Gitweb:
http://git.exim.org/exim.git/commitdiff/5428a9463ae1080029a84a1b33e4a8a6915c5f28
Commit: 5428a9463ae1080029a84a1b33e4a8a6915c5f28
Parent: b0e85a8ff9297a4edab3f4b8262c933747a52e7f
Author: Todd Lyons <tlyons@???>
AuthorDate: Thu Oct 31 09:42:15 2013 -0700
Committer: Todd Lyons <tlyons@???>
CommitDate: Tue Nov 19 19:44:48 2013 -0800
Fix ldap option setting.
Some client libs set a global context, newer client libs set a global
default which then needs to be reloaded.
---
doc/doc-docbook/.gitignore | 3 +++
doc/doc-docbook/spec.xfpt | 12 ++++++++++++
doc/doc-txt/ChangeLog | 3 +++
src/src/lookups/ldap.c | 43 ++++++++++++++++++++++++++++++++++++-------
4 files changed, 54 insertions(+), 7 deletions(-)
diff --git a/doc/doc-docbook/.gitignore b/doc/doc-docbook/.gitignore
index fdcaf8b..ae93d18 100644
--- a/doc/doc-docbook/.gitignore
+++ b/doc/doc-docbook/.gitignore
@@ -6,4 +6,7 @@ spec.txt
filter*.xml
filter.ps
filter.pdf
+filter-txt.html
+filter.txt
local_params
+exim.8
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4b9f53e..5f1c25f 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -7040,6 +7040,18 @@ With sufficiently modern LDAP libraries, Exim supports forcing TLS over regular
LDAP connections, rather than the SSL-on-connect &`ldaps`&.
See the &%ldap_start_tls%& option.
+.new
+Starting with Exim 4.83, the initialization of LDAP with TLS is more tightly
+controlled. Every part of the TLS configuration can be configured by settings in
+&_exim.conf_&. Depending on the version of the client libraries installed on
+your system, some of the initialization may have required setting options in
+&_/etc/ldap.conf_& or &_~/.ldaprc_& to get TLS working with self-signed
+certificates. This revealed a nuance where the current UID that exim was
+running as could affect which config files it read. With Exim 4.83, these
+methods become optional, only taking effect if not specifically set in
+&_exim.conf_&.
+.wen
+
.section "LDAP quoting" "SECID68"
.cindex "LDAP" "quoting"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cc9238e..989ec52 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -20,6 +20,9 @@ TF/02 Portability fix for building lookup modules on Solaris when the xpg4
JH/01 Fix memory-handling in use of acl as a conditional; avoid free of
temporary space as the ACL may create new global variables.
+TL/01 LDAP support uses per connection or global context settings, depending
+ upon the detected version of the libraries at build time.
+
Exim version 4.82
-----------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 6129b4b..a25868f 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -280,6 +280,13 @@ if (lcp == NULL)
{
LDAP *ld;
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ int am_server = 0;
+ LDAP *ldsetctx;
+ #else
+ LDAP *ldsetctx = NULL;
+ #endif
+
/* --------------------------- OpenLDAP ------------------------ */
@@ -365,6 +372,10 @@ if (lcp == NULL)
goto RETURN_ERROR;
}
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ ldsetctx = ld;
+ #endif
+
/* Set the TCP connect time limit if available. This is something that is
in Netscape SDK v4.1; I don't know about other libraries. */
@@ -461,31 +472,31 @@ if (lcp == NULL)
#ifdef LDAP_OPT_X_TLS_CACERTFILE
if (eldap_ca_cert_file != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
}
#endif
#ifdef LDAP_OPT_X_TLS_CACERTDIR
if (eldap_ca_cert_dir != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
}
#endif
#ifdef LDAP_OPT_X_TLS_CERTFILE
if (eldap_cert_file != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
}
#endif
#ifdef LDAP_OPT_X_TLS_KEYFILE
if (eldap_cert_key != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
}
#endif
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
if (eldap_cipher_suite != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
}
#endif
#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
@@ -508,8 +519,26 @@ if (lcp == NULL)
{
cert_option = LDAP_OPT_X_TLS_TRY;
}
- /* Use NULL ldap handle because is a global option */
- ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ /* This ldap handle is set at compile time based on client libs. Older
+ * versions want it to be global and newer versions can force a reload
+ * of the TLS context (to reload these settings we are changing from the
+ * default that loaded at instantiation). */
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ if (rc)
+ {
+ DEBUG(D_lookup)
+ debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
+ cert_option, ldap_err2string(rc));
+ }
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
+ if (rc)
+ {
+ DEBUG(D_lookup)
+ debug_printf("Unable to reload TLS context %d: %s\n",
+ rc, ldap_err2string(rc));
}
#endif
