From 19ff128f314a8b5aa6e47e3cde06a9754e40ed4f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 4 Sep 2007 22:51:35 +0000
Subject: [PATCH] back out partial ldaps support mistakenly committed

---
 ldap.c | 69 ++++++++++------------------------------------------------
 1 file changed, 11 insertions(+), 58 deletions(-)

diff --git a/ldap.c b/ldap.c
index ffa90ae3a..d6e97dfbf 100644
--- a/ldap.c
+++ b/ldap.c
@@ -109,14 +109,13 @@ struct ldap_config {
 int bind_timelimit;
 int use_sasl;
 int rootuse_sasl;
- int use_ssl;
- int start_tls;
 char *host;
 char *uri;
 char *binddn;
 char *bindpw;
 char *rootbinddn;
 char *base;
+ char *ssl;
 char *tls_cacertfile;
 char *tls_cacertdir;
 char *tls_random_file;
@@ -126,7 +125,6 @@ struct ldap_config {
 char *sasl_auth_id;
 char *rootsasl_auth_id;
 char *sasl_secprops;
- char *sslpath;
 char *krb5_ccname;
 } ldap_conf;
 
@@ -511,11 +509,11 @@ int
 sudo_ldap_read_config()
 {
 FILE *f;
- char buf[LINE_MAX], *c, *keyword, *value, *ssl = NULL;
+ char buf[LINE_MAX], *c, *keyword, *value;
 
 /* defaults */
- ldap_conf.version = LDAP_VERSION_MAX; /* XXX - use LDAP_VERSION? */
- ldap_conf.port = -1;
+ ldap_conf.version = 3;
+ ldap_conf.port = 389;
 ldap_conf.tls_checkpeer = -1;
 ldap_conf.timelimit = -1;
 ldap_conf.bind_timelimit = -1;
@@ -569,9 +567,7 @@ sudo_ldap_read_config()
 else
 MATCH_I("port", ldap_conf.port)
 else
- MATCH_S("ssl", ssl)
- else
- MATCH_S("sslpath", ldap_conf.sslpath)
+ MATCH_S("ssl", ldap_conf.ssl)
 else
 MATCH_B("tls_checkpeer", ldap_conf.tls_checkpeer)
 else
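Review bot: The restored defaults `ldap_conf.version = 3;` and `ldap_conf.port = 389;` are bare magic numbers where the lines they replace used names from the LDAP headers; `ldap_conf.version = LDAP_VERSION3;` and `ldap_conf.port = LDAP_PORT;` express the same defaults and stay tied to the library's definitions (LDAP_PORT already appears in code this commit removes). The `/* XXX - use LDAP_VERSION? */` question on the removed line disappears without an answer; if protocol version 3 is a deliberate floor, a one-line comment saying so would keep it from being re-asked. sudo_ldap_read_config starts and ends outside this hunk.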
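Review bot: `MATCH_S("ssl", ldap_conf.ssl)` now stores any string given for the `ssl` keyword, but its only consumer is the `strcasecmp(ldap_conf.ssl, "start_tls")` test in the last sudo_ldap_open hunk of this commit, so a value such as `ssl yes` — which the boolean handling removed further down used to honour — is parsed without complaint and has no effect, leaving the connection without TLS while the configuration suggests otherwise. Suggest rejecting what is not understood once the file has been read, e.g. after the `fclose(f);` in this function: `if (ldap_conf.ssl != NULL && strcasecmp(ldap_conf.ssl, "start_tls") != 0)` / `fprintf(stderr, "ldap.conf: unsupported ssl value \"%s\" (only start_tls is honoured)\n", ldap_conf.ssl);`, and treating that as a configuration error rather than a warning is the safer choice. The MATCH_* chain belongs to sudo_ldap_read_config, which begins before this hunk and continues after it.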
@@ -630,25 +626,6 @@ sudo_ldap_read_config()
 }
 fclose(f);
 
- /*
- * The ssl option may be a boolean or the string "start_tls".
- */
- if (ssl != NULL) {
- if (strcasecmp(ssl, "start_tls") == 0)
- ldap_conf.start_tls = 1;
- else
- ldap_conf.use_ssl = _atobool(ssl);
- }
-
- if (ldap_conf.port == -1) {
-#ifdef HAVE_LDAPSSL_INIT
- if (ldap_conf.use_ssl)
- ldap_conf.port = LDAPS_PORT;
- else
-#endif
- ldap_conf.port = LDAP_PORT;
- }
-
 if (!ldap_conf.host)
 ldap_conf.host = estrdup("localhost");
 
@@ -678,11 +655,9 @@ sudo_ldap_read_config()
 ldap_conf.bindpw : "(anonymous)");
 fprintf(stderr, "bind_timelimit %d\n", ldap_conf.bind_timelimit);
 fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit);
-#ifdef HAVE_LDAPSSL_INIT
- fprintf(stderr, "use_ssl %d\n", ldap_conf.use_ssl);
-#endif
 #ifdef HAVE_LDAP_START_TLS_S
- fprintf(stderr, "start_tls %d\n", ldap_conf.start_tls);
+ fprintf(stderr, "ssl %s\n", ldap_conf.ssl ?
+ ldap_conf.ssl : "(no)");
 #endif
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
 fprintf(stderr, "use_sasl %d\n", ldap_conf.use_sasl);
@@ -992,7 +967,7 @@ sudo_ldap_open()
 if (!sudo_ldap_read_config())
 return(NULL);
 
- /* attempt to setup TLS options */
+ /* attempt to setup ssl options */
 #ifdef LDAP_OPT_X_TLS_CACERTFILE
 SET_OPTS(X_TLS_CACERTFILE, tls_cacertfile);
 #endif /* LDAP_OPT_X_TLS_CACERTFILE */
@@ -1050,26 +1025,14 @@ sudo_ldap_open() } #endif -#ifdef HAVE_LDAPSSL_INIT - /* setup SSL before connecting */ - if (ldap_conf.use_ssl && ldap_conf.sslpath != NULL) { - rc = ldapssl_client_init(ldap_conf.sslpath, NULL); - if (rc != LDAP_SUCCESS) { - fprintf(stderr, "ldapssl_client_init()=%d : %s\n", - rc, ldap_err2string(rc)); - return(NULL); - } - } -#endif - - /* attempt connection */ + /* attempt connect */ #ifdef HAVE_LDAP_INITIALIZE if (ldap_conf.uri) { DPRINTF(("ldap_initialize(ld,%s)", ldap_conf.uri), 2); rc = ldap_initialize(&ld, ldap_conf.uri); - if (rc != LDAP_SUCCESS) { + if (rc) { fprintf(stderr, "ldap_initialize()=%d : %s\n", rc, ldap_err2string(rc)); return(NULL); @@ -1077,21 +1040,11 @@ sudo_ldap_open() } else #endif /* HAVE_LDAP_INITIALIZE */ if (ldap_conf.host) { -#ifdef HAVE_LDAPSSL_INIT - DPRINTF(("ldapssl_init(%s,%d,%d)", ldap_conf.host, ldap_conf.port, - ldap_conf.use_ssl), 2); - ld = ldapssl_init(ldap_conf.host, ldap_conf.port, ldap_conf.use_ssl); - if (ld == NULL) { - warning("ldapssl_init()"); - return(NULL); - } -#else DPRINTF(("ldap_init(%s,%d)", ldap_conf.host, ldap_conf.port), 2); if ((ld = ldap_init(ldap_conf.host, ldap_conf.port)) == NULL) { warning("ldap_init()"); return(NULL); } -#endif } #ifdef LDAP_OPT_PROTOCOL_VERSION @@ -1101,7 +1054,7 @@ sudo_ldap_open() #ifdef HAVE_LDAP_START_TLS_S /* Turn on TLS */ - if (ldap_conf.start_tls) { + if (ldap_conf.ssl && !strcasecmp(ldap_conf.ssl, "start_tls")) { rc = ldap_start_tls_s(ld, NULL, NULL); if (rc != LDAP_SUCCESS) { fprintf(stderr, "ldap_start_tls_s(): %d: %s\n", rc, -- 2.40.0
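Review bot: `if (rc) {` after `ldap_initialize()` is the one place in this commit that tests an LDAP result code by truthiness; the `ldap_start_tls_s` check in the final hunk and the `ldapssl_client_init` path being removed here both compare against `LDAP_SUCCESS`, so the restored line reads more consistently as `if (rc != LDAP_SUCCESS) {` and makes clear that rc is a result code rather than a count. The rest of the hunk is a comment rename and the removal of the ldapssl block; sudo_ldap_open begins before this hunk and continues after it.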
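Review bot: The new `if (ldap_conf.ssl && !strcasecmp(ldap_conf.ssl, "start_tls"))` is the only place the `ssl` setting is acted on and it sits inside `#ifdef HAVE_LDAP_START_TLS_S`, while sudo_ldap_read_config stores the keyword on every build; on a libldap without ldap_start_tls_s an `ssl start_tls` line is accepted, never acted on, and the bind proceeds without TLS and without any diagnostic. The same guard wraps the `fprintf(stderr, "ssl %s\n", ...)` in the earlier debug-dump hunk, so the value is not even visible in debug output on such a build. Suggest an `#else` arm on this block that fails closed when TLS was explicitly requested but cannot be provided (and the debug print could then leave its `#ifdef` too); whether a hard failure or a warning is appropriate is a policy call, but silence is not. The `if` body and its `#endif` continue past the end of the hunk.
```c
#ifdef HAVE_LDAP_START_TLS_S
    /* … unchanged: "Turn on TLS" block, ldap_start_tls_s() call and its error report … */
#else
    /* TLS was requested in ldap.conf but this libldap has no ldap_start_tls_s(): fail closed. */
    if (ldap_conf.ssl != NULL) {
	fprintf(stderr, "ssl option set but start_tls is not supported by this build\n");
	return(NULL);
    }
#endif
```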