From: Marco Bettini Date: Wed, 16 Oct 2024 10:02:23 +0000 (+0000) Subject: lib-ldap: ldap_client_settings - Remove require_ssl X-Git-Tag: 2.4.1~395 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=104da6eea2e9a25962f5f7ee887c5ab244dde438;p=thirdparty%2Fdovecot%2Fcore.git lib-ldap: ldap_client_settings - Remove require_ssl
---
diff --git a/src/lib-ldap/Makefile.am b/src/lib-ldap/Makefile.am
index f33a823ae5..3a7ca234ed 100644
--- a/src/lib-ldap/Makefile.am
+++ b/src/lib-ldap/Makefile.am
@@ -44,7 +44,6 @@ pkginc_lib_HEADERS = $(headers)
 test_libs = \
 ../lib-test/libtest.la \
- ../lib-ssl-iostream/libssl_iostream.la \
 ../lib-var-expand/libvar_expand.la \
 ../lib/liblib.la
diff --git a/src/lib-ldap/ldap-connection.c b/src/lib-ldap/ldap-connection.c
index b72f115f0b..36c76fa01d 100644
--- a/src/lib-ldap/ldap-connection.c
+++ b/src/lib-ldap/ldap-connection.c
@@ -107,14 +107,6 @@ int ldap_connection_init(struct ldap_client *client,
 {
 i_assert(set->uris != NULL && set->uris[0] != '\0');
- if (set->require_ssl &&
- !set->starttls &&
- strncmp("ldaps://",set->uris,8) != 0) {
- *error_r = t_strdup_printf("ldap_connection_init(uris=%s) failed: %s", set->uris,
- "uri does not start with ldaps and ssl required without start TLS");
- return -1;
- }
-
 pool_t pool = pool_alloconly_create("ldap connection", 1024);
 struct ldap_connection *conn = p_new(pool, struct ldap_connection, 1);
 conn->pool = pool;
@@ -301,13 +293,11 @@ ldap_connection_connect_parse(struct ldap_connection *conn,
 conn->set->uris, ldap_err2string(ret)));
 return ret;
 } else if (result_err != 0) {
- if (conn->set->require_ssl) {
- ldap_connection_result_failure(conn, req, result_err, t_strdup_printf(
- "ldap_start_tls(uris=%s) failed: %s",
- conn->set->uris, result_errmsg));
- ldap_memfree(result_errmsg);
- return LDAP_INVALID_CREDENTIALS; /* make sure it disconnects */
- }
+ ldap_connection_result_failure(conn, req, result_err, t_strdup_printf(
+ "ldap_start_tls(uris=%s) failed: %s",
+ conn->set->uris, result_errmsg));
+ ldap_memfree(result_errmsg);
+ return LDAP_INVALID_CREDENTIALS; /* make sure it disconnects */
 } else {
 ret = ldap_parse_extended_result(conn->conn, message, &retoid, NULL, 0);
 /* retoid can be NULL even if ret == 0 */
@@ -322,12 +312,10 @@ ldap_connection_connect_parse(struct ldap_connection *conn,
 }
 }
 if (ret != LDAP_SUCCESS) {
- if (conn->set->require_ssl) {
- ldap_connection_result_failure(conn, req, ret, t_strdup_printf(
- "ldap_start_tls(uris=%s) failed: %s",
- conn->set->uris, ldap_err2string(ret)));
- return LDAP_UNAVAILABLE;
- }
+ ldap_connection_result_failure(conn, req, ret, t_strdup_printf(
+ "ldap_start_tls(uris=%s) failed: %s",
+ conn->set->uris, ldap_err2string(ret)));
+ return LDAP_UNAVAILABLE;
 } else {
 if (conn->set->debug_level > 0)
 e_debug(conn->event,
@@ -429,8 +417,7 @@ ldap_connect_next_message(struct ldap_connection *conn,
 switch(conn->state) {
 case LDAP_STATE_DISCONNECT:
- /* if we should not disable SSL, and the URI is not ldaps:// */
- if (!conn->set->starttls || strstr(conn->set->uris, "ldaps://") == NULL) {
+ if (conn->set->starttls && strstr(conn->set->uris, "ldaps://") == NULL) {
 ret = ldap_start_tls(conn->conn, NULL, NULL, &req->msgid);
 if (ret != LDAP_SUCCESS) {
 ldap_connection_result_failure(conn, req, ret, t_strdup_printf(
diff --git a/src/lib-ldap/ldap-private.h b/src/lib-ldap/ldap-private.h
index 4d78f190d8..8ec31f86d1 100644
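Review bot: The DISCONNECT branch now decides whether to negotiate STARTTLS with `strstr(conn->set->uris, "ldaps://") == NULL`, which matches the scheme anywhere in the string, while the check this commit deletes from ldap_connection_init tested it as a prefix with `strncmp("ldaps://", set->uris, 8)`. If `uris` may hold several space-separated URIs (the plural name suggests so, but the hunk does not show it), a list mixing `ldap://` and `ldaps://` entries would skip STARTTLS for all of them even with `starttls` enabled, leaving the `ldap://` members in cleartext; a per-URI or prefix test such as `if (conn->set->starttls && strncmp(conn->set->uris, "ldaps://", 8) != 0) {` would at least be consistent with the removed code, and the intended mixed-scheme behaviour should be stated in a comment. With require_ssl gone, nothing here refuses a cleartext `ldap://` connection when `starttls` is off, so a comment above this `if` such as `/* TLS is only used for ldaps:// URIs or when starttls is enabled; plain ldap:// without starttls stays cleartext */` would make that explicit for the next reader. ldap_connect_next_message starts and ends outside the hunk.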
--- a/src/lib-ldap/ldap-private.h
+++ b/src/lib-ldap/ldap-private.h
@@ -1,7 +1,7 @@
 #ifndef LDAP_PRIVATE_H
 #define LDAP_PRIVATE_H
-#include "iostream-ssl.h"
+#include "ssl-settings.h"
 #include "ldap-client.h"
 #include
diff --git a/src/lib-ldap/ldap-settings.c b/src/lib-ldap/ldap-settings.c
index fb21199710..7f7ef46cfa 100644
--- a/src/lib-ldap/ldap-settings.c
+++ b/src/lib-ldap/ldap-settings.c
@@ -21,7 +21,6 @@ static const struct setting_define ldap_client_setting_defines[] = {
 DEFN(TIME, timeout_secs, ldap_timeout),
 DEFN(TIME, max_idle_time_secs, ldap_max_idle_time),
 DEF(UINT, debug_level),
- DEF(BOOL, require_ssl),
 DEF(BOOL, starttls),
 SETTING_DEFINE_LIST_END
 };
@@ -33,7 +32,6 @@ static const struct ldap_client_settings ldap_client_default_settings = {
 .timeout_secs = 30,
 .max_idle_time_secs = 0,
 .debug_level = 0,
- .require_ssl = FALSE,
 .starttls = FALSE,
 };
diff --git a/src/lib-ldap/ldap-settings.h b/src/lib-ldap/ldap-settings.h
index 9f21122535..4505884440 100644
--- a/src/lib-ldap/ldap-settings.h
+++ b/src/lib-ldap/ldap-settings.h
@@ -13,7 +13,6 @@ struct ldap_client_settings {
 unsigned int timeout_secs;
 unsigned int max_idle_time_secs;
 unsigned int debug_level;
- bool require_ssl;
 bool starttls;
 };