Revision efdba6ca
Added by Jim Pingle about 6 years ago
| src/etc/inc/auth.inc | ||
|---|---|---|
| 959 | 959 |
return false; |
| 960 | 960 |
} |
| 961 | 961 |
|
| 962 |
/* Setup CA environment if needed. */ |
|
| 963 |
ldap_setup_caenv($authcfg); |
|
| 964 |
|
|
| 965 | 962 |
/* connect and see if server is up */ |
| 966 | 963 |
$error = false; |
| 967 | 964 |
if (!($ldap = ldap_connect($ldapserver))) {
|
| ... | ... | |
| 973 | 970 |
return false; |
| 974 | 971 |
} |
| 975 | 972 |
|
| 973 |
/* Setup CA environment if needed. */ |
|
| 974 |
ldap_setup_caenv($ldap, $authcfg); |
|
| 975 |
|
|
| 976 | 976 |
return true; |
| 977 | 977 |
} |
| 978 | 978 |
|
| 979 |
function ldap_setup_caenv($authcfg) {
|
|
| 979 |
function ldap_setup_caenv($ldap, $authcfg) {
|
|
| 980 | 980 |
global $g; |
| 981 | 981 |
require_once("certs.inc");
|
| 982 | 982 |
|
| 983 | 983 |
unset($caref); |
| 984 | 984 |
if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) {
|
| 985 |
putenv('LDAPTLS_REQCERT=never');
|
|
| 985 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
|
|
| 986 | 986 |
return; |
| 987 | 987 |
} elseif ($authcfg['ldap_caref'] == "global") {
|
| 988 |
putenv('LDAPTLS_REQCERT=hard');
|
|
| 989 |
putenv("LDAPTLS_CACERTDIR=/etc/ssl/");
|
|
| 990 |
putenv("LDAPTLS_CACERT=/etc/ssl/cert.pem");
|
|
| 988 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
|
|
| 989 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, "/etc/ssl/");
|
|
| 990 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
|
|
| 991 | 991 |
} else {
|
| 992 | 992 |
$caref = lookup_ca($authcfg['ldap_caref']); |
| 993 | 993 |
$param = array('caref' => $authcfg['ldap_caref']);
|
| ... | ... | |
| 995 | 995 |
if (!$caref) {
|
| 996 | 996 |
log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
|
| 997 | 997 |
/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */ |
| 998 |
putenv('LDAPTLS_REQCERT=hard');
|
|
| 998 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
|
|
| 999 | 999 |
return; |
| 1000 | 1000 |
} |
| 1001 |
if (!is_dir("{$g['varrun_path']}/certs")) {
|
|
| 1002 |
@mkdir("{$g['varrun_path']}/certs");
|
|
| 1003 |
} |
|
| 1004 |
if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
|
|
| 1005 |
@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
|
|
| 1006 |
} |
|
| 1007 |
file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
|
|
| 1008 |
@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
|
|
| 1009 |
putenv('LDAPTLS_REQCERT=hard');
|
|
| 1001 |
|
|
| 1002 |
safe_mkdir($cert_path); |
|
| 1003 |
unlink_if_exists("{$cert_path}/{$caref['refid']}.ca");
|
|
| 1004 |
file_put_contents("{$cert_path}/{$caref['refid']}.ca", $cachain);
|
|
| 1005 |
@chmod("{$cert_path}/{$caref['refid']}.ca", 0600);
|
|
| 1006 |
|
|
| 1007 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD); |
|
| 1010 | 1008 |
/* XXX: Probably even the hashed link should be created for this? */ |
| 1011 |
putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
|
|
| 1012 |
putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
|
|
| 1009 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, $cert_path);
|
|
| 1010 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "{$cert_path}/{$caref['refid']}.ca");
