service_name);
-            err_msg = "Insufficient access rights\n";
+            err_msg = "Insufficient access rights";
             rc = LDAP_INSUFFICIENT_ACCESS;
             goto free_and_return;
         }
@@ -1745,7 +1753,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
         if (!svals) {
             rc = LDAP_OPERATIONS_ERROR;
             LOG_FATAL("encrypt_encode_keys failed!\n");
-            err_msg = "Internal error while encrypting keys\n";
+            err_msg = "Internal error while encrypting keys";
             goto free_and_return;
         }
 
@@ -1765,7 +1773,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
     rc = encode_getkeytab_reply(krbctx, krbcfg->kmkey, mkvno,
                                 keys, num_keys, &bvp);
     if (rc != LDAP_SUCCESS) {
-        err_msg = "Internal Error.\n";
+        err_msg = "Internal Error.";
         goto free_and_return;
     }
 
@@ -1776,7 +1784,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 
 free_and_return:
     if (rc == LDAP_SUCCESS) err_msg = NULL;
-    LOG("%s", err_msg ? err_msg : "success");
+    LOG("%s\n", err_msg ? err_msg : "success");
     slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
 
     /* Free anything that we allocated above */
@@ -1787,7 +1795,7 @@ free_and_return:
     if (target_entry) slapi_entry_free(target_entry);
     if (keys) ipa_krb5_free_key_data(keys, num_keys);
     if (svals) {
-        for (int i = 0; svals[i]; i++) {
+        for (size_t i = 0; svals[i]; i++) {
             slapi_value_free(&svals[i]);
         }
         free(svals);
@@ -2031,7 +2039,7 @@ int ipapwd_init( Slapi_PBlock *pb )
                               "ipapwd_post_init_betxn", ipapwd_post_init_betxn,
                               "IPA pwd post ops betxn", NULL,
                               ipapwd_plugin_id);
-    } 
+    }
 
     slapi_register_plugin("preoperation", 1,
                           "ipapwd_pre_init", ipapwd_pre_init,
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 45626523ffa1030cdff4f3e0ccdfa1618a51ccaf..6898e6596e1cbbb2cc69ba592401619ce86899d8 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -33,7 +33,7 @@
  * Authors:
  * Simo Sorce <ssorce@redhat.com>
  *
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
  * All rights reserved.
  * END COPYRIGHT BLOCK **/
 
@@ -248,6 +248,13 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
         return 0;
     }
 
+    /* Get target DN */
+    ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    if (ret) {
+        rc = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
     /* Ok this is interesting,
      * Check this is a clear text password, or refuse operation */
     if ('{' == userpw[0]) {
@@ -280,6 +287,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
             } else {
                 rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
                 if (rc) {
+                    LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+                                  slapi_sdn_get_dn(sdn), errMesg);
                     goto done;
                 }
                 userpw = slapi_ch_strdup(userpw_clear);
@@ -329,13 +338,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
         goto done;
     }
 
-    /* Get target DN */
-    ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
-    if (ret) {
-        rc = LDAP_OPERATIONS_ERROR;
-        goto done;
-    }
-
     /* time to get the operation handler */
     ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
     if (ret != 0) {
@@ -359,7 +361,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
         pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
     } else {
         char *binddn;
-        int i;
 
         pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
 
@@ -367,7 +368,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
         slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
 
         /* if it is a passsync manager we also need to skip resets */
-        for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+        for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
             if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
                 pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
                 break;
@@ -385,6 +386,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
     if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
         (ret != 0) ) {
         errMesg = ipapwd_error2string(ret);
+        LOG_PWDPOLICY("Failed to add password credentials for '%s': %s\n",
+                      slapi_sdn_get_dn(sdn), errMesg);
         rc = LDAP_CONSTRAINT_VIOLATION;
         goto done;
     }
@@ -507,6 +510,13 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
         goto done;
     }
 
+    /* Get target DN */
+    ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    if (ret) {
+        rc = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
     /* grab the mods - we'll put them back later with
      * our modifications appended
      */
@@ -568,6 +578,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 
             rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg);
             if (rc) {
+                LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+                              slapi_sdn_get_dn(sdn), errMesg);
                 goto done;
             }
             slapi_ch_free_string(&unhashedpw);
@@ -591,14 +603,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 
     /* OK we have something interesting here, start checking for
      * pre-requisites */
-
-    /* Get target DN */
-    ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
-    if (ret) {
-        rc = LDAP_OPERATIONS_ERROR;
-        goto done;
-    }
-
     tmp_sdn = slapi_sdn_dup(sdn);
     if (tmp_sdn) {
         /* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be
@@ -795,6 +799,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
                 const char *userpw_clear = &userpw[strlen("{CLEAR}")];
                 rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
                 if (rc) {
+                    LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+                                  slapi_sdn_get_dn(sdn), errMesg);
                     goto done;
                 }
                 unhashedpw = slapi_ch_strdup(userpw_clear);
@@ -806,9 +812,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
                 slapi_ch_free_string(&userpw);
 
             } else if (slapi_is_encoded(userpw)) {
-
-                LOG("Pre-Encoded passwords are not valid\n");
-                errMesg = "Pre-Encoded passwords are not valid\n";
+                errMesg = "Pre-Encoded passwords are not valid";
+                LOG("%s (%s)\n", errMesg, slapi_sdn_get_dn(sdn));
                 rc = LDAP_CONSTRAINT_VIOLATION;
                 goto done;
             }
@@ -843,7 +848,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
     } else {
         char *binddn;
         Slapi_DN *bdn, *tdn;
-        int i;
 
         /* Check Bind DN */
         slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
@@ -857,18 +861,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
             pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
 
             /* if it is a passsync manager we also need to skip resets */
-            for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+            for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
                 if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
                     pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
                     break;
                 }
             }
-
         }
 
         slapi_sdn_free(&bdn);
         slapi_sdn_free(&tdn);
-
     }
 
     pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
@@ -884,6 +886,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
         if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
             (ret != 0)) {
             errMesg = ipapwd_error2string(ret);
+            LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s/n",
+                          pwdop->pwdata.dn, errMesg);
             rc = LDAP_CONSTRAINT_VIOLATION;
             goto done;
         }
@@ -976,7 +980,6 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
     int num_keys;
     int mkvno;
     int ret;
-    int i;
 
     ret = slapi_entry_attr_find(entry, "ipaNTHash", &attr);
     if (ret == 0) {
@@ -1008,7 +1011,7 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
 
     ret = LDAP_UNWILLING_TO_PERFORM;
 
-    for (i = 0; i < num_keys; i++) {
+    for (size_t i = 0; i < num_keys; i++) {
         char nthash[16];
         krb5_enc_data cipher;
         krb5_data plain;
@@ -1511,6 +1514,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     } else {
         rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg);
         if (rc) {
+            LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+                          slapi_sdn_get_dn(sdn), errMesg);
             goto invalid_creds;
         }
     }
-- 
2.43.0