rand_file can only be set as a global option
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Sat, 30 Jan 2016 01:17:44 +0000 (20:17 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Sat, 30 Jan 2016 01:21:44 +0000 (20:21 -0500)
src/modules/rlm_ldap/ldap.c
src/modules/rlm_ldap/ldap.h
src/modules/rlm_ldap/rlm_ldap.c

index 6001c0dc9c92580473154ebc9d0e088a9b42ced2..768e7110f876013ff91a9d30c7570b4de16eeef0 100644 (file)
@@ -1327,6 +1327,34 @@ static int rlm_ldap_rebind(LDAP *handle, LDAP_CONST char *url, UNUSED ber_tag_t
 }
 #endif
 
+int rlm_ldap_global_init(rlm_ldap_t *inst)
+{
+       int ldap_errno;
+
+#define do_ldap_global_option(_option, _name, _value) \
+       if (ldap_set_option(NULL, _option, _value) != LDAP_OPT_SUCCESS) { \
+               ldap_get_option(NULL, LDAP_OPT_ERROR_NUMBER, &ldap_errno); \
+               ERROR("Failed setting global option %s: %s", _name, \
+                        (ldap_errno != LDAP_SUCCESS) ? ldap_err2string(ldap_errno) : "Unknown error"); \
+               return -1;\
+       }
+
+#define maybe_ldap_global_option(_option, _name, _value) \
+       if (_value) do_ldap_global_option(_option, _name, _value)
+
+       maybe_ldap_global_option(LDAP_OPT_DEBUG_LEVEL, "ldap_debug", &(inst->ldap_debug));
+
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
+       /*
+        *      OpenLDAP will error out if we attempt to set
+        *      this on a handle. Presumably it's global in
+        *      OpenSSL too.
+        */
+       maybe_ldap_global_option(LDAP_OPT_X_TLS_RANDOM_FILE, "random_file", inst->tls_random_file);
+#endif
+       return 0;
+}
+
 /** Close and delete a connection
  *
  * Unbinds the LDAP connection, informing the server and freeing any memory, then releases the memory used by the
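Review bot: In the failure branch of `do_ldap_global_option`, `ldap_errno` is printed even if `ldap_get_option(NULL, LDAP_OPT_ERROR_NUMBER, ...)` itself fails, and the variable is declared uninitialized at the top of `rlm_ldap_global_init`, so the log line can report a garbage code and the "Unknown error" fallback is never reliably reached; declare it as `int ldap_errno = LDAP_SUCCESS;` or check the getter's return. Both macros also expand to bare `if` statements, and `maybe_ldap_global_option` nests two of them, so an `else` written after a use would bind to the inner `if`; wrapping the macro bodies in `do { ... } while (0)` removes that hazard. The comment above the random-file option says "Presumably"; if the reason is confirmed (OpenSSL's RAND pool is process-wide rather than per-connection), state it directly so the next reader knows why this cannot be a per-handle option, e.g. `/* OpenSSL's RNG state is process-wide, so libldap only accepts LDAP_OPT_X_TLS_RANDOM_FILE as a global option. */`.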
@@ -1403,17 +1431,8 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
                goto error;\
        }
 
-#define do_ldap_global_option(_option, _name, _value) \
-       if (ldap_set_option(NULL, _option, _value) != LDAP_OPT_SUCCESS) { \
-               ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &ldap_errno); \
-               LDAP_ERR("Failed setting global option %s: %s", _name, \
-                        (ldap_errno != LDAP_SUCCESS) ? ldap_err2string(ldap_errno) : "Unknown error"); \
-               goto error;\
-       }
-
-       if (inst->ldap_debug) {
-               do_ldap_global_option(LDAP_OPT_DEBUG_LEVEL, "ldap_debug", &(inst->ldap_debug));
-       }
+#define maybe_ldap_option(_option, _name, _value) \
+       if (_value) do_ldap_option(_option, _name, _value)
 
        /*
         *      Leave "dereference" unset to use the OpenLDAP default.
@@ -1473,9 +1492,6 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
                do_ldap_option(LDAP_OPT_X_TLS, "tls_mode", &(inst->tls_mode));
        }
 
-#  define maybe_ldap_option(_option, _name, _value) \
-       if (_value) do_ldap_option(_option, _name, _value)
-
        maybe_ldap_option(LDAP_OPT_X_TLS_CACERTFILE, "ca_file", inst->tls_ca_file);
        maybe_ldap_option(LDAP_OPT_X_TLS_CACERTDIR, "ca_path", inst->tls_ca_path);
 
@@ -1485,7 +1501,6 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
         */
        maybe_ldap_option(LDAP_OPT_X_TLS_CERTFILE, "certificate_file", inst->tls_certificate_file);
        maybe_ldap_option(LDAP_OPT_X_TLS_KEYFILE, "private_key_file", inst->tls_private_key_file);
-       maybe_ldap_option(LDAP_OPT_X_TLS_RANDOM_FILE, "random_file", inst->tls_random_file);
 
 #  ifdef LDAP_OPT_X_TLS_NEVER
        if (inst->tls_require_cert_str) {
index ee17d2420731f6b9aafc115776892dae139e0989..5e25f74f4eaa2efcd471736d12b14348608c0b6d 100644 (file)
@@ -417,6 +417,8 @@ ldap_rcode_t rlm_ldap_result(rlm_ldap_t const *inst, ldap_handle_t const *conn,
 
 char *rlm_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in);
 
+int rlm_ldap_global_init(rlm_ldap_t *inst);
+
 void *mod_conn_create(TALLOC_CTX *ctx, void *instance);
 
 ldap_handle_t *mod_conn_get(rlm_ldap_t const *inst, REQUEST *request);
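Review bot: The new `rlm_ldap_global_init` prototype carries no documentation, and since it sets process-wide libldap options via `ldap_set_option(NULL, ...)` rather than per-handle ones, a caller needs to know that it affects every LDAP handle in the process and what the return values mean. Add a doc comment above it in the header's `/** ... */` style along the lines of `/** Apply process-global libldap options (ldap_debug, TLS random_file) from an instance's config. Global, not per-handle: a later call replaces an earlier one's values. @return 0 on success, -1 if libldap rejected an option (already logged). */`.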
index 99323702d224dc003d3b6a30c3cc9cb6c693e7dd..172a59e1892e1ce2532e6e5e2c547214f748cafd 100644 (file)
@@ -1167,6 +1167,11 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
                return -1;
        }
 
+       /*
+        *      Set global options
+        */
+       if (rlm_ldap_global_init(inst) < 0) goto error;
+
        /*
         *      Initialize the socket pool.
         */
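Review bot: `mod_instantiate` runs once per configured rlm_ldap instance, but `rlm_ldap_global_init` writes process-wide libldap state, so with two instances that configure different `ldap_debug` or `random_file` values the later instantiation silently overwrites the earlier one, and the first instance's TLS RNG seeding or debug level is not what its config section says. A comment at the call site, e.g. `/* Process-global: a later instance's values replace an earlier one's. */`, or a WARN when a differing value is already in effect, would make that visible to operators. The new check also uses `goto error` while the check immediately above it returns -1 directly; the `error` label is outside this hunk, so I cannot tell whether it performs cleanup that the direct `return -1` skips — worth making the two paths consistent either way. `mod_instantiate` begins and ends outside the hunk.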