
Revision efdba6ca

Added by Jim Pingle about 6 years ago

LDAP TLS option update. Implements #9417

(cherry picked from commit 996a1ad90e5682bf881bafd8b75d1b1a7e3f7831)


src/etc/inc/auth.inc
959 959
		return false;
960 960
	}
961 961

  
962
	/* Setup CA environment if needed. */
963
	ldap_setup_caenv($authcfg);
964

  
965 962
	/* connect and see if server is up */
966 963
	$error = false;
967 964
	if (!($ldap = ldap_connect($ldapserver))) {
......
973 970
		return false;
974 971
	}
975 972

  
973
	/* Setup CA environment if needed. */
974
	ldap_setup_caenv($ldap, $authcfg);
975

  
976 976
	return true;
977 977
}
978 978

  
979
function ldap_setup_caenv($authcfg) {
979
function ldap_setup_caenv($ldap, $authcfg) {
980 980
	global $g;
981 981
	require_once("certs.inc");
982 982

  
983 983
	unset($caref);
984 984
	if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) {
985
		putenv('LDAPTLS_REQCERT=never');
985
		ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
986 986
		return;
987 987
	} elseif ($authcfg['ldap_caref'] == "global") {
988
		putenv('LDAPTLS_REQCERT=hard');
989
		putenv("LDAPTLS_CACERTDIR=/etc/ssl/");
990
		putenv("LDAPTLS_CACERT=/etc/ssl/cert.pem");
988
		ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
989
		ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, "/etc/ssl/");
990
		ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
991 991
	} else {
992 992
		$caref = lookup_ca($authcfg['ldap_caref']);
993 993
		$param = array('caref' => $authcfg['ldap_caref']);
......
995 995
		if (!$caref) {
996 996
			log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
997 997
			/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
998
			putenv('LDAPTLS_REQCERT=hard');
998
			ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
999 999
			return;
1000 1000
		}
1001
		if (!is_dir("{$g['varrun_path']}/certs")) {
1002
			@mkdir("{$g['varrun_path']}/certs");
1003
		}
1004
		if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
1005
			@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
1006
		}
1007
		file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
1008
		@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
1009
		putenv('LDAPTLS_REQCERT=hard');
1001

  
1002
		safe_mkdir($cert_path);
1003
		unlink_if_exists("{$cert_path}/{$caref['refid']}.ca");
1004
		file_put_contents("{$cert_path}/{$caref['refid']}.ca", $cachain);
1005
		@chmod("{$cert_path}/{$caref['refid']}.ca", 0600);
1006

  
1007
		ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
1010 1008
		/* XXX: Probably even the hashed link should be created for this? */
1011
		putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
1012
		putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
1009
		ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, $cert_path);
1010
		ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "{$cert_path}/{$caref['refid']}.ca");
1013 1011
	}
1014 1012
}
1015 1013

  
......
1046 1044
		return false;
1047 1045
	}
1048 1046

  
1049
	/* Setup CA environment if needed. */
1050
	ldap_setup_caenv($authcfg);
1051

  
1052 1047
	/* connect and see if server is up */
1053 1048
	$error = false;
1054 1049
	if (!($ldap = ldap_connect($ldapserver))) {
......
1060 1055
		return false;
1061 1056
	}
1062 1057

  
1058
	/* Setup CA environment if needed. */
1059
	ldap_setup_caenv($ldap, $authcfg);
1060

  
1063 1061
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
1064 1062
	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
1065 1063
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
......
1134 1132
		return $ous;
1135 1133
	}
1136 1134

  
1137
	/* Setup CA environment if needed. */
1138
	ldap_setup_caenv($authcfg);
1139

  
1140 1135
	/* connect and see if server is up */
1141 1136
	$error = false;
1142 1137
	if (!($ldap = ldap_connect($ldapserver))) {
......
1148 1143
		return $ous;
1149 1144
	}
1150 1145

  
1146
	/* Setup CA environment if needed. */
1147
	ldap_setup_caenv($ldap, $authcfg);
1148

  
1151 1149
	$ldapfilter = "(|(ou=*)(cn=Users))";
1152 1150

  
1153 1151
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
......
1279 1277
	$ldapgroupattribute = strtolower($ldapgroupattribute);
1280 1278
	$memberof = array();
1281 1279

  
1282
	/* Setup CA environment if needed. */
1283
	ldap_setup_caenv($authcfg);
1284

  
1285 1280
	/* connect and see if server is up */
1286 1281
	$error = false;
1287 1282
	if (!($ldap = ldap_connect($ldapserver))) {
......
1293 1288
		return $memberof;
1294 1289
	}
1295 1290

  
1291
	/* Setup CA environment if needed. */
1292
	ldap_setup_caenv($ldap, $authcfg);
1293

  
1296 1294
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
1297 1295
	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
1298 1296
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
......
1432 1430
		return null;
1433 1431
	}
1434 1432

  
1435
	/* Setup CA environment if needed. */
1436
	ldap_setup_caenv($authcfg);
1437

  
1438 1433
	/* Make sure we can connect to LDAP */
1439 1434
	$error = false;
1440 1435
	if (!($ldap = ldap_connect($ldapserver))) {
1441 1436
		$error = true;
1442 1437
	}
1443 1438

  
1439
	/* Setup CA environment if needed. */
1440
	ldap_setup_caenv($ldap, $authcfg);
1441

  
1444 1442
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
1445 1443
	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
1446 1444
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
