Commit 9ba7bda1 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

ITS#6642

parent 52ad705e
......@@ -26,6 +26,7 @@ OpenLDAP 2.4.24 Engineering
Fixed slapd-bdb error propogation to overlays (ITS#6633)
Fixed slapd-ldap debug output of timeout (ITS#6721)
Fixed slapd-ldap DNSSRV referral chaining (ITS#6565)
Fixed slapd-ldap with SASL/EXTERNAL (ITS#6642)
Fixed slapd-ndb to honor rootpw setting (ITS#6661)
Fixed slapd-meta anon retry with failed auth method (ITS#6643)
Fixed slapd-meta rebind proc (ITS#6665)
......
......@@ -668,6 +668,7 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
LDAP *ld = NULL;
#ifdef HAVE_TLS
int is_tls = op->o_conn->c_is_tls;
int flags = li->li_flags;
time_t lctime = (time_t)(-1);
slap_bindconf *sb;
#endif /* HAVE_TLS */
......@@ -727,11 +728,18 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
}
/* if required by the bindconf configuration, force TLS */
if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&
sb->sb_tls_ctx )
{
flags |= LDAP_BACK_F_USE_TLS;
}
ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
assert( li->li_uri_mutex_do_not_lock == 0 );
li->li_uri_mutex_do_not_lock = 1;
rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls,
li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text );
li->li_uri, flags, li->li_nretries, &rs->sr_text );
li->li_uri_mutex_do_not_lock = 0;
ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
if ( rs->sr_err != LDAP_SUCCESS ) {
......
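Review bot: The forced-TLS branch sets only `LDAP_BACK_F_USE_TLS` on the local `flags` copy, so whether a StartTLS failure is fatal still depends on the global `tls` directive having set `LDAP_BACK_F_TLS_CRITICAL`; if ldap_back_start_tls treats USE_TLS without TLS_CRITICAL as best-effort (as the `try-start` keyword elsewhere suggests), a connection that the acl/idassert bindconf requires to run over TLS would, on StartTLS failure, still go on to bind in the clear with those credentials. Either make the requirement explicit, `flags |= LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL;`, or extend the comment to say that best-effort is intended. The `sb` pointer compared here is assigned before the hunk, and ldap_back_prepare_conn starts and ends outside it.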
......@@ -274,6 +274,9 @@ typedef struct metatarget_t {
struct berval mt_binddn;
struct berval mt_bindpw;
/* we only care about the TLS options here */
slap_bindconf mt_tls;
slap_idassert_t mt_idassert;
#define mt_idassert_mode mt_idassert.si_mode
#define mt_idassert_authcID mt_idassert.si_bc.sb_authcId
......
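Review bot: The new `mt_tls` member is populated by bindconf_tls_parse/bindconf_tls_defaults in the config hunk, which allocate TLS option strings and a context, but no hunk in this commit releases them when a metatarget_t is torn down; unless the target destructor is updated outside this diff, those allocations leak on shutdown or target removal. The comment should also state ownership, e.g. `/* TLS-only bindconf for this target (\"tls <what> <opts>\"); other fields unused, must be released with the target */`.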
......@@ -620,7 +620,7 @@ meta_back_db_config(
fname, lineno, 0 );
return 1;
}
if ( argc != 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: missing password in \"bindpw <password>\" line\n",
......@@ -709,13 +709,6 @@ meta_back_db_config(
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
: &mi->mi_flags;
if ( argc != 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"tls <what>\" needs 1 argument.\n",
fname, lineno, 0 );
return( 1 );
}
/* start */
if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
*flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
......@@ -741,6 +734,26 @@ meta_back_db_config(
return( 1 );
}
if ( argc > 2 ) {
metatarget_t *mt = NULL;
int i;
if ( mi->mi_ntargets - 1 < 0 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: need \"uri\" directive first\n",
fname, lineno, 0 );
return 1;
}
mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
for ( i = 2; i < argc; i++ ) {
if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
return 1;
}
bindconf_tls_defaults( &mt->mt_tls );
}
} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
unsigned *flagsp = mi->mi_ntargets ?
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
......
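Review bot: Dropping the `argc != 2` guard leaves a bare `tls` line (argc == 1) unchecked, so `strcasecmp( argv[ 1 ], "start" )` just below reads argv[1] past the last argument before any error is reported; the new `argc > 2` block only covers the extra-arguments case. A minimum-argument check should replace the removed one; the updated message can describe the new syntax. The `tls` branch of meta_back_db_config continues outside the hunk.
```c
/* … unchanged: flagsp selection … */

			/* "tls <what> [<tls option>...]": <what> is mandatory */
			if ( argc < 2 ) {
				Debug( LDAP_DEBUG_ANY,
					"%s: line %d: \"tls <what> [tls options]\" needs at least 1 argument.\n",
					fname, lineno, 0 );
				return( 1 );
			}

			/* start */
			if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
```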
......@@ -281,6 +281,7 @@ meta_back_init_one_conn(
int do_return = 0;
#ifdef HAVE_TLS
int is_ldaps = 0;
int do_start_tls = 0;
#endif /* HAVE_TLS */
/* if the server is quarantined, and
......@@ -421,12 +422,33 @@ retry_lock:;
META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
#ifdef HAVE_TLS
if ( !is_ldaps ) {
slap_bindconf *sb = NULL;
if ( ispriv ) {
sb = &mt->mt_idassert.si_bc;
} else {
sb = &mt->mt_tls;
}
if ( sb->sb_tls_do_init ) {
bindconf_tls_set( sb, msc->msc_ld );
} else if ( sb->sb_tls_ctx ) {
ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
}
if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
do_start_tls = 1;
} else if ( META_BACK_TGT_USE_TLS( mt )
|| ( op->o_conn->c_is_tls && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
{
do_start_tls = 1;
}
}
/* start TLS ("tls [try-]{start|propagate}" statement) */
if ( ( META_BACK_TGT_USE_TLS( mt )
|| ( op->o_conn->c_is_tls
&& META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
&& !is_ldaps )
{
if ( do_start_tls ) {
#ifdef SLAP_STARTTLS_ASYNCHRONOUS
/*
* use asynchronous StartTLS; in case, chase referral
......
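Review bot: When `ispriv` is set, `sb` is always the idassert bindconf, so a privileged connection whose idassert block carries no TLS settings (`sb_tls_do_init` clear, `sb_tls_ctx` NULL) never has the target's own `tls` options from `mt_tls` applied, yet `do_start_tls` can still be set by `META_BACK_TGT_USE_TLS( mt )`; that StartTLS then runs with the library default context rather than the CA/cert configured for the target, which looks unintended. Falling back to `mt_tls` when the idassert bindconf has nothing to apply keeps the later `sb == &mt->mt_idassert.si_bc` test meaningful. Note also that the idassert-forced StartTLS is not marked critical here; if the failure path after the hunk honours only the target's TLS_CRITICAL flag, a failed StartTLS would continue and send the idassert credentials in the clear. meta_back_init_one_conn starts and ends outside the hunk.
```c
		slap_bindconf *sb = NULL;

		/* prefer the idassert TLS settings for privileged connections,
		 * but fall back to the target's "tls" options when it has none */
		if ( ispriv && ( mt->mt_idassert.si_bc.sb_tls_do_init
			|| mt->mt_idassert.si_bc.sb_tls_ctx ) )
		{
			sb = &mt->mt_idassert.si_bc;
		} else {
			sb = &mt->mt_tls;
		}
		/* … unchanged: bindconf_tls_set / LDAP_OPT_X_TLS_CTX and do_start_tls selection … */
```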