From: Todd C. Miller
Date: Thu, 24 Oct 2013 21:40:02 +0000 (-0600)
Subject: If user specified start_tls and ldaps, display a warning and ignore
X-Git-Tag: SUDO_1_8_9^2~139
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e2bfbe603903e983ef6cc696b6dfe2e99795d2b1;p=sudo

If user specified start_tls and ldaps, display a warning and ignore
start_tls. There's no reason to make this a fatal error.
---
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index d11b1ebf8..c799e404f 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -493,10 +493,8 @@ sudo_ldap_parse_uri(const struct ldap_config_str_list *uri_list)
             warningx(_("unable to mix ldap and ldaps URIs"));
             goto done;
         }
-        if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
-            warningx(_("unable to mix ldaps and starttls"));
-            goto done;
-        }
+        if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS)
+            warningx(_("starttls not supported when using ldaps"));
         ldap_conf.ssl_mode = SUDO_LDAP_SSL;
     }
     efree(buf);
@@ -518,18 +516,18 @@ toobig:
 }
 #else
 static char *
-sudo_ldap_join_uri(struct ldap_config_str_list *uri_list, int ssl_mode)
+sudo_ldap_join_uri(struct ldap_config_str_list *uri_list)
 {
     struct ldap_config_str *uri;
     size_t len = 0;
-    char *cp, *buf = NULL;
+    char *buf, *cp;
     debug_decl(sudo_ldap_join_uri, SUDO_DEBUG_LDAP)
 
     STAILQ_FOREACH(uri, uri_list, entries) {
-        if (ssl_mode == SUDO_LDAP_STARTTLS) {
+        if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
             if (strncasecmp(uri->val, "ldaps://", 8) == 0) {
-                warningx(_("unable to mix ldaps and starttls"));
-                goto done;
+                warningx(_("starttls not supported when using ldaps"));
+                ldap_conf.ssl_mode = SUDO_LDAP_SSL;
             }
         }
         len += strlen(uri->val) + 1;
@@ -541,7 +539,6 @@ sudo_ldap_join_uri(struct ldap_config_str_list *uri_list, int ssl_mode)
         *cp++ = ' ';
     }
     cp[-1] = '\0';
-done:
     debug_return_str(buf);
 }
 #endif /* HAVE_LDAP_INITIALIZE */
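Review bot: The new brace-less `if` in sudo_ldap_parse_uri departs from the surrounding style, since the ldap/ldaps mix check three lines above braces its single-statement body, and a reader can easily miss that the unconditional `ldap_conf.ssl_mode = SUDO_LDAP_SSL;` on the next line is what turns the former error into a warning. Brace the body and state the reasoning above it: `/* ldaps:// already implies TLS, so override starttls instead of failing. */` followed by `if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {` ... `}`. The enclosing function starts and ends outside the hunk, so whether ssl_mode is consulted again later (e.g. for a start_tls step) cannot be confirmed from here.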
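Review bot: sudo_ldap_join_uri now writes the global `ldap_conf.ssl_mode` from inside a function whose name and signature promise only to build a string, and nothing at the definition says so. This also changes the security posture for a mixed list such as `ldap://a ldaps://b`: the old code refused that combination with starttls, whereas now ssl_mode is flipped to SUDO_LDAP_SSL before any connection is made, so a start_tls step keyed on SUDO_LDAP_STARTTLS (not visible in this hunk) would presumably no longer run for the plain ldap:// entry; the ldap/ldaps mix check appears only in sudo_ldap_parse_uri as far as the diff shows, so this `#else` path seems to have no equivalent guard. Either keep refusing mixed schemes here or document the side effect above the definition, e.g. `/* Join uri_list into a space-separated string (caller frees). Side effect: when an ldaps:// URI is present, switches ldap_conf.ssl_mode from STARTTLS to SSL. */`. Dropping `= NULL` from `buf` is only safe because the `done:` label goes away in the following hunk; the allocation that assigns buf lies outside the hunk.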
@@ -2491,7 +2488,7 @@ sudo_ldap_open(struct sudo_nss *nss)
     /* Connect to LDAP server */
 #ifdef HAVE_LDAP_INITIALIZE
     if (!STAILQ_EMPTY(&ldap_conf.uri)) {
-        char *buf = sudo_ldap_join_uri(&ldap_conf.uri, ldap_conf.ssl_mode);
+        char *buf = sudo_ldap_join_uri(&ldap_conf.uri);
         if (buf != NULL) {
             DPRINTF2("ldap_initialize(ld, %s)", buf);
             rc = ldap_initialize(&ld, buf);
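Review bot: With the `ssl_mode` argument gone, sudo_ldap_open now silently depends on sudo_ldap_join_uri having rewritten `ldap_conf.ssl_mode` before any later check of that field in this function, and nothing at the call site records that ordering constraint; a one-line comment such as `/* may change ldap_conf.ssl_mode to SUDO_LDAP_SSL if an ldaps:// URI is listed */` above the call would make the dependency visible. The `if (buf != NULL)` guard that follows also looks dead after this series, because the `done:` label and the `buf = NULL` initializer are removed from join_uri and the only remaining NULL source would be the allocator, which is outside the diff; if that allocator is fatal on failure the guard should go, otherwise the NULL case deserves a comment. The enclosing function continues well past the hunk.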