Add support for ldaps using Tivoli LDAP libraries.

author Todd C. Miller <Todd.Miller@courtesan.com>

Fri, 29 Jun 2012 16:55:22 +0000 (12:55 -0400)

committer Todd C. Miller <Todd.Miller@courtesan.com>

Fri, 29 Jun 2012 16:55:22 +0000 (12:55 -0400)
author Todd C. Miller <Todd.Miller@courtesan.com>
Fri, 29 Jun 2012 16:55:22 +0000 (12:55 -0400)
committer Todd C. Miller <Todd.Miller@courtesan.com>
Fri, 29 Jun 2012 16:55:22 +0000 (12:55 -0400)
diff --git a/config.h.in b/config.h.in

index 980a29e3c4806aee1baea50ea8bf77621b221bdf..229d4e4117d04ed468c96b20a8299a484219a1f0 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -290,6 +290,9 @@
  /* Define to 1 if you have the <ldap_ssl.h> header file. */
  #undef HAVE_LDAP_SSL_H
  
+/* Define to 1 if you have the `ldap_ssl_init' function. */
+#undef HAVE_LDAP_SSL_INIT
+
  /* Define to 1 if you have the `ldap_start_tls_s' function. */
  #undef HAVE_LDAP_START_TLS_S
  
diff --git a/configure b/configure

index 605367dce38950435720be5ac4f6a9f7ec4eb0ba..1b6cb5abe574a8773d8975b24f257683d7a617c2 100755 (executable)
--- a/configure
+++ b/configure
@@ -19431,7 +19431,7 @@ fi
  
  done
  
-    for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np
+    for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np
  do :
    as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
  ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.in b/configure.in

index 1c75f69ec13ddd561f58f91fdd95e0ecb63f5b5d..b28630e14817319e08bfc518de8007c46e0ca88f 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -2870,7 +2870,7 @@ if test ${with_ldap-'no'} != "no"; then
  
      AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
      AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np)
      AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
  
      if test X"$check_gss_krb5_ccache_name" = X"yes"; then
diff --git a/ldap.c b/ldap.c

index e4ef482eb26547cedb7831ceb793f9e6c95da3ac..4f98addc531763fccd79a8cc89cd4d882e1383fe 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -220,6 +220,7 @@ static struct ldap_config {
      char *tls_cipher_suite;
      char *tls_certfile;
      char *tls_keyfile;
+    char *tls_keypw;
      char *sasl_auth_id;
      char *rootsasl_auth_id;
      char *sasl_secprops;
@@ -259,6 +260,9 @@ static struct ldap_config_table ldap_conf_global[] = {
  #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
      { "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE,
         &ldap_conf.tls_cipher_suite },
+#elif defined(LDAP_OPT_SSL_CIPHER)
+    { "tls_ciphers", CONF_STR, LDAP_OPT_SSL_CIPHER,
+       &ldap_conf.tls_cipher_suite },
  #endif
  #ifdef LDAP_OPT_X_TLS_CERTFILE
      { "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE,
@@ -271,6 +275,9 @@ static struct ldap_config_table ldap_conf_global[] = {
         &ldap_conf.tls_keyfile },
  #else
      { "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile },
+#endif
+#ifdef HAVE_LDAP_SSL_CLIENT_INIT
+    { "tls_keypw", CONF_STR, -1, &ldap_conf.tls_keypw },
  #endif
      { "binddn", CONF_STR, -1, &ldap_conf.binddn },
      { "bindpw", CONF_STR, -1, &ldap_conf.bindpw },
@@ -578,6 +585,16 @@ sudo_ldap_init(ldp, host, port)
         if ((ld = ldapssl_init(host, port, defsecure)) != NULL)
             rc = LDAP_SUCCESS;
      } else
+#elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT)
+    if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
+       if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
+           warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
+           debug_return_int(-1);
+       }
+       DPRINTF(("ldap_ssl_init(%s, %d, NULL)", host, port), 2);
+       if ((ld = ldap_ssl_init((char *)host, port, NULL)) != NULL)
+           rc = LDAP_SUCCESS;
+    } else
  #endif
      {
  #ifdef HAVE_LDAP_CREATE
@@ -588,7 +605,7 @@ sudo_ldap_init(ldp, host, port)
         rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host);
  #else
         DPRINTF(("ldap_init(%s, %d)", host, port), 2);
-       if ((ld = ldap_init(host, port)) != NULL)
+       if ((ld = ldap_init((char *)host, port)) != NULL)
             rc = LDAP_SUCCESS;
  #endif
      }
@@ -2246,7 +2263,7 @@ sudo_ldap_open(nss)
         }
         DPRINTF(("ldap_start_tls_s() ok"), 1);
  #elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
-       if (ldap_ssl_client_init(NULL, NULL, 0, &rc) != LDAP_SUCCESS) {
+       if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
             warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
             return -1;
         }
author	Todd C. Miller <Todd.Miller@courtesan.com>
	Fri, 29 Jun 2012 16:55:22 +0000 (12:55 -0400)
committer	Todd C. Miller <Todd.Miller@courtesan.com>
	Fri, 29 Jun 2012 16:55:22 +0000 (12:55 -0400)
config.h.in		patch \| blob \| history
configure		patch \| blob \| history
configure.in		patch \| blob \| history
ldap.c		patch \| blob \| history