
List:       pamldap
Subject:    [pamldap] LDAPS connections with OpenLDAP 2
From:       Norbert Klasen <klasen () zdv ! uni-tuebingen ! de>
Date:       2000-12-01 17:50:38

Hi,
I've written a patch to pam_ldap-82 to allow connections using LDAP over
SSL (LDAPS, usually port 636) with the OpenLDAP 2.0 libs.

The configuration directive is "ssl yes" to be compatible with the
Netscape SDK. The start_tls mode introduced in pam_ldap 73 is now
activated with "ssl start_tls".

P.S.: See also OpenLDAP ITS #889 for a bug in OpenLDAP 2.0.7's SSL mode.

-- 

Norbert Klasen
DFN Directory Services                           tel: +49 7071 29 70335
ZDV, Universität Tübingen                        fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen              http://www.directory.dfn.de
Germany                             norbert.klasen@zdv.uni-tuebingen.de
["norbert.klasen-20001201-openldap2ssl.patch" (text/plain)]

--- pam_ldap.c.orig	Fri Dec  1 18:13:18 2000
+++ pam_ldap.c	Fri Dec  1 18:24:29 2000
@@ -113,6 +113,10 @@
 #include <ldap_ssl.h>
 #endif
 
+#define SSL_OFF			0
+#define SSL_YES			1
+#define SSL_START_TLS 	2
+
 #ifdef YPLDAPD
 #include <rpcsvc/yp_prot.h>
 #include <rpcsvc/ypclnt.h>
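Review bot: The three new constants carry no comment linking them to the `ssl_on` field they are stored in, and that field's name still reads as a boolean although `SSL_START_TLS` turns it into a three-way mode. A comment above the defines such as `/* values of result->ssl_on: SSL_OFF = plaintext, SSL_YES = LDAPS on the socket (LDAPS_PORT), SSL_START_TLS = StartTLS after connecting */` would make the later `== SSL_YES` / `== SSL_START_TLS` tests self-explanatory; an `enum` would additionally give the values names in a debugger. The `SSL_START_TLS` line also mixes a tab and a space before its value where the other two use tabs only.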
@@ -406,7 +410,7 @@
   result->bindpw = NULL;
   result->rootbinddn = NULL;
   result->rootbindpw = NULL;
-  result->ssl_on = 0;
+  result->ssl_on = SSL_OFF;
   result->sslpath = NULL;
   result->filter = NULL;
   result->userattr = NULL;
@@ -645,7 +650,14 @@
 	}
       else if (!strcasecmp (k, "ssl"))
 	{
-	  result->ssl_on = !strcasecmp (v, "yes");
+		if (!strcasecmp (v, "yes"))
+		  {
+			result->ssl_on = SSL_YES;
+		  }
+		else if (!strcasecmp (v, "start_tls"))
+		  {
+			result->ssl_on = SSL_START_TLS;
+		  }
 	}
       else if (!strcasecmp (k, "pam_filter"))
 	{
@@ -715,8 +727,8 @@
 
   if (result->port == 0)
     {
-#ifdef HAVE_LDAPSSL_INIT
-      if (result->ssl_on)
+#if (HAVE_LDAPSSL_INIT || LDAP_OPT_X_TLS)
+      if (result->ssl_on == SSL_YES)
 	{
 	  result->port = LDAPS_PORT;
 	}
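Review bot: `#if (HAVE_LDAPSSL_INIT || LDAP_OPT_X_TLS)` replaces an `#ifdef` with an arithmetic test, which only works if both macros expand to non-zero integers: a configure-generated `HAVE_LDAPSSL_INIT` that is defined empty makes the expression malformed, and an undefined macro quietly evaluates to 0. Keeping the presence test preserves the original semantics for both libraries: `#if defined(HAVE_LDAPSSL_INIT) || defined(LDAP_OPT_X_TLS)`. The surrounding port-defaulting code runs past the end of the hunk.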
@@ -766,7 +778,7 @@
 #ifdef HAVE_LDAPSSL_INIT
   int rc;
 
-  if (session->conf->ssl_on && ssl_initialized == 0)
+  if (session->conf->ssl_on == SSL_YES && ssl_initialized == 0)
     {
       rc = ldapssl_client_init (session->conf->sslpath, NULL);
       if (rc != LDAP_SUCCESS)
@@ -788,6 +800,16 @@
     {
 #ifdef HAVE_LDAP_INIT
       session->ld = ldap_init (session->conf->host, session->conf->port);
+#ifdef    LDAP_OPT_X_TLS
+		if (session->conf->ssl_on == SSL_YES)
+		  {
+			int tls = LDAP_OPT_X_TLS_HARD;
+			if (ldap_set_option(session->ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+			  {
+				ldap_perror(session->ld,"ldap_set_option(LDAP_OPT_X_TLS)");
+			  }
+		  }
+#endif    /* LDAP_OPT_X_TLS */
 #else
       session->ld = ldap_open (session->conf->host, session->conf->port);
 #endif /* HAVE_LDAP_INIT */
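Review bot: When `ldap_set_option(session->ld, LDAP_OPT_X_TLS, &tls)` fails, the new code only calls `ldap_perror` and falls through, so a session configured with `ssl yes` carries on over the plaintext handle; the StartTLS hunk at `@@ -818,7 +840,7 @@` has the same shape, where a failed `ldap_start_tls_s` is likewise only reported. Because the whole point of the setting is that the bind credentials never travel unencrypted, the failure should abort the connection — release the handle, clear `session->ld` and return the error code this function already uses for its other failure paths (that convention is outside the hunk, so I cannot quote it) — rather than proceed. `ldap_init` can also return NULL, and nothing in the hunk checks `session->ld` before it is handed to `ldap_set_option`; if that check lives outside the hunk it is fine, otherwise it should precede the option call. The enclosing connect function starts and ends outside this hunk.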
@@ -818,7 +840,7 @@
 
 #ifdef HAVE_LDAP_START_TLS_S 
 
-   if (session->conf->ssl_on)
+   if (session->conf->ssl_on == SSL_START_TLS)
    {
       if (ldap_start_tls_s( session->ld, NULL, NULL ) != LDAP_SUCCESS)
          ldap_perror(session->ld,"ldap_start_tls");


