Provide a more useful error message if using a Mozilla-style LDAP

author Todd C. Miller <Todd.Miller@courtesan.com>

Mon, 23 Apr 2012 19:30:34 +0000 (15:30 -0400)

committer Todd C. Miller <Todd.Miller@courtesan.com>

Mon, 23 Apr 2012 19:30:34 +0000 (15:30 -0400)
author Todd C. Miller <Todd.Miller@courtesan.com>
Mon, 23 Apr 2012 19:30:34 +0000 (15:30 -0400)
committer Todd C. Miller <Todd.Miller@courtesan.com>
Mon, 23 Apr 2012 19:30:34 +0000 (15:30 -0400)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c

index 705b518fca1f08b11182319051df7e3b448e1555..ac45a7c80003519c01cc8e961b6e24ff599507e2 100644 (file)
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -529,32 +529,42 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
         rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
             ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
         /*
-        * Mozilla-derived SDKs have a bug starting with version 5.0
-        * where the path can no longer be a file name and must be a dir.
+        * Starting with version 5.0, Mozilla-derived LDAP SDKs require
+        * the cert and key paths to be a directory, not a file.
+        * If the user specified a file and it fails, try the parent dir.
          */
         if (rc != LDAP_SUCCESS) {
-           char *cp;
-           if (ldap_conf.tls_certfile) {
-               cp = strrchr(ldap_conf.tls_certfile, '/');
-               if (cp != NULL && strncmp(cp + 1, "cert", 4) == 0)
+           bool retry = false;
+           if (ldap_conf.tls_certfile != NULL) {
+               char *cp = strrchr(ldap_conf.tls_certfile, '/');
+               if (cp != NULL && strncmp(cp + 1, "cert", 4) == 0) {
                     *cp = '\0';
+                   retry = true;
+               }
             }
-           if (ldap_conf.tls_keyfile) {
-               cp = strrchr(ldap_conf.tls_keyfile, '/');
-               if (cp != NULL && strncmp(cp + 1, "key", 3) == 0)
+           if (ldap_conf.tls_keyfile != NULL) {
+               char *cp = strrchr(ldap_conf.tls_keyfile, '/');
+               if (cp != NULL && strncmp(cp + 1, "key", 3) == 0) {
                     *cp = '\0';
+                   retry = true;
+               }
             }
-           DPRINTF(("ldapssl_clientauth_init(%s, %s)",
-               ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
-               ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
-           rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
-               ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
-           if (rc != LDAP_SUCCESS) {
-               warningx(_("unable to initialize SSL cert and key db: %s"),
-                   ldapssl_err2string(rc));
-               goto done;
+           if (retry) {
+               DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+                   ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+                   ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
+               rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+                   ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
             }
         }
+       if (rc != LDAP_SUCCESS) {
+           warningx(_("unable to initialize SSL cert and key db: %s"),
+               ldapssl_err2string(rc));
+           if (ldap_conf.tls_certfile == NULL)
+               warningx(_("you must set TLS_CERT in %s to use SSL"),
+                   _PATH_LDAP_CONF);
+           goto done;
+       }
  
         DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
         if ((ld = ldapssl_init(host, port, 1)) != NULL)
author	Todd C. Miller <Todd.Miller@courtesan.com>
	Mon, 23 Apr 2012 19:30:34 +0000 (15:30 -0400)
committer	Todd C. Miller <Todd.Miller@courtesan.com>
	Mon, 23 Apr 2012 19:30:34 +0000 (15:30 -0400)