5 files changed, 37 insertions, 1 deletions

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 407b9ef5..b3467c60 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -62,6 +62,9 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "entry_cache_timeout", DP_OPT_NUMBER, { .number = 1800 }, NULL_NUMBER },
     { "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_sasl_mech", DP_OPT_STRING, { "GSSAPI" } , NULL_STRING },
     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 294e84fa..39fe31dc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following defines are used to keep track of the options in the ldap
  * module, so that if they change and ipa is not updated correspondingly
  * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 44
+#define IPA_OPTS_BASIC_TEST 47
 
 /* the following define is used to keep track of the options in the krb5
  * module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 48c35638..e669ba6c 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -57,6 +57,9 @@ struct dp_option default_basic_opts[] = {
     { "entry_cache_timeout", DP_OPT_NUMBER, { .number = 5400 }, NULL_NUMBER },
     { "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 573de178..ea2eabe7 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -350,6 +350,33 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
         }
     }
 
+    tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CERT);
+    if (tls_opt) {
+        ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, tls_opt);
+        if (ret != LDAP_OPT_SUCCESS) {
+            DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+            return EIO;
+        }
+    }
+
+    tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_KEY);
+    if (tls_opt) {
+        ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, tls_opt);
+        if (ret != LDAP_OPT_SUCCESS) {
+            DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+            return EIO;
+        }
+    }
+
+    tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CIPHER_SUITE);
+    if (tls_opt) {
+        ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, tls_opt);
+        if (ret != LDAP_OPT_SUCCESS) {
+            DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+            return EIO;
+        }
+    }
+
     return EOK;
 }
 
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 932abca4..e053210a 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -176,6 +176,9 @@ enum sdap_basic_opt {
     SDAP_ENTRY_CACHE_TIMEOUT,
     SDAP_TLS_CACERT,
     SDAP_TLS_CACERTDIR,
+    SDAP_TLS_CERT,
+    SDAP_TLS_KEY,
+    SDAP_TLS_CIPHER_SUITE,
     SDAP_ID_TLS,
     SDAP_SASL_MECH,
     SDAP_SASL_AUTHID,