[exim-cvs] Fix ldap option setting.

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Fix ldap option setting.
Gitweb: http://git.exim.org/exim.git/commitdiff/5428a9463ae1080029a84a1b33e4a8a6915c5f28
Commit:     5428a9463ae1080029a84a1b33e4a8a6915c5f28
Parent:     b0e85a8ff9297a4edab3f4b8262c933747a52e7f
Author:     Todd Lyons <tlyons@???>
AuthorDate: Thu Oct 31 09:42:15 2013 -0700
Committer:  Todd Lyons <tlyons@???>
CommitDate: Tue Nov 19 19:44:48 2013 -0800


    Fix ldap option setting.


    Some client libs set a global context, newer client libs set a global
      default which then needs to be reloaded.
---
 doc/doc-docbook/.gitignore |  3 +++
 doc/doc-docbook/spec.xfpt  | 12 ++++++++++++
 doc/doc-txt/ChangeLog      |  3 +++
 src/src/lookups/ldap.c     | 43 ++++++++++++++++++++++++++++++++++++-------
 4 files changed, 54 insertions(+), 7 deletions(-)


diff --git a/doc/doc-docbook/.gitignore b/doc/doc-docbook/.gitignore
index fdcaf8b..ae93d18 100644
--- a/doc/doc-docbook/.gitignore
+++ b/doc/doc-docbook/.gitignore
@@ -6,4 +6,7 @@ spec.txt
filter*.xml
filter.ps
filter.pdf
+filter-txt.html
+filter.txt
local_params
+exim.8
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4b9f53e..5f1c25f 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -7040,6 +7040,18 @@ With sufficiently modern LDAP libraries, Exim supports forcing TLS over regular
LDAP connections, rather than the SSL-on-connect &`ldaps`&.
See the &%ldap_start_tls%& option.

+.new
+Starting with Exim 4.83, the initialization of LDAP with TLS is more tightly
+controlled. Every part of the TLS configuration can be configured by settings in
+&_exim.conf_&. Depending on the version of the client libraries installed on
+your system, some of the initialization may have required setting options in
+&_/etc/ldap.conf_& or &_~/.ldaprc_& to get TLS working with self-signed
+certificates. This revealed a nuance where the current UID that exim was
+running as could affect which config files it read. With Exim 4.83, these
+methods become optional, only taking effect if not specifically set in
+&_exim.conf_&.
+.wen
+

 .section "LDAP quoting" "SECID68"
 .cindex "LDAP" "quoting"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cc9238e..989ec52 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -20,6 +20,9 @@ TF/02 Portability fix for building lookup modules on Solaris when the xpg4
 JH/01 Fix memory-handling in use of acl as a conditional; avoid free of
       temporary space as the ACL may create new global variables.


+TL/01 LDAP support uses per connection or global context settings, depending
+      upon the detected version of the libraries at build time.
+


Exim version 4.82
-----------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 6129b4b..a25868f 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -280,6 +280,13 @@ if (lcp == NULL)
{
LDAP *ld;

+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ int am_server = 0;
+ LDAP *ldsetctx;
+ #else
+ LDAP *ldsetctx = NULL;
+ #endif
+

/* --------------------------- OpenLDAP ------------------------ */

@@ -365,6 +372,10 @@ if (lcp == NULL)
     goto RETURN_ERROR;
     }


+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ ldsetctx = ld;
+ #endif
+
/* Set the TCP connect time limit if available. This is something that is
in Netscape SDK v4.1; I don't know about other libraries. */

@@ -461,31 +472,31 @@ if (lcp == NULL)
   #ifdef LDAP_OPT_X_TLS_CACERTFILE
   if (eldap_ca_cert_file != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_CACERTDIR
   if (eldap_ca_cert_dir != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_CERTFILE
   if (eldap_cert_file != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_KEYFILE
   if (eldap_cert_key != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
   if (eldap_cipher_suite != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
@@ -508,8 +519,26 @@ if (lcp == NULL)
       {
       cert_option = LDAP_OPT_X_TLS_TRY;
       }
-    /* Use NULL ldap handle because is a global option */
-    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    /* This ldap handle is set at compile time based on client libs. Older
+     * versions want it to be global and newer versions can force a reload
+     * of the TLS context (to reload these settings we are changing from the
+     * default that loaded at instantiation). */
+    rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    if (rc)
+      {
+      DEBUG(D_lookup)
+        debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
+          cert_option, ldap_err2string(rc));
+      }
+    }
+  #endif
+  #ifdef LDAP_OPT_X_TLS_NEWCTX
+  rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
+  if (rc)
+    {
+    DEBUG(D_lookup)
+      debug_printf("Unable to reload TLS context %d: %s\n",
+                   rc, ldap_err2string(rc));
     }
   #endif