lib-ldap: Allow disabling of TLS
authorAki Tuomi <aki.tuomi@dovecot.fi>
Wed, 13 Apr 2016 08:01:29 +0000 (11:01 +0300)
committerAki Tuomi <aki.tuomi@dovecot.fi>
Wed, 13 Apr 2016 08:20:52 +0000 (11:20 +0300)
src/lib-dict/dict-ldap-settings.c
src/lib-dict/dict-ldap-settings.h
src/lib-dict/dict-ldap.c
src/lib-ldap/ldap-client.h
src/lib-ldap/ldap-connection.c

index df793a5b73a8e01d1e5cfb170f0a8c13552e2218..200ca8c3e660acef2e1c697d0ac53d8a04d37761 100644 (file)
@@ -209,13 +209,18 @@ parse_setting(const char *key, const char *value,
                        }
                        return NULL;
                }
-               if (strcmp(key, "require_ssl") == 0) {
+               if (strcmp(key, "tls") == 0) {
                        if (strcasecmp(value, "yes") == 0) {
                                ctx->set->require_ssl = TRUE;
+                               ctx->set->start_tls = TRUE;
                        } else if (strcasecmp(value, "no") == 0) {
                                ctx->set->require_ssl = FALSE;
+                               ctx->set->start_tls = FALSE;
+                       } else if (strcasecmp(value, "try") == 0) {
+                               ctx->set->require_ssl = FALSE;
+                               ctx->set->start_tls = TRUE;
                        } else {
-                               return "require_ssl must be either yes or no";
+                               return "tls must be yes, try or no";
                        }
                        return NULL;
                }
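Review bot: Renaming the setting key from `require_ssl` to `tls` at the top of the hunk drops the old name without an alias, so an existing dict-ldap config containing `require_ssl = yes` presumably now reaches whatever parse_setting does for unrecognised keys (that path is outside the hunk). Because the pre-change code always attempted STARTTLS (see the removed condition in ldap_connect_next_message in the last hunk), the old `require_ssl = yes` maps exactly onto `tls = yes` and `require_ssl = no` onto `tls = try`, so the old key can be accepted as a deprecated alias with `if (strcmp(key, "tls") == 0 || strcmp(key, "require_ssl") == 0) {` and, in the `no` branch, `ctx->set->start_tls = (strcmp(key, "require_ssl") == 0);`. The new `try` branch is also the only mode where the two flags diverge and deserves a line such as `/* opportunistic: attempt STARTTLS, do not require it */`. parse_setting begins before this hunk.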
@@ -286,6 +291,8 @@ dict_ldap_settings_read(pool_t pool, const char *path, const char **error_r)
        p_array_init(&ctx.set->maps, pool, 8);
 
        ctx.set->timeout = 30; /* default timeout */
+       ctx.set->require_ssl = FALSE; /* try to start SSL */
+       ctx.set->start_tls = TRUE;
 
        if (!settings_read(path, NULL, parse_setting, parse_section,
                           &ctx, error_r))
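Review bot: The comment on the new default line, `/* try to start SSL */`, does not say which of the three `tls` modes this pair of defaults encodes, and `require_ssl = FALSE` on its own reads as if TLS were switched off. parse_setting maps `tls = try` to exactly these two values, so naming the mode lets a reader match config to code: `/* defaults equal "tls = try": attempt STARTTLS, but it is not required */`. dict_ldap_settings_read starts before this hunk.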
index dadd32121b001efa43fc33d91b8f05725776f777..0919ca9d6ddf9fa105cc72c29d1a156061b89369 100644 (file)
@@ -26,6 +26,7 @@ struct dict_ldap_settings {
        unsigned int debug;
        unsigned int max_attribute_count;
        bool require_ssl;
+       bool start_tls;
        ARRAY(struct dict_ldap_map) maps;
 };
 
index 6344681beead9af335d0a61a3cb44fee9a3ce213..b3c07d292968f3984f0a313f6bd9383470ce960d 100644 (file)
@@ -161,6 +161,7 @@ int dict_ldap_connect(struct ldap_dict *dict, const char **error_r)
        set.max_idle_time_secs = dict->set->max_idle_time;
        set.debug = dict->set->debug;
        set.require_ssl = dict->set->require_ssl;
+       set.start_tls = dict->set->start_tls;
        return ldap_client_init(&set, &dict->client, error_r);
 }
 
index 2ee7d1cf244ed6902a76fba23a349e0c2bcd2679..5ce14dc6bf7795a5fab4af5f635ac2a6c5115104 100644 (file)
@@ -29,6 +29,7 @@ struct ldap_client_settings {
        unsigned int max_idle_time_secs;
        unsigned int debug;
        bool require_ssl;
+       bool start_tls;
 };
 
 struct ldap_search_input {
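Review bot: `bool start_tls;` is added to the public struct ldap_client_settings next to `require_ssl` with no comment, yet the two flags are only meaningful as a pair (their combinations are decoded in ldap_connection_init and ldap_connect_next_message). A comment on the pair would spare callers reading those functions, e.g. `/* start_tls: issue STARTTLS on non-ldaps:// URIs; require_ssl: refuse a connection that cannot be TLS-protected */`; the exact guarantee require_ssl gives once STARTTLS has been attempted is outside these hunks and should be confirmed before wording it.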
index c19ccca767bfbb228ecf0af2562d47133d93cca2..7b5caa091dfd6c8d959eb698f3770e09d2c06547 100644 (file)
@@ -91,12 +91,20 @@ int ldap_connection_init(struct ldap_client *client,
                         const struct ldap_client_settings *set,
                         struct ldap_connection **conn_r, const char **error_r)
 {
+       i_assert(set->uri != NULL);
+
+       if (set->require_ssl &&
+           !set->start_tls &&
+           strncmp("ldaps://",set->uri,8) != 0) {
+               *error_r = t_strdup_printf("ldap_connection_init(uri=%s) failed: %s", set->uri,
+                       "uri does not start with ldaps and ssl required without start TLS");
+               return -1;
+       }
+
        pool_t pool = pool_alloconly_create("ldap connection", 1024);
        struct ldap_connection *conn = p_new(pool, struct ldap_connection, 1);
        conn->pool = pool;
 
-       i_assert(set->uri != NULL);
-
        conn->client = client;
        conn->set = *set;
        /* deep copy relevant strings */
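Review bot: The new guard at the top of the function recognises an ldaps:// URI with `strncmp("ldaps://", set->uri, 8)`, a case-sensitive prefix test, while the STARTTLS decision in ldap_connect_next_message in the next hunk uses `strstr(conn->set.uri, "ldaps://")`, which matches the scheme anywhere in the string; a URI with an upper-case scheme, or one where `ldaps://` occurs other than at the start, is classified differently by the two sites. Factoring the test into one helper, `static bool ldap_uri_is_ldaps(const char *uri) { return strncasecmp(uri, "ldaps://", 8) == 0; }`, and calling it from both places would make the require_ssl check and the STARTTLS path agree. Moving the early return ahead of pool_alloconly_create is right, since it avoids leaking the pool on the error path. The rest of ldap_connection_init is outside the hunk.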
@@ -385,7 +393,8 @@ ldap_connect_next_message(struct ldap_connection *conn,
 
        switch(conn->state) {
        case LDAP_STATE_DISCONNECT:
-               if (strstr(conn->set.uri, "ldaps://") == NULL) {
+               /* if we should not disable SSL, and the URI is not ldaps:// */
+               if (!conn->set.start_tls || strstr(conn->set.uri, "ldaps://") == NULL) {
                        ret = ldap_start_tls(conn->conn, NULL, NULL, &(req->msgid));
                        if (ret != LDAP_SUCCESS) {
                                ldap_connection_result_failure(conn, req, ret, t_strdup_printf(
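Review bot: The new condition on the `if` line is the inverse of its own comment: `!conn->set.start_tls || ...` makes ldap_start_tls() run whenever start_tls is FALSE, i.e. precisely when `tls = no` was configured, so the commit's stated goal of disabling TLS is not achieved and a server without STARTTLS would presumably still receive the extended operation. The comment describes start_tls being TRUE and the URI not being ldaps://, which is `if (conn->set.start_tls && strstr(conn->set.uri, "ldaps://") == NULL) {`. With that fix, `tls = no` skips STARTTLS and `tls = yes`/`try` keep the previous behaviour on ldap:// URIs. ldap_connect_next_message starts before and continues past this hunk.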