From 6fb9bc86b7722a5acf9ed88f34368bef8c635cbd Mon Sep 17 00:00:00 2001
From: Landon Fuller
Date: Fri, 19 Apr 2013 16:27:59 -0400
Subject: [PATCH] Add a configuration option to enable LDAP Start TLS.

Signed-off-by: Love Hornquist Astrand
---
 doc/setup.texi | 1 +
 lib/hdb/hdb-ldap.c | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/doc/setup.texi b/doc/setup.texi
index cc8014ee4..2516e684a 100644
--- a/doc/setup.texi
+++ b/doc/setup.texi
@@ -1126,6 +1126,7 @@ enter the path to the kadmin acl file:
 hdb-ldap-structural-object = inetOrgPerson
 hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname
 hdb-ldap-secret-file = /path/to/file/containing/ldap/credentials
+ hdb-ldap-start-tls = false
 
 database = @{
 dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c
index c0dfe84a2..d748e0760 100644
--- a/lib/hdb/hdb-ldap.c
+++ b/lib/hdb/hdb-ldap.c
@@ -60,6 +60,7 @@ struct hdbldapdb {
 char *h_url;
 char *h_bind_dn;
 char *h_bind_password;
+ krb5_boolean h_start_tls;
 char *h_createbase;
 };
 
@@ -1590,6 +1591,17 @@ LDAP__connect(krb5_context context, HDB * db)
 return HDB_ERR_BADVERSION;
 }
 
+ if (((struct hdbldapdb *)db->hdb_db)->h_start_tls) {
+ rc = ldap_start_tls_s(HDB2LDAP(db), NULL, NULL);
+
+ if (rc != LDAP_SUCCESS) {
+ krb5_set_error_message(context, HDB_ERR_BADVERSION, "ldap_start_tls_s: %s", ldap_err2string(rc));
+ LDAP_close(context, db);
+ return HDB_ERR_BADVERSION;
+ }
+ }
+
 rc = ldap_sasl_bind_s(HDB2LDAP(db), bind_dn, sasl_method, &bv, NULL, NULL, NULL);
 if (rc != LDAP_SUCCESS) {
@@ -1913,6 +1925,10 @@ hdb_ldap_common(krb5_context context,
 krb5_config_file_free(context, tmp);
 }
 
+ h->h_start_tls = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", "hdb-ldap-start-tls", NULL);
+
 create_base = krb5_config_get_string(context, NULL, "kdc", "hdb-ldap-create-base", NULL);
 if (create_base == NULL)
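Review bot: A successful `ldap_start_tls_s` in the new block in LDAP__connect proves the link is encrypted, not that the LDAP server's certificate was verified — that policy is whatever libldap inherits from ldap.conf or `LDAPTLS_REQCERT`, and nothing here pins it, so a `never`/`allow` setting leaves the StartTLS hop open to an active man-in-the-middle while the bind credentials from `h_bind_password` are then sent over it. Consider forcing verification on the handle before the call, `int reqcert = LDAP_OPT_X_TLS_DEMAND; ldap_set_option(HDB2LDAP(db), LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);` (whether a per-handle setting takes effect without `LDAP_OPT_X_TLS_NEWCTX` depends on the libldap build and should be confirmed), or at least state in the option's documentation that certificate checking must be configured in libldap. The failure path reuses `HDB_ERR_BADVERSION`, the same code the preceding protocol-version check returns, so a TLS negotiation failure is indistinguishable from a version mismatch to callers except by the message string. Since StartTLS is presumably refused on an `ldaps://` connection (TLS already in place) and adds nothing over the default `ldapi:///` socket, a comment above the `if` such as `/* StartTLS only makes sense for ldap:// URLs; failure here is fatal so we never fall back to a cleartext bind */` would record the intended semantics. LDAP__connect begins and ends outside this hunk.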
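Review bot: The new `h->h_start_tls` assignment in hdb_ldap_common reads the flag with default FALSE and never cross-checks it against `h_url`, so `hdb-ldap-start-tls = true` combined with the default `ldapi:///` or an `ldaps://` URL is accepted here and only surfaces later, at every connect, as a StartTLS failure. A check at configuration time — warn or fail when the flag is set and the URL does not begin with `ldap://` — would report the misconfiguration once at startup; whether `h_url` is already populated at this point cannot be seen from the hunk, so the check may need to move to wherever the URL is parsed. A comment on the assignment would also help, e.g. `/* Off by default: the bind password goes in cleartext over a plain ldap:// URL unless this is set or ldaps:// is used */`. hdb_ldap_common continues outside this hunk.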