sasl-regexp uid=(.*),cn=external,cn=auth
ldap:///dc=example,dc=com??sub?(uid=$1)
+One more update: you can use the ldapdb_starttls keyword to use the
+StartTLS extended operation on an LDAP session. This item may be set
+to either "try" or "demand", e.g.:
+
+ldapdb_uri: ldap://ldap.example.com
+ldapdb_starttls: try
+
+When set to "try" any failure in StartTLS is ignored. When set to "demand"
+then any failure aborts the connection.
struct berval id; /* SASL authcid to bind as */
struct berval pw; /* password for bind */
struct berval mech; /* SASL mech */
+ int use_tls; /* Issue StartTLS request? */
} ldapctx;
typedef struct gluectx {
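Review bot: The comment on the new `use_tls` field at L15 does not say that the field is a three-valued mode rather than a flag, yet the code relies on `use_tls > 1` meaning "demand" and `1` meaning "try" (the values assigned from the `ldapdb_starttls` option). Since the struct header is outside the hunk and a reader of the field alone cannot recover that encoding, I would replace the comment with `/* StartTLS mode: 0 = off, 1 = "try" (failure ignored, bind continues in clear), 2 = "demand" (failure aborts) */`. Naming the two non-zero values as an enum would also avoid the bare `> 1` comparison at the use site.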
i = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &i);
+ /* If TLS is set and it fails, continue or bail out as requested */
+ if (ctx->use_tls && ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
+ if (ctx->use_tls > 1) goto done;
+ }
+
ret = ldap_sasl_interactive_bind_s(ld, NULL, ctx->mech.bv_val, NULL, NULL,
LDAP_SASL_QUIET, ldapdb_interact, &gc);
if (ret != LDAP_SUCCESS) goto done;
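Review bot: At L21-L22 the result of `ldap_start_tls_s()` is discarded, so in "demand" mode the `goto done` leaves `ret` holding the earlier `ldap_set_option()` result (presumably `LDAP_SUCCESS`), and if the `done:` label, which lies outside the hunk, derives the function's return code from `ret`, a refused StartTLS would be reported as success rather than as a failed connection. Keeping the error code fixes that and costs no extra lines: `if (ctx->use_tls) { ret = ldap_start_tls_s(ld, NULL, NULL);` / `if (ret != LDAP_SUCCESS && ctx->use_tls > 1) goto done; }`; in "try" mode `ret` is then overwritten by the bind at L25 as before. In "try" mode the fall-back is also completely silent: the bind at L25 proceeds over the cleartext connection with the credentials `ldapdb_interact` supplies, so a log message at that point (with whatever logging facility the plugin uses) would let operators detect an unexpected downgrade, and the documentation text for "try" should state that the bind continues unencrypted. The enclosing function begins and ends outside this hunk.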
if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
+ memset(&tmp, 0, sizeof(tmp));
+
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
if(!tmp.uri) return SASL_BADPARAM;
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
(const char **)&tmp.mech.bv_val, &len);
tmp.mech.bv_len = len;
+ utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
+ if (s)
+ {
+ if (!strcasecmp(s, "demand")) tmp.use_tls = 2;
+ else if (!strcasecmp(s, "try")) tmp.use_tls = 1;
+ }
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, &len);
if (s)
{