From a1af9beb915e96da634b7d17762bf42146104d45 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 25 Jan 2011 10:47:25 -0500 Subject: Add option to disable TLS for LDAP auth Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API. --- src/providers/ldap/ldap_auth.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'src/providers/ldap/ldap_auth.c') diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index 853231b3..f4bbabf6 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -536,6 +536,7 @@ static void auth_resolve_done(struct tevent_req *subreq) struct auth_state *state = tevent_req_data(req, struct auth_state); int ret; + bool use_tls; ret = be_resolve_server_recv(subreq, &state->srv); talloc_zfree(subreq); @@ -546,8 +547,19 @@ static void auth_resolve_done(struct tevent_req *subreq) return; } + /* Check for undocumented debugging feature to disable TLS + * for authentication. This should never be used in production + * for obvious reasons. + */ + use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS); + if (!use_tls) { + sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over " + "insecure connection. This should be done " + "for debugging purposes only."); + } + subreq = sdap_connect_send(state, state->ev, state->ctx->opts, - state->sdap_service->uri, true); + state->sdap_service->uri, use_tls); if (!subreq) { tevent_req_error(req, ENOMEM); return; -- cgit