From: Marco Bettini
Date: Tue, 19 Mar 2024 15:08:26 +0000 (+0000)
Subject: auth: db-ldap - Use also ssl_settings
X-Git-Tag: 2.4.1~774
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59c39256fdf0879cc22e0694f9d66b103f3908a7;p=thirdparty%2Fdovecot%2Fcore.git

auth: db-ldap - Use also ssl_settings

ldap_tls_require_cert=demand/allow has replaced by ssl_client_require_valid_cert=yes/no. The other values of the original setting are no longer supported.
---

diff --git a/src/auth/db-ldap-settings.c b/src/auth/db-ldap-settings.c
index c945421759..9d1aabc62d 100644
--- a/src/auth/db-ldap-settings.c
+++ b/src/auth/db-ldap-settings.c
@@ -29,12 +29,6 @@ static const struct setting_define ldap_setting_defines[] = {
 DEF(STR, sasl_mech),
 DEF(STR, sasl_realm),
 DEF(STR, sasl_authz_id),
- DEF(STR, tls_ca_cert_file),
- DEF(STR, tls_ca_cert_dir),
- DEF(STR, tls_cert_file),
- DEF(STR, tls_key_file),
- DEF(STR, tls_cipher_suite),
- DEF(STR, tls_require_cert),
 DEF(STR, deref),
 DEF(STR, scope),
 DEF(STR, base),
@@ -63,12 +57,6 @@ static const struct ldap_settings ldap_default_settings = {
 .sasl_mech = "",
 .sasl_realm = "",
 .sasl_authz_id = "",
- .tls_ca_cert_file = "",
- .tls_ca_cert_dir = "",
- .tls_cert_file = "",
- .tls_key_file = "",
- .tls_cipher_suite = "",
- .tls_require_cert = "",
 .deref = "never",
 .scope = "subtree",
 .base = "",
@@ -97,25 +85,6 @@ const struct setting_parser_info ldap_setting_parser_info = {
 /* */
-#ifdef OPENLDAP_TLS_OPTIONS
-static int ldap_parse_tls_require_cert(const char *str, int *value_r)
-{
- if (strcasecmp(str, "never") == 0)
- *value_r = LDAP_OPT_X_TLS_NEVER;
- else if (strcasecmp(str, "hard") == 0)
- *value_r = LDAP_OPT_X_TLS_HARD;
- else if (strcasecmp(str, "demand") == 0)
- *value_r = LDAP_OPT_X_TLS_DEMAND;
- else if (strcasecmp(str, "allow") == 0)
- *value_r = LDAP_OPT_X_TLS_ALLOW;
- else if (strcasecmp(str, "try") == 0)
- *value_r = LDAP_OPT_X_TLS_TRY;
- else
- return -1;
- return 1;
-}
-#endif
-
 static int ldap_parse_deref(const char *str, int *ref_r)
 {
 if (strcasecmp(str, "never") == 0)
@@ -161,15 +130,6 @@ static bool ldap_setting_check(void *_set, pool_t pool ATTR_UNUSED,
 return FALSE;
 }
-#ifdef OPENLDAP_TLS_OPTIONS
- if (ldap_parse_tls_require_cert(set->tls_require_cert,
- &set->ldap_tls_require_cert_parsed) < 0) {
- *error_r = t_strdup_printf("Unknown tls_require_cert value '%s'",
- set->tls_require_cert);
- return FALSE;
- }
-#endif
-
 if (*set->base == '\0') {
 *error_r = "No ldap_base given";
 return FALSE;
diff --git a/src/auth/db-ldap-settings.h b/src/auth/db-ldap-settings.h
index 9c88a7e44c..f9d80cb050 100644
--- a/src/auth/db-ldap-settings.h
+++ b/src/auth/db-ldap-settings.h
@@ -14,13 +14,6 @@ struct ldap_settings {
 const char *sasl_realm;
 const char *sasl_authz_id;
- const char *tls_ca_cert_file;
- const char *tls_ca_cert_dir;
- const char *tls_cert_file;
- const char *tls_key_file;
- const char *tls_cipher_suite;
- const char *tls_require_cert;
-
 const char *deref;
 const char *scope;
 const char *base;
@@ -38,8 +31,6 @@ struct ldap_settings {
 unsigned int version;
- int ldap_tls_require_cert_parsed;
-
 uid_t uid;
 gid_t gid;
diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
index 3aefa56814..74a24a915f 100644
--- a/src/auth/db-ldap.c
+++ b/src/auth/db-ldap.c
@@ -14,6 +14,7 @@
 #include "env-util.h"
 #include "var-expand.h"
 #include "settings.h"
+#include "ssl-settings.h"
 #include "userdb.h"
 #include "db-ldap.h"
@@ -846,28 +847,28 @@ db_ldap_set_opt_str(LDAP *ld, int opt, const char *value, const char *optname)
 static void db_ldap_set_tls_options(struct ldap_connection *conn)
 {
 #ifdef OPENLDAP_TLS_OPTIONS
+ if (!conn->set->starttls && strstr(conn->set->uris, "ldaps:") == NULL)
+ return;
+
 db_ldap_set_opt_str(NULL, LDAP_OPT_X_TLS_CACERTFILE,
- conn->set->tls_ca_cert_file, "tls_ca_cert_file");
+ conn->ssl_set->ssl_client_ca_file, "ssl_client_ca_file");
 db_ldap_set_opt_str(NULL, LDAP_OPT_X_TLS_CACERTDIR,
- conn->set->tls_ca_cert_dir, "tls_ca_cert_dir");
+ conn->ssl_set->ssl_client_ca_dir, "ssl_client_ca_dir");
 db_ldap_set_opt_str(NULL, LDAP_OPT_X_TLS_CERTFILE,
- conn->set->tls_cert_file, "tls_cert_file");
+ conn->ssl_set->ssl_client_cert_file, "ssl_client_cert_file");
 db_ldap_set_opt_str(NULL, LDAP_OPT_X_TLS_KEYFILE,
- conn->set->tls_key_file, "tls_key_file");
+ conn->ssl_set->ssl_client_key_file, "ssl_client_key_file");
 db_ldap_set_opt_str(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
- conn->set->tls_cipher_suite, "tls_cipher_suite");
- if (conn->set->tls_require_cert != NULL) {
- db_ldap_set_opt(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &conn->set->ldap_tls_require_cert_parsed,
- "tls_require_cert", conn->set->tls_require_cert);
- }
-#else
- if (conn->set->tls_ca_cert_file != NULL ||
- conn->set->tls_ca_cert_dir != NULL ||
- conn->set->tls_cert_file != NULL ||
- conn->set->tls_key_file != NULL ||
- conn->set->tls_cipher_suite != NULL) {
- i_fatal("LDAP: tls_* settings aren't supported by your LDAP library - they must not be set");
- }
+ conn->ssl_set->ssl_cipher_list, "ssl_cipher_list");
+ db_ldap_set_opt_str(NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN,
+ conn->ssl_set->ssl_min_protocol, "ssl_min_protocol");
+ db_ldap_set_opt_str(NULL, LDAP_OPT_X_TLS_ECNAME,
+ conn->ssl_set->ssl_curve_list, "ssl_curve_list");
+
+ bool requires = conn->ssl_set->ssl_client_require_valid_cert;
+ int opt = requires ? LDAP_OPT_X_TLS_HARD : LDAP_OPT_X_TLS_ALLOW;
+ db_ldap_set_opt(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt,
+ "ssl_client_require_valid_cert", requires ? "yes" : "no" );
 #endif
 }
@@ -1667,11 +1668,12 @@ void db_ldap_result_iterate_deinit(struct db_ldap_result_iterate_context **_ctx)
 }
 static struct ldap_connection *
-db_ldap_conn_find(const struct ldap_settings *set)
+db_ldap_conn_find(const struct ldap_settings *set, const struct ssl_settings *ssl_set)
 {
 struct ldap_connection *conn;
 for (conn = ldap_connections; conn != NULL; conn = conn->next) {
- if (settings_equal(&ldap_setting_parser_info, set, conn->set, NULL))
+ if (settings_equal(&ldap_setting_parser_info, set, conn->set, NULL) &&
+ settings_equal(&ssl_setting_parser_info, ssl_set, conn->ssl_set, NULL))
 return conn;
 }
 return NULL;
@@ -1680,11 +1682,15 @@ db_ldap_conn_find(const struct ldap_settings *set)
 struct ldap_connection *db_ldap_init(struct event *event)
 {
 const struct ldap_settings *set;
- set = settings_get_or_fatal(event, &ldap_setting_parser_info);
+ const struct ssl_settings *ssl_set;
+
+ set = settings_get_or_fatal(event, &ldap_setting_parser_info);
+ ssl_set = settings_get_or_fatal(event, &ssl_setting_parser_info);
 /* see if it already exists */
- struct ldap_connection *conn = db_ldap_conn_find(set);
+ struct ldap_connection *conn = db_ldap_conn_find(set, ssl_set);
 if (conn != NULL) {
+ settings_free(ssl_set);
 settings_free(set);
 conn->refcount++;
 return conn;
@@ -1695,7 +1701,9 @@ struct ldap_connection *db_ldap_init(struct event *event)
 conn->pool = pool;
 conn->refcount = 1;
- conn->set = set;
+ conn->set = set;
+ conn->ssl_set = ssl_set;
+
 conn->conn_state = LDAP_CONN_STATE_DISCONNECTED;
 conn->default_bind_msgid = -1;
 conn->fd = -1;
@@ -1738,6 +1746,7 @@ void db_ldap_unref(struct ldap_connection **_conn)
 array_free(&conn->request_array);
 aqueue_deinit(&conn->request_queue);
+ settings_free(conn->ssl_set);
 settings_free(conn->set);
 event_unref(&conn->event);
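Review bot: `LDAP_OPT_X_TLS_PROTOCOL_MIN` takes a `const int *` per ldap_set_option(3) (one of the `LDAP_OPT_X_TLS_PROTOCOL_*` constants), so passing `conn->ssl_set->ssl_min_protocol` through the string setter `db_ldap_set_opt_str` has OpenLDAP read the `char *` as an int, and the configured minimum version is not what ends up enforced. The name has to be mapped to the library constant and an unknown spelling refused, along the lines of the excerpt below (the `TLSv1.x` spellings follow how Dovecot documents `ssl_min_protocol` and must be checked against ssl-settings, which is outside this diff; add a `TLSv1.3` arm where the library defines `LDAP_OPT_X_TLS_PROTOCOL_TLS1_3`). `LDAP_OPT_X_TLS_ECNAME` and the other options added here are string-valued and are fine. The `ssl_client_require_valid_cert=no` → `LDAP_OPT_X_TLS_ALLOW` choice deserves a comment, e.g. `/* ALLOW: the server cert is still requested and checked, but a failed check does not abort the handshake */`, since the old `never`/`try` distinctions are gone and a reader of `requires ? "yes" : "no"` cannot tell what `no` means. The stray space in `"no" );` is a nit.
```c
	/* … unchanged: CA, cert, key and cipher options … */
	/* ldap_set_option(3): LDAP_OPT_X_TLS_PROTOCOL_MIN takes a const int *,
	   so the configured name is mapped rather than passed as a string. */
	int min_proto;
	const char *min_name = conn->ssl_set->ssl_min_protocol;
	if (strcmp(min_name, "TLSv1.2") == 0)
		min_proto = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
	else if (strcmp(min_name, "TLSv1.1") == 0)
		min_proto = LDAP_OPT_X_TLS_PROTOCOL_TLS1_1;
	else if (strcmp(min_name, "TLSv1") == 0)
		min_proto = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
	else
		i_fatal("LDAP: unsupported ssl_min_protocol '%s'", min_name);
	db_ldap_set_opt(NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN, &min_proto,
			"ssl_min_protocol", min_name);
	/* … unchanged: ECNAME and require-cert handling … */
```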
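Review bot: The new `db_ldap_conn_find` prototype line runs well past 80 columns, which the surrounding code keeps to (the `settings_equal` condition added a few lines down is wrapped for that reason); wrap it as `db_ldap_conn_find(const struct ldap_settings *set,` followed by an aligned `const struct ssl_settings *ssl_set)` continuation line. Widening the lookup key with the second `settings_equal` is the right thing, since two callers with different TLS settings must not share a handle; a one-line comment above the loop, `/* both the ldap and the ssl settings must match to share a connection */`, would save the next reader a trip to db_ldap_init() to see why.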
diff --git a/src/auth/db-ldap.h b/src/auth/db-ldap.h
index b20ec272b5..7a163ff795 100644
--- a/src/auth/db-ldap.h
+++ b/src/auth/db-ldap.h
@@ -116,6 +116,7 @@ struct ldap_connection {
 struct event *event;
 const struct ldap_settings *set;
+ const struct ssl_settings *ssl_set;
 LDAP *ld;
 enum ldap_connection_state conn_state;