From a1af9beb915e96da634b7d17762bf42146104d45 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 25 Jan 2011 10:47:25 -0500
Subject: Add option to disable TLS for LDAP auth

Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API.
---
 src/providers/ldap/ldap_auth.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'src/providers/ldap/ldap_auth.c')

diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 853231b3..f4bbabf6 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -536,6 +536,7 @@ static void auth_resolve_done(struct tevent_req *subreq)
     struct auth_state *state = tevent_req_data(req,
                                                     struct auth_state);
     int ret;
+    bool use_tls;
 
     ret = be_resolve_server_recv(subreq, &state->srv);
     talloc_zfree(subreq);
@@ -546,8 +547,19 @@ static void auth_resolve_done(struct tevent_req *subreq)
         return;
     }
 
+    /* Check for undocumented debugging feature to disable TLS
+     * for authentication. This should never be used in production
+     * for obvious reasons.
+     */
+    use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
+    if (!use_tls) {
+        sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
+                               "insecure connection. This should be done "
+                               "for debugging purposes only.");
+    }
+
     subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
-                               state->sdap_service->uri, true);
+                               state->sdap_service->uri, use_tls);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
-- 
cgit