|
|
| 1013 | 1011 |
} |
| 1014 | 1012 |
} |
| 1015 | 1013 |
|
| ... | ... | |
| 1046 | 1044 |
return false; |
| 1047 | 1045 |
} |
| 1048 | 1046 |
|
| 1049 |
/* Setup CA environment if needed. */ |
|
| 1050 |
ldap_setup_caenv($authcfg); |
|
| 1051 |
|
|
| 1052 | 1047 |
/* connect and see if server is up */ |
| 1053 | 1048 |
$error = false; |
| 1054 | 1049 |
if (!($ldap = ldap_connect($ldapserver))) {
|
| ... | ... | |
| 1060 | 1055 |
return false; |
| 1061 | 1056 |
} |
| 1062 | 1057 |
|
| 1058 |
/* Setup CA environment if needed. */ |
|
| 1059 |
ldap_setup_caenv($ldap, $authcfg); |
|
| 1060 |
|
|
| 1063 | 1061 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
| 1064 | 1062 |
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); |
| 1065 | 1063 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); |
| ... | ... | |
| 1134 | 1132 |
return $ous; |
| 1135 | 1133 |
} |
| 1136 | 1134 |
|
| 1137 |
/* Setup CA environment if needed. */ |
|
| 1138 |
ldap_setup_caenv($authcfg); |
|
| 1139 |
|
|
| 1140 | 1135 |
/* connect and see if server is up */ |
| 1141 | 1136 |
$error = false; |
| 1142 | 1137 |
if (!($ldap = ldap_connect($ldapserver))) {
|
| ... | ... | |
| 1148 | 1143 |
return $ous; |
| 1149 | 1144 |
} |
| 1150 | 1145 |
|
| 1146 |
/* Setup CA environment if needed. */ |
|
| 1147 |
ldap_setup_caenv($ldap, $authcfg); |
|
| 1148 |
|
|
| 1151 | 1149 |
$ldapfilter = "(|(ou=*)(cn=Users))"; |
| 1152 | 1150 |
|
| 1153 | 1151 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
| ... | ... | |
| 1279 | 1277 |
$ldapgroupattribute = strtolower($ldapgroupattribute); |
| 1280 | 1278 |
$memberof = array(); |
| 1281 | 1279 |
|
| 1282 |
/* Setup CA environment if needed. */ |
|
| 1283 |
ldap_setup_caenv($authcfg); |
|
| 1284 |
|
|
| 1285 | 1280 |
/* connect and see if server is up */ |
| 1286 | 1281 |
$error = false; |
| 1287 | 1282 |
if (!($ldap = ldap_connect($ldapserver))) {
|
| ... | ... | |
| 1293 | 1288 |
return $memberof; |
| 1294 | 1289 |
} |
| 1295 | 1290 |
|
| 1291 |
/* Setup CA environment if needed. */ |
|
| 1292 |
ldap_setup_caenv($ldap, $authcfg); |
|
| 1293 |
|
|
| 1296 | 1294 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
| 1297 | 1295 |
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); |
| 1298 | 1296 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); |
| ... | ... | |
| 1432 | 1430 |
return null; |
| 1433 | 1431 |
} |
| 1434 | 1432 |
|
| 1435 |
/* Setup CA environment if needed. */ |
|
| 1436 |
ldap_setup_caenv($authcfg); |
|
| 1437 |
|
|
| 1438 | 1433 |
/* Make sure we can connect to LDAP */ |
| 1439 | 1434 |
$error = false; |
| 1440 | 1435 |
if (!($ldap = ldap_connect($ldapserver))) {
|
| 1441 | 1436 |
$error = true; |
| 1442 | 1437 |
} |
| 1443 | 1438 |
|
| 1439 |
/* Setup CA environment if needed. */ |
|
| 1440 |
ldap_setup_caenv($ldap, $authcfg); |
|
| 1441 |
|
|
| 1444 | 1442 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
| 1445 | 1443 |
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); |
| 1446 | 1444 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); |
Also available in: Unified diff
LDAP TLS option update. Implements #9417
(cherry picked from commit 996a1ad90e5682bf881bafd8b75d1b1a7e3f7831)