Use ldapssl_init() for ldaps support instead of trying

to do it manually with ldap_init() + ldapssl_install_routines().
Use tls_cert and tls_key for cert7.db and key3.db respectively.
Don't print debugging info for options that are not set.
Add warning if start_tls specified when not supported.

diff --git a/config.h.in b/config.h.in
index 7f4f187e199a5b66bdf24486fa6df36c5b59e172..96102c44bf9f7682ed2bd542bac71d5bbf7008b3 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -224,8 +224,8 @@
 /* Define to 1 if you have the `ldap_start_tls_s' function. */
 #undef HAVE_LDAP_START_TLS_S
 
-/* Define to 1 if you have the `ldapssl_client_init' function. */
-#undef HAVE_LDAPSSL_CLIENT_INIT
+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
 
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF

diff --git a/configure b/configure
index 5f737903fbfdfed82f25802141d526eed1782944..c9cb39d8a77b87a68a5bba2820cac267f77b4eb5 100755 (executable)
--- a/configure
+++ b/configure
@@ -21829,7 +21829,7 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
 
 
 
-for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_client_init
+for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5

diff --git a/configure.in b/configure.in
index 908155eae36b2a989428c951e635439a53482d27..925dc72a20c4e0e8d0004fa1dbff9dcda7e31cad 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -2287,7 +2287,7 @@ if test ${with_ldap-'no'} != "no"; then
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 
-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_client_init)
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init)
     AC_CHECK_HEADERS([sasl/sasl.h])
 
     AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,

diff --git a/ldap.c b/ldap.c
index cfa3ab1962138593d995fe3bb2f3ff6a49a01998..1e49af7970fa3c377d3cc404d9dfc00a823fd027 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -132,7 +132,6 @@ struct ldap_config {
     char *rootbinddn;
     char *base;
     char *ssl;
-    char *sslpath;
     char *tls_cacertfile;
     char *tls_cacertdir;
     char *tls_random_file;
@@ -150,7 +149,7 @@ struct ldap_config_table ldap_conf_table[] = {
     { "host", CONF_STR, FALSE, -1, &ldap_conf.host },
     { "port", CONF_INT, FALSE, -1, &ldap_conf.port },
     { "ssl", CONF_STR, FALSE, -1, &ldap_conf.ssl },
-    { "sslpath", CONF_STR, FALSE, -1, &ldap_conf.sslpath },
+    { "sslpath", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
     { "uri", CONF_STR, FALSE, -1, &ldap_conf.uri },
 #ifdef LDAP_OPT_DEBUG_LEVEL
     { "debug", CONF_INT, FALSE, LDAP_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug },
@@ -182,10 +181,14 @@ struct ldap_config_table ldap_conf_table[] = {
 #ifdef LDAP_OPT_X_TLS_CERTFILE
     { "tls_cert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CERTFILE,
        &ldap_conf.tls_certfile },
+#else
+    { "tls_cert", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
 #endif
 #ifdef LDAP_OPT_X_TLS_KEYFILE
     { "tls_key", CONF_STR, FALSE, LDAP_OPT_X_TLS_KEYFILE,
        &ldap_conf.tls_keyfile },
+#else
+    { "tls_key", CONF_STR, FALSE, -1, &ldap_conf.tls_keyfile },
 #endif
 #ifdef LDAP_OPT_NETWORK_TIMEOUT
     { "bind_timelimit", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
@@ -736,23 +739,41 @@ sudo_ldap_read_config()
            ldap_conf.binddn : "(anonymous)");
        fprintf(stderr, "bindpw           %s\n", ldap_conf.bindpw ?
            ldap_conf.bindpw : "(anonymous)");
-       fprintf(stderr, "bind_timelimit   %d\n", ldap_conf.bind_timelimit);
-       fprintf(stderr, "timelimit        %d\n", ldap_conf.timelimit);
+       if (ldap_conf.bind_timelimit > 0)
+           fprintf(stderr, "bind_timelimit   %d\n", ldap_conf.bind_timelimit);
+       if (ldap_conf.timelimit > 0)
+           fprintf(stderr, "timelimit        %d\n", ldap_conf.timelimit);
        fprintf(stderr, "ssl              %s\n", ldap_conf.ssl ?
            ldap_conf.ssl : "(no)");
-       fprintf(stderr, "sslpath          %s\n", ldap_conf.sslpath ?
-           ldap_conf.sslpath : "(NONE)");
+       if (ldap_conf.tls_checkpeer != -1)
+           fprintf(stderr, "tls_checkpeer    %s\n", ldap_conf.tls_checkpeer ?
+               "(yes)" : "(no)");
+       if (ldap_conf.tls_cacertfile != NULL)
+           fprintf(stderr, "tls_cacertfile   %s\n", ldap_conf.tls_cacertfile);
+       if (ldap_conf.tls_cacertdir != NULL)
+           fprintf(stderr, "tls_cacertdir    %s\n", ldap_conf.tls_cacertdir);
+       if (ldap_conf.tls_random_file != NULL)
+           fprintf(stderr, "tls_random_file  %s\n", ldap_conf.tls_random_file);
+       if (ldap_conf.tls_cipher_suite != NULL)
+           fprintf(stderr, "tls_cipher_suite %s\n", ldap_conf.tls_cipher_suite);
+       if (ldap_conf.tls_certfile != NULL)
+           fprintf(stderr, "tls_certfile     %s\n", ldap_conf.tls_certfile);
+       if (ldap_conf.tls_keyfile != NULL)
+           fprintf(stderr, "tls_keyfile      %s\n", ldap_conf.tls_keyfile);
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
-       fprintf(stderr, "use_sasl         %d\n", ldap_conf.use_sasl);
-       fprintf(stderr, "sasl_auth_id     %s\n", ldap_conf.sasl_auth_id ?
-           ldap_conf.sasl_auth_id : "(NONE)");
-       fprintf(stderr, "rootuse_sasl     %d\n", ldap_conf.rootuse_sasl);
-       fprintf(stderr, "rootsasl_auth_id %s\n", ldap_conf.rootsasl_auth_id ?
-           ldap_conf.rootsasl_auth_id : "(NONE)");
-       fprintf(stderr, "sasl_secprops    %s\n", ldap_conf.sasl_secprops ?
-           ldap_conf.sasl_secprops : "(NONE)");
-       fprintf(stderr, "krb5_ccname      %s\n", ldap_conf.krb5_ccname ?
-           ldap_conf.krb5_ccname : "(NONE)");
+       if (ldap_conf.use_sasl != -1) {
+           fprintf(stderr, "use_sasl         %s\n",
+               ldap_conf.use_sasl ? "yes" : "no");
+           fprintf(stderr, "sasl_auth_id     %s\n", ldap_conf.sasl_auth_id ?
+               ldap_conf.sasl_auth_id : "(NONE)");
+           fprintf(stderr, "rootuse_sasl     %d\n", ldap_conf.rootuse_sasl);
+           fprintf(stderr, "rootsasl_auth_id %s\n", ldap_conf.rootsasl_auth_id ?
+               ldap_conf.rootsasl_auth_id : "(NONE)");
+           fprintf(stderr, "sasl_secprops    %s\n", ldap_conf.sasl_secprops ?
+               ldap_conf.sasl_secprops : "(NONE)");
+           fprintf(stderr, "krb5_ccname      %s\n", ldap_conf.krb5_ccname ?
+               ldap_conf.krb5_ccname : "(NONE)");
+       }
 #endif
        fprintf(stderr, "===================\n");
     }
@@ -1107,7 +1128,7 @@ sudo_ldap_set_options(ld)
     }
 #endif
 
