List: pamldap
Subject: [pamldap] LDAPS connections with OpenLDAP 2
From: Norbert Klasen <klasen () zdv ! uni-tuebingen ! de>
Date: 2000-12-01 17:50:38
Hi,
I've written a patch to pam_ldap-82 to allow connections using LDAP over
SSL (LDAPS, usually port 636) with the OpenLDAP 2.0 libs.
The configuration directive "ssl yes" is kept for compatibility with the
Netscape SDK. The start_tls mode introduced in pam_ldap 73 is now
activated with "ssl start_tls".
P.S.: See also OpenLDAP ITS #889 for a bug in OpenLDAP 2.0.7's SSL mode.
-- 
Norbert Klasen
DFN Directory Services                  tel: +49 7071 29 70335
ZDV, Universität Tübingen               fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen          http://www.directory.dfn.de
Germany                                 norbert.klasen@zdv.uni-tuebingen.de
["norbert.klasen-20001201-openldap2ssl.patch" (text/plain)]
--- pam_ldap.c.orig Fri Dec 1 18:13:18 2000
+++ pam_ldap.c Fri Dec 1 18:24:29 2000
@@ -113,6 +113,10 @@
#include <ldap_ssl.h>
#endif
+#define SSL_OFF 0
+#define SSL_YES 1
+#define SSL_START_TLS 2
+
#ifdef YPLDAPD
#include <rpcsvc/yp_prot.h>
#include <rpcsvc/ypclnt.h>
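Review bot: The three new mode constants at the top of this hunk would be better as an enum than as bare #defines — an enum is visible in a debugger and gives the `ssl_on` comparisons added later in this patch a named type: `enum { SSL_OFF = 0, SSL_YES = 1, SSL_START_TLS = 2 };`. This is a style point only; the values and their uses are unchanged.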
@@ -406,7 +410,7 @@
result->bindpw = NULL;
result->rootbinddn = NULL;
result->rootbindpw = NULL;
- result->ssl_on = 0;
+ result->ssl_on = SSL_OFF;
result->sslpath = NULL;
result->filter = NULL;
result->userattr = NULL;
@@ -645,7 +650,14 @@
}
else if (!strcasecmp (k, "ssl"))
{
- result->ssl_on = !strcasecmp (v, "yes");
+ if (!strcasecmp (v, "yes"))
+ {
+ result->ssl_on = SSL_YES;
+ }
+ else if (!strcasecmp (v, "start_tls"))
+ {
+ result->ssl_on = SSL_START_TLS;
+ }
}
else if (!strcasecmp (k, "pam_filter"))
{
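Review bot: An `ssl` value that is neither `yes` nor `start_tls` is silently ignored by the new if/else chain, so a typo such as `ssl starttls` or `ssl true` leaves `ssl_on` at SSL_OFF and the module later binds with the user's password over cleartext LDAP with no indication that TLS was requested. The replaced one-liner had the same silent fallback, but adding a second accepted spelling makes a misconfiguration more likely, and for a PAM module the safe direction is to fail loudly. I would add a final branch that rejects, or at least reports, the unknown value, e.g. `else if (strcasecmp (v, "no") != 0) { /* unrecognised ssl value: report it, do not fall back to cleartext */ }` — the hunk does not show which logging facility the parser uses, so the body should follow whatever the surrounding parser does for other bad values. The enclosing configuration-parsing function starts and ends outside this hunk.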
@@ -715,8 +727,8 @@
if (result->port == 0)
{
-#ifdef HAVE_LDAPSSL_INIT
- if (result->ssl_on)
+#if (HAVE_LDAPSSL_INIT || LDAP_OPT_X_TLS)
+ if (result->ssl_on == SSL_YES)
{
result->port = LDAPS_PORT;
}
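Review bot: The new `#if (HAVE_LDAPSSL_INIT || LDAP_OPT_X_TLS)` on the third line of the hunk relies on both macros expanding to a non-zero integer; that holds for autoconf's `#define HAVE_LDAPSSL_INIT 1` and for OpenLDAP's option code, but an empty `#define HAVE_LDAPSSL_INIT` would turn the expression into a preprocessor syntax error. The robust form is `#if defined(HAVE_LDAPSSL_INIT) || defined(LDAP_OPT_X_TLS)`, which also matches how the rest of the patch tests these names (`#ifdef HAVE_LDAPSSL_INIT`, `#ifdef LDAP_OPT_X_TLS`). Note also that when neither macro is defined, `ssl yes` leaves the port at the cleartext default and, as far as this patch shows, no TLS code is compiled in at all; an `#else` branch that rejects `ssl yes` in such a build would make that silent downgrade visible. The enclosing function starts and ends outside this hunk.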
@@ -766,7 +778,7 @@
#ifdef HAVE_LDAPSSL_INIT
int rc;
- if (session->conf->ssl_on && ssl_initialized == 0)
+ if (session->conf->ssl_on == SSL_YES && ssl_initialized == 0)
{
rc = ldapssl_client_init (session->conf->sslpath, NULL);
if (rc != LDAP_SUCCESS)
@@ -788,6 +800,16 @@
{
#ifdef HAVE_LDAP_INIT
session->ld = ldap_init (session->conf->host, session->conf->port);
+#ifdef LDAP_OPT_X_TLS
+ if (session->conf->ssl_on == SSL_YES)
+ {
+ int tls = LDAP_OPT_X_TLS_HARD;
+ if (ldap_set_option(session->ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+ {
+ ldap_perror(session->ld,"ldap_set_option(LDAP_OPT_X_TLS)");
+ }
+ }
+#endif /* LDAP_OPT_X_TLS */
#else
session->ld = ldap_open (session->conf->host, session->conf->port);
#endif /* HAVE_LDAP_INIT */
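Review bot: If `ldap_set_option(LDAP_OPT_X_TLS)` fails, the new code only calls `ldap_perror` and falls through, so the session continues as a plain LDAP connection on the LDAPS port and the subsequent bind would send the user's password in cleartext; a failed TLS setup in a PAM module should abort the connection rather than be logged and ignored. I would make that failure path return an error from the enclosing function (its name and return convention are outside this hunk, so I cannot quote the exact value) or mark the session so the later bind is refused. The `session->ld` returned by `ldap_init` on the first context line is also not checked before the call; under OpenLDAP, `ldap_set_option` with a NULL handle modifies the library-wide default rather than failing, so if the NULL check lives later in the function a failed `ldap_init` would quietly change global state. Finally, the patch sets `LDAP_OPT_X_TLS_HARD` but nothing about certificate verification (`LDAP_OPT_X_TLS_REQUIRE_CERT` / `TLS_REQCERT`), so whether the server certificate is validated rests on the library and ldap.conf defaults — worth stating in the configuration documentation.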
@@ -818,7 +840,7 @@
#ifdef HAVE_LDAP_START_TLS_S
- if (session->conf->ssl_on)
+ if (session->conf->ssl_on == SSL_START_TLS)
{
if (ldap_start_tls_s( session->ld, NULL, NULL ) != LDAP_SUCCESS)
ldap_perror(session->ld,"ldap_start_tls");