From 5428a9463ae1080029a84a1b33e4a8a6915c5f28 Mon Sep 17 00:00:00 2001
From: Todd Lyons
Date: Thu, 31 Oct 2013 09:42:15 -0700
Subject: [PATCH] Fix ldap option setting.

Some client libs set a global context, newer client libs set a global default which then needs to be reloaded.
---
 doc/doc-docbook/.gitignore | 3 +++
 doc/doc-docbook/spec.xfpt | 12 +++++++++++
 doc/doc-txt/ChangeLog | 3 +++
 src/src/lookups/ldap.c | 43 +++++++++++++++++++++++++++++++-------
 4 files changed, 54 insertions(+), 7 deletions(-)

diff --git a/doc/doc-docbook/.gitignore b/doc/doc-docbook/.gitignore
index fdcaf8b27..ae93d1875 100644
--- a/doc/doc-docbook/.gitignore
+++ b/doc/doc-docbook/.gitignore
@@ -6,4 +6,7 @@ spec.txt
 filter*.xml
 filter.ps
 filter.pdf
+filter-txt.html
+filter.txt
 local_params
+exim.8
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4b9f53ed1..5f1c25f41 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -7040,6 +7040,18 @@ With sufficiently modern LDAP libraries, Exim supports forcing TLS over regular LDAP connections, rather than the SSL-on-connect &`ldaps`&. See the &%ldap_start_tls%& option. +.new +Starting with Exim 4.83, the initialization of LDAP with TLS is more tightly +controlled. Every part of the TLS configuration can be configured by settings in +&_exim.conf_&. Depending on the version of the client libraries installed on +your system, some of the initialization may have required setting options in +&_/etc/ldap.conf_& or &_~/.ldaprc_& to get TLS working with self-signed +certificates. This revealed a nuance where the current UID that exim was +running as could affect which config files it read. With Exim 4.83, these +methods become optional, only taking effect if not specifically set in +&_exim.conf_&. +.wen + .section "LDAP quoting" "SECID68" .cindex "LDAP" "quoting"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cc9238e04..989ec52c5 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -20,6 +20,9 @@ TF/02 Portability fix for building lookup modules on Solaris when the xpg4 JH/01 Fix memory-handling in use of acl as a conditional; avoid free of temporary space as the ACL may create new global variables. +TL/01 LDAP support uses per connection or global context settings, depending + upon the detected version of the libraries at build time. + Exim version 4.82 -----------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 6129b4bfe..a25868f59 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -280,6 +280,13 @@ if (lcp == NULL) { LDAP *ld; + #ifdef LDAP_OPT_X_TLS_NEWCTX + int am_server = 0; + LDAP *ldsetctx; + #else + LDAP *ldsetctx = NULL; + #endif + /* --------------------------- OpenLDAP ------------------------ */
@@ -365,6 +372,10 @@ if (lcp == NULL) goto RETURN_ERROR; } + #ifdef LDAP_OPT_X_TLS_NEWCTX + ldsetctx = ld; + #endif + /* Set the TCP connect time limit if available. This is something that is in Netscape SDK v4.1; I don't know about other libraries. */
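Review bot: In the `#ifdef LDAP_OPT_X_TLS_NEWCTX` branch of the hunk at line 280, `LDAP *ldsetctx;` is declared without an initialiser and only receives `ld` in the later hunk at line 372, after the initialize call has succeeded, so every `ldap_set_option(ldsetctx, ...)` quietly depends on that ordering; declaring it as `LDAP *ldsetctx = NULL;` in both branches makes the declaration safe on its own (a NULL handle means the library's global default, which is exactly what the `#else` branch already relies on). `int am_server = 0;` also deserves a note on what the zero means, e.g. `int am_server = 0;  /* flag for LDAP_OPT_X_TLS_NEWCTX: 0 = client-side TLS context */`. Worth a comment as well: on the `#else` path all TLS options are now applied process-wide rather than to the handle, so if several ldap lookups with different TLS settings ever share a process, the last one set wins. The enclosing `if (lcp == NULL)` block begins before this hunk and continues past it.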
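Review bot: `ldsetctx = ld;` in the hunk at line 372 carries no explanation of why the per-connection handle is chosen here while the older-library build keeps NULL; a one-line comment such as `/* With LDAP_OPT_X_TLS_NEWCTX the TLS options below are set on this handle and applied by the NEWCTX reload */` would save the next reader a trip to the option-setting code a hundred lines further down. The assignment appears to sit just after the `goto RETURN_ERROR` for a failed initialize, so I assume `ld` is valid at this point; if any library-specific branch outside this hunk can reach it with a NULL `ld`, the later set_option calls would silently fall back to the global context. The surrounding block starts and ends outside the hunk.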
@@ -461,31 +472,31 @@ if (lcp == NULL)
 #ifdef LDAP_OPT_X_TLS_CACERTFILE
 if (eldap_ca_cert_file != NULL)
 {
- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
 }
 #endif
 #ifdef LDAP_OPT_X_TLS_CACERTDIR
 if (eldap_ca_cert_dir != NULL)
 {
- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
 }
 #endif
 #ifdef LDAP_OPT_X_TLS_CERTFILE
 if (eldap_cert_file != NULL)
 {
- ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
 }
 #endif
 #ifdef LDAP_OPT_X_TLS_KEYFILE
 if (eldap_cert_key != NULL)
 {
- ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
 }
 #endif
 #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
 if (eldap_cipher_suite != NULL)
 {
- ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
 }
 #endif
 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
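Review bot: The five `ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_*...)` calls in this hunk still discard their return value, whereas the REQUIRE_CERT call in the next hunk now checks `rc`; a CA file, CA directory, client certificate, key or cipher suite that the library rejects is therefore dropped silently and the connection goes ahead with whatever the library default (or the library's own config files) supplies, which can be a weaker verification or cipher policy than the administrator configured. For consistency with the next hunk each site should read `rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);` followed by `if (rc) DEBUG(D_lookup) debug_printf("Unable to set LDAP CA cert file: %s\n", ldap_err2string(rc));`, and the same for the other four options; `rc` appears to be in scope already, since the next hunk assigns it without declaring it. A rejected value for a verification-related option is better treated as a connection failure than as debug-only output. The enclosing `if (lcp == NULL)` block continues on both sides of this hunk.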
@@ -508,8 +519,26 @@ if (lcp == NULL)
 {
 cert_option = LDAP_OPT_X_TLS_TRY;
 }
- /* Use NULL ldap handle because is a global option */
- ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ /* This ldap handle is set at compile time based on client libs. Older
+ * versions want it to be global and newer versions can force a reload
+ * of the TLS context (to reload these settings we are changing from the
+ * default that loaded at instantiation). */
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ if (rc)
+ {
+ DEBUG(D_lookup)
+ debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
+ cert_option, ldap_err2string(rc));
+ }
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
+ if (rc)
+ {
+ DEBUG(D_lookup)
+ debug_printf("Unable to reload TLS context %d: %s\n",
+ rc, ldap_err2string(rc));
 }
 #endif
 
-- 
2.25.1
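Review bot: A failure to apply `LDAP_OPT_X_TLS_REQUIRE_CERT`, or to build the new TLS context via `LDAP_OPT_X_TLS_NEWCTX`, is only reported under `DEBUG(D_lookup)` and the code then carries on to connect, so a strict require-cert setting that the library rejected is silently replaced by the library's default policy, and a failed NEWCTX reload means the CA/certificate/key/cipher values set just above never reach the context actually used. Both `if (rc)` blocks should leave through the same `RETURN_ERROR` path the initialize failure uses — add `goto RETURN_ERROR;` after each `debug_printf` (setting whatever error text that label expects) — and the failure deserves a normal log line rather than debug-only output, since it changes the effective verification policy. The first message still says "globally" although on the NEWCTX path the option is set on the per-connection handle; `"Unable to set TLS require cert_option(%d): %s\n"` is accurate on both paths. The block that these braces close begins outside this hunk.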