-#ifdef LDAP_OPT_X_TLS
+#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT)
     if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
        int val = LDAP_OPT_X_TLS_HARD;
        rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
@@ -1138,16 +1159,20 @@ sudo_ldap_open()
     if (!sudo_ldap_read_config())
        return(NULL);
 
-#if defined(HAVE_LDAPSSL_CLIENT_INIT)  && !defined(LDAP_OPT_X_TLS)
+#ifdef HAVE_LDAPSSL_INIT
     if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
-       DPRINTF(("ldapssl_client_init(%s, NULL)", ldap_conf.sslpath), 2);
-       if (ldapssl_client_init(ldap_conf.sslpath, NULL) != LDAP_SUCCESS) {
-           warningx("unable to initialize SSL cert db: %s",
+       DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+           ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+           ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
+       rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+           ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
+       if (rc != LDAP_SUCCESS) {
+           warningx("unable to initialize SSL cert and key db: %s",
                ldapssl_err2string(rc));
            return(NULL);
        }
     }
-#endif
+#endif /* HAVE_LDAPSSL_INIT */
 
     /* Connect to LDAP server */
 #ifdef HAVE_LDAP_INITIALIZE
@@ -1161,8 +1186,16 @@ sudo_ldap_open()
     } else
 #endif /* HAVE_LDAP_INITIALIZE */
     {
+#ifdef HAVE_LDAPSSL_INIT
+       DPRINTF(("ldapssl_init(%s, %d, %d)", ldap_conf.host, ldap_conf.port,
+           ldap_conf.ssl_mode == SUDO_LDAP_SSL), 2);
+       ld = ldapssl_init(ldap_conf.host, ldap_conf.port,
+           ldap_conf.ssl_mode == SUDO_LDAP_SSL);
+#else
        DPRINTF(("ldap_init(%s, %d)", ldap_conf.host, ldap_conf.port), 2);
-       if ((ld = ldap_init(ldap_conf.host, ldap_conf.port)) == NULL) {
+       ld = ldap_init(ldap_conf.host, ldap_conf.port);
+#endif
+       if (ld == NULL) {
            warning("unable to initialize LDAP");
            return(NULL);
        }
@@ -1172,33 +1205,18 @@ sudo_ldap_open()
     if (sudo_ldap_set_options(ld) < 0)
        return(NULL);
 
-#if defined(HAVE_LDAPSSL_CLIENT_INIT)  && !defined(LDAP_OPT_X_TLS)
-    if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
-       DPRINTF(("ldapssl_install_routines()"), 2);
-       rc = ldapssl_install_routines(ld);
-       if (rc != LDAP_SUCCESS) {
-           warningx("ldapssl_install_routines(): %s", ldapssl_err2string(rc));
-           return(NULL);
-       }
-# ifdef LDAP_OPT_SSL
-       rc = ldap_set_option(ld, LDAP_OPT_SSL, LDAP_OPT_ON);
-       if (rc != LDAP_SUCCESS) {
-           warningx("unable to enable SSL: %s", ldapssl_err2string(rc));
-           return(NULL);
-       }
-# endif
-    }
-#endif
-#ifdef HAVE_LDAP_START_TLS_S
     if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
+#ifdef HAVE_LDAP_START_TLS_S
        rc = ldap_start_tls_s(ld, NULL, NULL);
        if (rc != LDAP_SUCCESS) {
            warningx("ldap_start_tls_s(): %s", ldap_err2string(rc));
            return(NULL);
        }
        DPRINTF(("ldap_start_tls_s() ok"), 1);
-    }
+#else
+       warningx("start_tls specified but LDAP libs do not support ldap_start_tls_s()");
 #endif /* HAVE_LDAP_START_TLS_S */
+    }
 
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
     if (ldap_conf.rootuse_sasl == TRUE ||