summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2009-06-02 18:08:08 +0200
committerSimo Sorce <ssorce@redhat.com>2009-06-02 15:34:53 -0400
commite7514def89cbbf52cc49fbc0f8ad6fe642304331 (patch)
tree6b58e34b5efd89245e29bd9b4a470f7b562bc063
parent72a36ddec46744a6aa1443f62066c1d9e422b190 (diff)
downloadsssd-e7514def89cbbf52cc49fbc0f8ad6fe642304331.tar.gz
sssd-e7514def89cbbf52cc49fbc0f8ad6fe642304331.tar.bz2
sssd-e7514def89cbbf52cc49fbc0f8ad6fe642304331.zip
added tls_reqcert option for native LDAP backend
In order to allow to access LDAP servers which do not provide SSL/TLS encryption the option tls_reqcert is added to the native LDAP backend. It accepts the same arguments as the corresponding OpenLDAP option documented in ldap.conf(5) and should preform accordingly.
-rw-r--r--server/providers/ldap/ldap_auth.c32
1 files changed, 32 insertions, 0 deletions
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index b2100895..476dbc73 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -786,6 +786,8 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
char *user_search_base;
char *user_name_attribute;
char *user_object_class;
+ char *tls_reqcert;
+ int ldap_opt_x_tls_require_cert;
int network_timeout;
int opt_timeout;
int ret;
@@ -850,6 +852,36 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
if (ret != EOK) goto done;
ctx->network_timeout = opt_timeout;
+ ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
+ "tls_reqcert", NULL, &tls_reqcert);
+ if (ret != EOK) goto done;
+ if (tls_reqcert != NULL ) {
+ if (strcasecmp(tls_reqcert, "never") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER;
+ } else if (strcasecmp(tls_reqcert, "allow") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW;
+ } else if (strcasecmp(tls_reqcert, "try") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY;
+ } else if (strcasecmp(tls_reqcert, "demand") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+ } else if (strcasecmp(tls_reqcert, "hard") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD;
+ } else {
+ DEBUG(1, ("Unknown value for tls_reqcert.\n"));
+ ret = EINVAL;
+ goto done;
+ }
+ /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option, because
+ * the SSL/TLS context is initialized from this value. */
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &ldap_opt_x_tls_require_cert);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ ret = EIO;
+ goto done;
+ }
+ }
+
*ops = &sdap_auth_ops;
*pvt_data = ctx;
ret = EOK;