From: Aki Tuomi
Date: Wed, 13 Apr 2016 08:01:29 +0000 (+0300)
Subject: lib-ldap: Allow disabling of TLS
X-Git-Tag: 2.2.24~59
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3be0145dff35c54c3c89c3ad3e1afd2c486a2d4;p=thirdparty%2Fdovecot%2Fcore.git
lib-ldap: Allow disabling of TLS
---
diff --git a/src/lib-dict/dict-ldap-settings.c b/src/lib-dict/dict-ldap-settings.c
index df793a5b73..200ca8c3e6 100644
--- a/src/lib-dict/dict-ldap-settings.c
+++ b/src/lib-dict/dict-ldap-settings.c
@@ -209,13 +209,18 @@ parse_setting(const char *key, const char *value,
 }
 return NULL;
 }
- if (strcmp(key, "require_ssl") == 0) {
+ if (strcmp(key, "tls") == 0) {
 if (strcasecmp(value, "yes") == 0) {
 ctx->set->require_ssl = TRUE;
+ ctx->set->start_tls = TRUE;
 } else if (strcasecmp(value, "no") == 0) {
 ctx->set->require_ssl = FALSE;
+ ctx->set->start_tls = FALSE;
+ } else if (strcasecmp(value, "try") == 0) {
+ ctx->set->require_ssl = FALSE;
+ ctx->set->start_tls = TRUE;
 } else {
- return "require_ssl must be either yes or no";
+ return "tls must be yes, try or no";
 }
 return NULL;
 }
@@ -286,6 +291,8 @@ dict_ldap_settings_read(pool_t pool, const char *path, const char **error_r)
 p_array_init(&ctx.set->maps, pool, 8);
 ctx.set->timeout = 30; /* default timeout */
+ ctx.set->require_ssl = FALSE; /* try to start SSL */
+ ctx.set->start_tls = TRUE;
 if (!settings_read(path, NULL, parse_setting, parse_section, &ctx, error_r))
diff --git a/src/lib-dict/dict-ldap-settings.h b/src/lib-dict/dict-ldap-settings.h
index dadd32121b..0919ca9d6d 100644
--- a/src/lib-dict/dict-ldap-settings.h
+++ b/src/lib-dict/dict-ldap-settings.h
@@ -26,6 +26,7 @@ struct dict_ldap_settings {
 unsigned int debug;
 unsigned int max_attribute_count;
 bool require_ssl;
+ bool start_tls;
 ARRAY(struct dict_ldap_map) maps;
 };
diff --git a/src/lib-dict/dict-ldap.c b/src/lib-dict/dict-ldap.c
index 6344681bee..b3c07d2929 100644
--- a/src/lib-dict/dict-ldap.c
+++ b/src/lib-dict/dict-ldap.c
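Review bot: The `require_ssl` key is replaced by `tls` with no alias, so a dict-ldap config that still says `require_ssl = yes` no longer reaches this branch and is handled by whatever parse_setting does for an unrecognized key, which is outside the hunk. Before this change `require_ssl = no` still attempted STARTTLS on non-ldaps URIs (see the removed condition in ldap_connect_next_message), so the old values correspond to the new `yes` and `try`, not to `yes` and `no`. I would keep accepting the old key for a release, e.g. `if (strcmp(key, "tls") == 0 || strcmp(key, "require_ssl") == 0) {` with a `/* require_ssl is the deprecated name; its "no" meant tls=try */` comment and a remap of `no` to the `try` branch when the old key was used. Each of the three branches would also benefit from a one-line comment naming the resulting policy, since setting two booleans per value hides it. parse_setting starts before this hunk.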
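Review bot: The comment `/* try to start SSL */` sits on `ctx.set->require_ssl = FALSE;`, which read alone says the opposite of what the comment describes; the default is only meaningful as the pair of assignments. Move it to cover both lines: `/* default tls=try: attempt STARTTLS on non-ldaps URIs but do not require TLS */`. These two lines duplicate the `try` branch of parse_setting, so any change to that mapping has to be mirrored here; a small static helper that applies a tls value to the struct would remove the duplication. dict_ldap_settings_read continues past this hunk.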
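Review bot: `bool start_tls;` is added to struct dict_ldap_settings without saying how it combines with `require_ssl`, and the same undocumented pair is added to struct ldap_client_settings in the ldap-client.h hunk, which is the contract lib-ldap callers program against. Only three of the four combinations are produced by the settings parser (yes: both TRUE; try: require_ssl FALSE, start_tls TRUE; no: both FALSE), and the fourth is rejected by ldap_connection_init unless the URI is ldaps://. I would annotate both headers with `bool require_ssl; /* reject a session that cannot be TLS-protected (ldaps:// or STARTTLS) */` and `bool start_tls; /* issue STARTTLS on non-ldaps URIs; see require_ssl for whether failure is fatal */`. Whether a failed STARTTLS is actually fatal under require_ssl is decided outside this diff, so the wording should be checked against that code.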
@@ -161,6 +161,7 @@ int dict_ldap_connect(struct ldap_dict *dict, const char **error_r)
 set.max_idle_time_secs = dict->set->max_idle_time;
 set.debug = dict->set->debug;
 set.require_ssl = dict->set->require_ssl;
+ set.start_tls = dict->set->start_tls;
 return ldap_client_init(&set, &dict->client, error_r);
 }
diff --git a/src/lib-ldap/ldap-client.h b/src/lib-ldap/ldap-client.h
index 2ee7d1cf24..5ce14dc6bf 100644
--- a/src/lib-ldap/ldap-client.h
+++ b/src/lib-ldap/ldap-client.h
@@ -29,6 +29,7 @@ struct ldap_client_settings {
 unsigned int max_idle_time_secs;
 unsigned int debug;
 bool require_ssl;
+ bool start_tls;
 };
 struct ldap_search_input {
diff --git a/src/lib-ldap/ldap-connection.c b/src/lib-ldap/ldap-connection.c
index c19ccca767..7b5caa091d 100644
--- a/src/lib-ldap/ldap-connection.c
+++ b/src/lib-ldap/ldap-connection.c
@@ -91,12 +91,20 @@ int ldap_connection_init(struct ldap_client *client,
 const struct ldap_client_settings *set,
 struct ldap_connection **conn_r, const char **error_r)
 {
+ i_assert(set->uri != NULL);
+
+ if (set->require_ssl &&
+ !set->start_tls &&
+ strncmp("ldaps://",set->uri,8) != 0) {
+ *error_r = t_strdup_printf("ldap_connection_init(uri=%s) failed: %s", set->uri,
+ "uri does not start with ldaps and ssl required without start TLS");
+ return -1;
+ }
+
 pool_t pool = pool_alloconly_create("ldap connection", 1024);
 struct ldap_connection *conn = p_new(pool, struct ldap_connection, 1);
 conn->pool = pool;
- i_assert(set->uri != NULL);
-
 conn->client = client;
 conn->set = *set;
 /* deep copy relevant strings */
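Review bot: The new guard decides "is this ldaps" with `strncmp("ldaps://", set->uri, 8) != 0` (exact prefix), while ldap_connect_next_message in the same file decides it with `strstr(conn->set.uri, "ldaps://") == NULL` (substring anywhere), so the two halves of the TLS policy can disagree on the same URI; one `static bool ldap_uri_is_ldaps(const char *uri) { return strncmp(uri, "ldaps://", 8) == 0; }` used in both places would close that gap. The error is built as `t_strdup_printf("... failed: %s", set->uri, "uri does not ...")` with a literal routed through `%s`; folding the literal into the format string is simpler. Related, the condition added in the next hunk, `!conn->set.start_tls || strstr(...) == NULL`, appears to issue STARTTLS exactly when start_tls is FALSE, which contradicts its own comment and the guard here; `conn->set.start_tls && strstr(...) == NULL` reads as the intended form, but that hunk runs past the end of this view. ldap_connection_init continues past this hunk.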
@@ -385,7 +393,8 @@ ldap_connect_next_message(struct ldap_connection *conn,
 switch(conn->state) {
 case LDAP_STATE_DISCONNECT:
- if (strstr(conn->set.uri, "ldaps://") == NULL) {
+ /* if we should not disable SSL, and the URI is not ldaps:// */
+ if (!conn->set.start_tls || strstr(conn->set.uri, "ldaps://") == NULL) {
 ret = ldap_start_tls(conn->conn, NULL, NULL, &(req->msgid));
 if (ret != LDAP_SUCCESS) {
 ldap_connection_result_failure(conn, req, ret, t_strdup_printf(