Revision ff500c90
Added by Jim Pingle about 8 years ago
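--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -883,6 +883,8 @@
 return;
 } else {
 $caref = lookup_ca($authcfg['ldap_caref']);
+$param = array('caref' => $authcfg['ldap_caref']);
+$cachain = ca_chain($param);
 if (!$caref) {
 log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
 /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
@@ -895,7 +897,7 @@
 if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
 @unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
 }
-file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
+file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
 @chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
 putenv('LDAPTLS_REQCERT=hard');
 /* XXX: Probably even the hashed link should be created for this? */
@@ -958,7 +960,7 @@
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 
 if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-if (!(ldap_start_tls($ldap))) {
+if (!(@ldap_start_tls($ldap))) {
 log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname));
 @ldap_close($ldap);
 return false;
@@ -1048,7 +1050,7 @@
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 
 if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-if (!(ldap_start_tls($ldap))) {
+if (!(@ldap_start_tls($ldap))) {
 log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s."), $ldapname));
 @ldap_close($ldap);
 return false;
@@ -1191,7 +1193,7 @@
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 
 if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-if (!(ldap_start_tls($ldap))) {
+if (!(@ldap_start_tls($ldap))) {
 log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname));
 @ldap_close($ldap);
 return false;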
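Review bot: In the first hunk `ca_chain($param)` is called before the `if (!$caref)` guard that follows it, so a reference that `lookup_ca()` could not resolve is still passed to `ca_chain()` before the existing bail-out runs; placing the two added lines below that guard keeps the failure path exactly where the old code had it. The second hunk then writes `$cachain` to the `.ca` file without checking it: if `ca_chain()` can return an empty or false value, the file is written empty and, with `LDAPTLS_REQCERT=hard` set on the next lines, the bind fails with a verification error that gives no hint the chain build was the cause; the `file_put_contents()` return value is likewise unchecked on the new line. A guard such as `if (empty($cachain)) { log_error(sprintf(gettext("LDAP: Could not build CA chain for host %s."), $authcfg['ldap_caref'])); ... }` taking the same exit as the `!$caref` branch would make that explicit — that branch's body and the enclosing block continue outside the hunk, so the exact exit is not visible here. In the three STARTTLS hunks the added `@` suppresses the libldap diagnostic, so appending `ldap_error($ldap)` to the existing `log_error()` messages would keep the failure reason in the log.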
Use the full CA chain when sending an LDAP SSL query. Fixes #7830
While here, fix a couple more ldap_start_tls() calls that need a preceding @.