digest_edirectory_auth: Fix LDAPS memory leaks (#2169)

LDAPS connections now succeed; referral chasing behaves as configured,
and some small memory leaks have been eliminated.

diff --git a/doc/release-notes/release-7.sgml.in b/doc/release-notes/release-7.sgml.in
index 304b7500138c3c9031d1384a503dbc7878ea1945..786883126ad2fe5c5fc5e5aeaea33d3cb31e231e 100644 (file)
--- a/doc/release-notes/release-7.sgml.in
+++ b/doc/release-notes/release-7.sgml.in
@@ -337,6 +337,11 @@ This section gives an account of those changes in three categories:
 <sect1>Other changes<label id="otherchanges">
 <p>
 <descrip>
+       <tag>digest_edirectory_auth</tag>
+       <p>LDAPS activation and referrals were broken, and memory could leak.
+          LDAPS may now negotiate correctly, referrals honor configuration
+          (use <em>-R</em> to disable), and memory is now properly freed.
+
        <tag>Adjusted configuration and format of ext_time_quota_acl helper debugging</tag>
        <p>The <em>-l</em> option that enables <em>ext_time_quota_acl</em> to log debug messages
                to a custom logfile has been removed, and their format has been

diff --git a/src/auth/digest/eDirectory/ldap_backend.cc b/src/auth/digest/eDirectory/ldap_backend.cc
index fd80542c17bbf13693be48916743b77019b4db96..20c44c8e82dba3687f53fc19a8b3f20a2a2570fc 100644 (file)
--- a/src/auth/digest/eDirectory/ldap_backend.cc
+++ b/src/auth/digest/eDirectory/ldap_backend.cc
@@ -120,6 +120,12 @@ squid_ldap_set_connect_timeout(int aTimeLimit)
 #endif
 }
 
+static void
+squid_ldap_memfree(char *p)
+{
+    ldap_memfree(p);
+}
+
 #else
 static int
 squid_ldap_errno(LDAP * ld)
@@ -135,7 +141,7 @@ static void
 squid_ldap_set_referrals(int referrals)
 {
     if (referrals)
-        ld->ld_options |= ~LDAP_OPT_REFERRALS;
+        ld->ld_options |= LDAP_OPT_REFERRALS;
     else
         ld->ld_options &= ~LDAP_OPT_REFERRALS;
 }
@@ -261,7 +267,13 @@ retrydnattr:
         if (rc == LDAP_SUCCESS) {
             entry = ldap_first_entry(ld, res);
             if (entry) {
-                debug("ldap dn: %s\n", ldap_get_dn(ld, entry));
+                const auto dn = ldap_get_dn(ld, entry);
+                if (!dn) {
+                    fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", login);
+                    ldap_msgfree(res);
+                    return nullptr;
+                }
+                debug("ldap dn: %s\n", dn);
                 if (edir_universal_passwd) {
 
                     /* allocate some memory for the universal password returned by NMAS */
@@ -269,7 +281,7 @@ retrydnattr:
                     values = (char**)calloc(2, sizeof(char *));
 
                     /* actually talk to NMAS to get a password */
-                    nmas_res = nds_get_password(ld, ldap_get_dn(ld, entry), &universal_password_len, universal_password);
+                    nmas_res = nds_get_password(ld, dn, &universal_password_len, universal_password);
                     if (nmas_res == LDAP_SUCCESS && universal_password) {
                         debug("NMAS returned value %s\n", universal_password);
                         values[0] = universal_password;
@@ -280,6 +292,7 @@ retrydnattr:
                 } else {
                     values = ldap_get_values(ld, entry, passattr);
                 }
+                squid_ldap_memfree(dn);
             } else {
                 ldap_msgfree(res);
                 return nullptr;
@@ -397,7 +410,7 @@ ldapconnect(void)
         }
         if (use_tls) {
 #ifdef LDAP_OPT_X_TLS
-            if ((version == LDAP_VERSION3) && (ldap_start_tls_s(ld, nullptr, nullptr) == LDAP_SUCCESS)) {
+            if ((version == LDAP_VERSION3) && (ldap_start_tls_s(ld, nullptr, nullptr) != LDAP_SUCCESS)) {
                 fprintf(stderr, "Could not Activate TLS connection\n");
                 ldap_unbind(ld);
                 ld = nullptr;