Revision efdba6ca
Added by Jim Pingle about 6 years ago
src/etc/inc/auth.inc | ||
---|---|---|
959 | 959 |
return false; |
960 | 960 |
} |
961 | 961 |
|
962 |
/* Setup CA environment if needed. */ |
|
963 |
ldap_setup_caenv($authcfg); |
|
964 |
|
|
965 | 962 |
/* connect and see if server is up */ |
966 | 963 |
$error = false; |
967 | 964 |
if (!($ldap = ldap_connect($ldapserver))) { |
... | ... | |
973 | 970 |
return false; |
974 | 971 |
} |
975 | 972 |
|
973 |
/* Setup CA environment if needed. */ |
|
974 |
ldap_setup_caenv($ldap, $authcfg); |
|
975 |
|
|
976 | 976 |
return true; |
977 | 977 |
} |
978 | 978 |
|
979 |
function ldap_setup_caenv($authcfg) { |
|
979 |
function ldap_setup_caenv($ldap, $authcfg) {
|
|
980 | 980 |
global $g; |
981 | 981 |
require_once("certs.inc"); |
982 | 982 |
|
983 | 983 |
unset($caref); |
984 | 984 |
if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) { |
985 |
putenv('LDAPTLS_REQCERT=never');
|
|
985 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
|
|
986 | 986 |
return; |
987 | 987 |
} elseif ($authcfg['ldap_caref'] == "global") { |
988 |
putenv('LDAPTLS_REQCERT=hard');
|
|
989 |
putenv("LDAPTLS_CACERTDIR=/etc/ssl/");
|
|
990 |
putenv("LDAPTLS_CACERT=/etc/ssl/cert.pem");
|
|
988 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
|
|
989 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, "/etc/ssl/");
|
|
990 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
|
|
991 | 991 |
} else { |
992 | 992 |
$caref = lookup_ca($authcfg['ldap_caref']); |
993 | 993 |
$param = array('caref' => $authcfg['ldap_caref']); |
... | ... | |
995 | 995 |
if (!$caref) { |
996 | 996 |
log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref'])); |
997 | 997 |
/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */ |
998 |
putenv('LDAPTLS_REQCERT=hard');
|
|
998 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
|
|
999 | 999 |
return; |
1000 | 1000 |
} |
1001 |
if (!is_dir("{$g['varrun_path']}/certs")) { |
|
1002 |
@mkdir("{$g['varrun_path']}/certs"); |
|
1003 |
} |
|
1004 |
if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) { |
|
1005 |
@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca"); |
|
1006 |
} |
|
1007 |
file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain); |
|
1008 |
@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600); |
|
1009 |
putenv('LDAPTLS_REQCERT=hard'); |
|
1001 |
|
|
1002 |
safe_mkdir($cert_path); |
|
1003 |
unlink_if_exists("{$cert_path}/{$caref['refid']}.ca"); |
|
1004 |
file_put_contents("{$cert_path}/{$caref['refid']}.ca", $cachain); |
|
1005 |
@chmod("{$cert_path}/{$caref['refid']}.ca", 0600); |
|
1006 |
|
|
1007 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD); |
|
1010 | 1008 |
/* XXX: Probably even the hashed link should be created for this? */ |
1011 |
putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
|
|
1012 |
putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
|
|
1009 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, $cert_path);
|
|
1010 |
ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "{$cert_path}/{$caref['refid']}.ca");
|
|
1013 | 1011 |
} |
1014 | 1012 |
} |
1015 | 1013 |
|
... | ... | |
1046 | 1044 |
return false; |
1047 | 1045 |
} |
1048 | 1046 |
|
1049 |
/* Setup CA environment if needed. */ |
|
1050 |
ldap_setup_caenv($authcfg); |
|
1051 |
|
|
1052 | 1047 |
/* connect and see if server is up */ |
1053 | 1048 |
$error = false; |
1054 | 1049 |
if (!($ldap = ldap_connect($ldapserver))) { |
... | ... | |
1060 | 1055 |
return false; |
1061 | 1056 |
} |
1062 | 1057 |
|
1058 |
/* Setup CA environment if needed. */ |
|
1059 |
ldap_setup_caenv($ldap, $authcfg); |
|
1060 |
|
|
1063 | 1061 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
1064 | 1062 |
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); |
1065 | 1063 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); |
... | ... | |
1134 | 1132 |
return $ous; |
1135 | 1133 |
} |
1136 | 1134 |
|
1137 |
/* Setup CA environment if needed. */ |
|
1138 |
ldap_setup_caenv($authcfg); |
|
1139 |
|
|
1140 | 1135 |
/* connect and see if server is up */ |
1141 | 1136 |
$error = false; |
1142 | 1137 |
if (!($ldap = ldap_connect($ldapserver))) { |
... | ... | |
1148 | 1143 |
return $ous; |
1149 | 1144 |
} |
1150 | 1145 |
|
1146 |
/* Setup CA environment if needed. */ |
|
1147 |
ldap_setup_caenv($ldap, $authcfg); |
|
1148 |
|
|
1151 | 1149 |
$ldapfilter = "(|(ou=*)(cn=Users))"; |
1152 | 1150 |
|
1153 | 1151 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
... | ... | |
1279 | 1277 |
$ldapgroupattribute = strtolower($ldapgroupattribute); |
1280 | 1278 |
$memberof = array(); |
1281 | 1279 |
|
1282 |
/* Setup CA environment if needed. */ |
|
1283 |
ldap_setup_caenv($authcfg); |
|
1284 |
|
|
1285 | 1280 |
/* connect and see if server is up */ |
1286 | 1281 |
$error = false; |
1287 | 1282 |
if (!($ldap = ldap_connect($ldapserver))) { |
... | ... | |
1293 | 1288 |
return $memberof; |
1294 | 1289 |
} |
1295 | 1290 |
|
1291 |
/* Setup CA environment if needed. */ |
|
1292 |
ldap_setup_caenv($ldap, $authcfg); |
|
1293 |
|
|
1296 | 1294 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
1297 | 1295 |
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); |
1298 | 1296 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); |
... | ... | |
1432 | 1430 |
return null; |
1433 | 1431 |
} |
1434 | 1432 |
|
1435 |
/* Setup CA environment if needed. */ |
|
1436 |
ldap_setup_caenv($authcfg); |
|
1437 |
|
|
1438 | 1433 |
/* Make sure we can connect to LDAP */ |
1439 | 1434 |
$error = false; |
1440 | 1435 |
if (!($ldap = ldap_connect($ldapserver))) { |
1441 | 1436 |
$error = true; |
1442 | 1437 |
} |
1443 | 1438 |
|
1439 |
/* Setup CA environment if needed. */ |
|
1440 |
ldap_setup_caenv($ldap, $authcfg); |
|
1441 |
|
|
1444 | 1442 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
1445 | 1443 |
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); |
1446 | 1444 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); |
LDAP TLS option update. Implements #9417
(cherry picked from commit 996a1ad90e5682bf881bafd8b75d1b1a7e3f7831)