From 9a07c1a7f17fcb92f7858e1ac8488e1fe6d1d011 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sun, 13 Jan 2008 19:22:11 +0000
Subject: [PATCH] For netscape-based LDAP, use ldapssl_set_strength() to implement the checkpeer ldap.conf option.
---
 README.LDAP | 2 +-
 config.h.in | 3 +++
 configure | 3 ++-
 configure.in | 2 +-
 ldap.c | 17 +++++++++++++----
 5 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/README.LDAP b/README.LDAP
index ea62a4431..6bb08e74a 100644
--- a/README.LDAP
+++ b/README.LDAP
@@ -258,7 +258,7 @@ when you imported the sudoers. Below is an example /etc/ldap.conf
 #ssl start_tls
 #
 # Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection. Only supported when using OpenLDAP.
+ # SSL/TLS connection.
 #
 #tls_checkpeer yes # verify server SSL certificate
 #tls_checkpeer no # ignore server SSL certificate
diff --git a/config.h.in b/config.h.in
index fe8b732fd..f4ab5df50 100644
--- a/config.h.in
+++ b/config.h.in
@@ -242,6 +242,9 @@
 /* Define to 1 if you have the `ldapssl_init' function. */
 #undef HAVE_LDAPSSL_INIT
+/* Define to 1 if you have the `ldapssl_set_strength' function. */
+#undef HAVE_LDAPSSL_SET_STRENGTH
+
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF
diff --git a/configure b/configure
index 8ab2798d1..3428891c5 100755
--- a/configure
+++ b/configure
@@ -22045,7 +22045,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s
+
+for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5
diff --git a/configure.in b/configure.in
index 1f02b0c42..7fce9d252 100644
--- a/configure.in
+++ b/configure.in
@@ -2308,7 +2308,7 @@ if test ${with_ldap-'no'} != "no"; then
 AC_MSG_RESULT([yes])
 AC_DEFINE(HAVE_LBER_H)])
- AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s)
+ AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s)
 AC_CHECK_HEADERS([sasl/sasl.h])
 AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
diff --git a/ldap.c b/ldap.c
index e11c310a9..e6085777e 100644
--- a/ldap.c
+++ b/ldap.c
@@ -166,6 +166,8 @@ static struct ldap_config_table ldap_conf_table[] = {
 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
 { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
 &ldap_conf.tls_checkpeer },
+#else
+ { "tls_checkpeer", CONF_BOOL, FALSE, -1, &ldap_conf.tls_checkpeer },
 #endif
 #ifdef LDAP_OPT_X_TLS_CACERTFILE
 { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
@@ -996,11 +998,18 @@ sudo_ldap_read_config()
 * Interpret SSL option
 */
 if (ldap_conf.ssl != NULL) {
- if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
- ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
- else if (_atobool(ldap_conf.ssl))
- ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+ if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+ ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+ else if (_atobool(ldap_conf.ssl))
+ ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+ }
+
+#if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
+ if (ldap_conf.checkpeer != -1) {
+ ldapssl_set_strength(NULL,
+ ldap_conf.checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);
 }
+#endif
 #ifndef HAVE_LDAP_INITIALIZE
 /* Convert uri list to host list if no ldap_initialize(). */
-- 
2.40.0
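Review bot: The new `#else` entry in ldap_conf_table stores the parsed option into `&ldap_conf.tls_checkpeer`, but the code added in the second ldap.c hunk (in sudo_ldap_read_config) reads `ldap_conf.checkpeer`; unless `struct ldap_config` (outside this view) has both members, the netscape build this commit targets will not compile, and if it does have both, the value the administrator set never reaches ldapssl_set_strength(). Both sites should name the same member, i.e. `if (ldap_conf.tls_checkpeer != -1) {` and `ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);`. The `-1` in the opt_val column is also an undocumented sentinel; a trailing comment such as `/* not an ldap_set_option() value; applied via ldapssl_set_strength() */` would tell the next reader why this entry differs from its neighbours. ldap_conf_table continues outside the hunk.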
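Review bot: The return value of `ldapssl_set_strength()` is discarded, so if the call fails the peer-verification level stays at whatever the SDK default is while tls_checkpeer appears to be enforced; this is the security-relevant branch and it should not fail silently. Check the result, `if (ldapssl_set_strength(NULL, ldap_conf.checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK) != 0)`, and report the failure through the warning routine ldap.c already uses (or treat it as fatal when LDAPSSL_AUTH_CERT was requested) rather than continuing. The block also deserves a comment stating what the `-1` branch means, e.g. `/* No per-handle TLS_REQUIRE_CERT option in this SDK: set the process-wide SSL strength; -1 means tls_checkpeer was not set and the SDK default is kept. */`, since a reader cannot otherwise tell that an unset option leaves verification to the library. Finally, the four removed and re-added `ssl_mode` lines appear identical apart from whitespace, which adds noise to the hunk; if the re-indent is intentional it is better kept in a separate whitespace-only commit. sudo_ldap_read_config() starts and ends outside the hunk.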