For netscape-based LDAP, use ldapssl_set_strength() to implement
authorTodd C. Miller <Todd.Miller@courtesan.com>
Sun, 13 Jan 2008 19:22:11 +0000 (19:22 +0000)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Sun, 13 Jan 2008 19:22:11 +0000 (19:22 +0000)
the checkpeer ldap.conf option.

README.LDAP
config.h.in
configure
configure.in
ldap.c

index ea62a4431eefffec3a1f15c4454b7d024ba0f2cc..6bb08e74a1952e0152c18e9dc152a3c26422fd04 100644 (file)
@@ -258,7 +258,7 @@ when you imported the sudoers.  Below is an example /etc/ldap.conf
   #ssl start_tls
   #
   # Additional TLS options follow that allow tweaking of the
-  # SSL/TLS connection.  Only supported when using OpenLDAP.
+  # SSL/TLS connection.
   #
   #tls_checkpeer yes # verify server SSL certificate
   #tls_checkpeer no  # ignore server SSL certificate
index fe8b732fd81deb44b43057937c9134b2704795a2..f4ab5df502c3d1fc03557e3b3b197af4b762471e 100644 (file)
 /* Define to 1 if you have the `ldapssl_init' function. */
 #undef HAVE_LDAPSSL_INIT
 
+/* Define to 1 if you have the `ldapssl_set_strength' function. */
+#undef HAVE_LDAPSSL_SET_STRENGTH
+
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF
 
index 8ab2798d19c7d4834fa82a1f2ce49f27b7912924..3428891c584d563b5f2ca4a865e0d21c06de4024 100755 (executable)
--- a/configure
+++ b/configure
@@ -22045,7 +22045,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
 
 
 
-for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s
+
+for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5
index 1f02b0c42326a979007e2700d6064fbe7e93f2f6..7fce9d252e3bdea182dc2e3ed9be583c5eb7f924 100644 (file)
@@ -2308,7 +2308,7 @@ if test ${with_ldap-'no'} != "no"; then
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 
-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s)
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s)
     AC_CHECK_HEADERS([sasl/sasl.h])
 
     AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
diff --git a/ldap.c b/ldap.c
index e11c310a90e7b066454a5ad73647d227ab871514..e6085777ea64ce456791505dbe5af9d29b7788f6 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -166,6 +166,8 @@ static struct ldap_config_table ldap_conf_table[] = {
 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
     { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
        &ldap_conf.tls_checkpeer },
+#else
+    { "tls_checkpeer", CONF_BOOL, FALSE, -1, &ldap_conf.tls_checkpeer },
 #endif
 #ifdef LDAP_OPT_X_TLS_CACERTFILE
     { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
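Review bot: The new `#else` entry registers the `tls_checkpeer` keyword unconditionally, so on a build that has neither LDAP_OPT_X_TLS_REQUIRE_CERT nor HAVE_LDAPSSL_SET_STRENGTH the option is parsed and then silently ignored, which means `tls_checkpeer yes` in ldap.conf would yield no server certificate verification and no diagnostic. Narrowing the branch to `#elif defined(HAVE_LDAPSSL_SET_STRENGTH)` keeps the keyword available only where something acts on it; whether the parser then reports an unknown keyword depends on code outside this hunk. The `-1` opt_val presumably tells the table walker to skip ldap_set_option() for this entry (the walker is not in the hunk), so a comment on the new line, `/* no LDAP option; applied via ldapssl_set_strength() */`, would save the next reader from hunting for that sentinel's meaning.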
@@ -996,11 +998,18 @@ sudo_ldap_read_config()
      * Interpret SSL option
      */
     if (ldap_conf.ssl != NULL) {
-           if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
-               ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
-           else if (_atobool(ldap_conf.ssl))
-               ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+       if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+           ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+       else if (_atobool(ldap_conf.ssl))
+           ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+    }
+
+#if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
+    if (ldap_conf.checkpeer != -1) {
+       ldapssl_set_strength(NULL,
+           ldap_conf.checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);
     }
+#endif
 
 #ifndef HAVE_LDAP_INITIALIZE
     /* Convert uri list to host list if no ldap_initialize(). */
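Review bot: The new block reads `ldap_conf.checkpeer`, but the option table entry added in the earlier hunk stores the parsed value in `ldap_conf.tls_checkpeer`; unless struct ldap_config (outside this hunk) really has both members, this either fails to compile or tests a field the parser never sets. The two uses on the `if` and the ternary should be `ldap_conf.tls_checkpeer`. Separately, the return value of ldapssl_set_strength() is discarded, so if the call fails a configured `tls_checkpeer yes` silently falls back to whatever the SDK's default strength is; the result should be checked and the failure reported through the file's existing warning path rather than ignored. The `!= -1` test also assumes the field is initialized to -1 when the keyword is absent, which this hunk does not show. sudo_ldap_read_config() starts and ends outside the hunk.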