From: Howard Chu
Date: Tue, 7 Oct 2003 00:19:36 +0000 (+0000)
Subject: Added ldapdb_starttls keyword
X-Git-Tag: OPENLDAP_REL_ENG_2_1_MP~612
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=fee0f44307f407ff187645c3a2192b39f605718a;p=openldap

Added ldapdb_starttls keyword
---

diff --git a/contrib/ldapsasl/README b/contrib/ldapsasl/README
index db8d31e117..3ac8f814a4 100644
--- a/contrib/ldapsasl/README
+++ b/contrib/ldapsasl/README
@@ -64,3 +64,12 @@ sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
 sasl-regexp uid=(.*),cn=external,cn=auth
 	ldap:///dc=example,dc=com??sub?(uid=$1)
+One more update: you can use the ldapdb_starttls keyword to use the
+StartTLS extended operation on an LDAP session. This item may be set
+to either "try" or "demand", e.g.:
+
+ldapdb_uri: ldap://ldap.example.com
+ldapdb_starttls: try
+
+When set to "try" any failure in StartTLS is ignored. When set to "demand"
+then any failure aborts the connection.
diff --git a/contrib/ldapsasl/ldapdb.c b/contrib/ldapsasl/ldapdb.c
index b2c408e3bc..0ed61732af 100644
--- a/contrib/ldapsasl/ldapdb.c
+++ b/contrib/ldapsasl/ldapdb.c
@@ -38,6 +38,7 @@ typedef struct ldapctx {
 	struct berval id; /* SASL authcid to bind as */
 	struct berval pw; /* password for bind */
 	struct berval mech; /* SASL mech */
+	int use_tls; /* Issue StartTLS request? */
 } ldapctx;
 typedef struct gluectx {
@@ -145,6 +146,11 @@ static void ldapdb_auxprop_lookup(void *glob_context,
 	i = LDAP_VERSION3;
 	ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &i);
+	/* If TLS is set and it fails, continue or bail out as requested */
+	if (ctx->use_tls && ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
+		if (ctx->use_tls > 1) goto done;
+	}
+
 	ret = ldap_sasl_interactive_bind_s(ld, NULL, ctx->mech.bv_val, NULL, NULL,
 		LDAP_SASL_QUIET, ldapdb_interact, &gc);
 	if (ret != LDAP_SUCCESS) goto done;
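Review bot: The comment on the new `use_tls` field in the `ldapctx` hunk reads as a yes/no flag, but the lookup hunk later in this commit compares it with `> 1`, so the field is really a three-way setting and the struct should say so: `int use_tls; /* 0 = off, 1 = try StartTLS, 2 = demand StartTLS */`. A small three-value enum in place of the bare 1 and 2 would make both the parser and the `> 1` test self-explanatory, but the comment alone already tells a reader of the struct what the values mean.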
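Review bot: On the "demand" path in the `ldapdb_auxprop_lookup` hunk the StartTLS failure code is discarded: `goto done` is taken while `ret` still holds the result of the preceding `ldap_set_option` call, so if the code after `done:` (outside this hunk) reports or returns `ret`, a refused or failed StartTLS is indistinguishable from success. Keeping the result costs nothing, e.g. `if (ctx->use_tls && (ret = ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) {`. In "try" mode a failed StartTLS falls through to `ldap_sasl_interactive_bind_s` on the unprotected session, which is what the README promises, but depending on the configured `ctx->mech` that can send the bind credentials in the clear; a one-line comment on the fall-through such as `/* "try": StartTLS failed, continue without TLS */` would make the deliberate downgrade visible to the next reader. `ldapdb_auxprop_lookup` starts and ends outside this hunk.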
@@ -210,6 +216,8 @@ static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
 	if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
+	memset(&tmp, 0, sizeof(tmp));
+
 	utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
 	if(!tmp.uri) return SASL_BADPARAM;
@@ -222,6 +230,12 @@ static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
 	utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
 		(const char **)&tmp.mech.bv_val, &len);
 	tmp.mech.bv_len = len;
+	utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
+	if (s)
+	{
+		if (!strcasecmp(s, "demand")) tmp.use_tls = 2;
+		else if (!strcasecmp(s, "try")) tmp.use_tls = 1;
+	}
 	utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, &len);
 	if (s)
 	{
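Review bot: In the `ldapdb_starttls` parsing hunk an unrecognised value is silently treated as "off": only `demand` and `try` set `tmp.use_tls`, so a misspelt setting such as `ldapdb_starttls: yes` leaves the session without TLS and nothing at load time reports it. The same function already fails closed with `return SASL_BADPARAM;` when `ldapdb_uri` is missing, so the new block should do the same for any other value: `else return SASL_BADPARAM;` after the `try` branch. The bare literals 1 and 2 are compared with `> 1` in the lookup hunk of this commit; giving them names would keep the two sites in step. `ldapdb_auxprop_plug_init` starts before this hunk and continues after it, and `tmp` is declared outside the visible lines.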