From: Todd Lyons <tlyons@exim.org>
Date: Thu, 31 Oct 2013 16:42:15 +0000 (-0700)
Subject: Fix ldap option setting.
X-Git-Tag: exim-4_83_RC1~98
X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=commitdiff_plain;h=5428a9463ae1080029a84a1b33e4a8a6915c5f28

Fix ldap option setting.

Some client libs set a global context, newer client libs set a global
  default which then needs to be reloaded.
---

diff --git a/doc/doc-docbook/.gitignore b/doc/doc-docbook/.gitignore
index fdcaf8b27..ae93d1875 100644
--- a/doc/doc-docbook/.gitignore
+++ b/doc/doc-docbook/.gitignore
@@ -6,4 +6,7 @@ spec.txt
 filter*.xml
 filter.ps
 filter.pdf
+filter-txt.html
+filter.txt
 local_params
+exim.8
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4b9f53ed1..5f1c25f41 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -7040,6 +7040,18 @@ With sufficiently modern LDAP libraries, Exim supports forcing TLS over regular
 LDAP connections, rather than the SSL-on-connect &`ldaps`&.
 See the &%ldap_start_tls%& option.
 
+.new
+Starting with Exim 4.83, the initialization of LDAP with TLS is more tightly
+controlled. Every part of the TLS configuration can be configured by settings in
+&_exim.conf_&. Depending on the version of the client libraries installed on
+your system, some of the initialization may have required setting options in
+&_/etc/ldap.conf_& or &_~/.ldaprc_& to get TLS working with self-signed
+certificates. This revealed a nuance where the current UID that exim was
+running as could affect which config files it read. With Exim 4.83, these
+methods become optional, only taking effect if not specifically set in
+&_exim.conf_&.
+.wen
+
 
 .section "LDAP quoting" "SECID68"
 .cindex "LDAP" "quoting"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cc9238e04..989ec52c5 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -20,6 +20,9 @@ TF/02 Portability fix for building lookup modules on Solaris when the xpg4
 JH/01 Fix memory-handling in use of acl as a conditional; avoid free of
       temporary space as the ACL may create new global variables.
 
+TL/01 LDAP support uses per connection or global context settings, depending
+      upon the detected version of the libraries at build time.
+
 
 Exim version 4.82
 -----------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 6129b4bfe..a25868f59 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -280,6 +280,13 @@ if (lcp == NULL)
   {
   LDAP *ld;
 
+  #ifdef LDAP_OPT_X_TLS_NEWCTX
+  int  am_server = 0;
+  LDAP *ldsetctx;
+  #else
+  LDAP *ldsetctx = NULL;
+  #endif
+
 
   /* --------------------------- OpenLDAP ------------------------ */
 
@@ -365,6 +372,10 @@ if (lcp == NULL)
     goto RETURN_ERROR;
     }
 
+  #ifdef LDAP_OPT_X_TLS_NEWCTX
+  ldsetctx = ld;
+  #endif
+
   /* Set the TCP connect time limit if available. This is something that is
   in Netscape SDK v4.1; I don't know about other libraries. */
 
@@ -461,31 +472,31 @@ if (lcp == NULL)
   #ifdef LDAP_OPT_X_TLS_CACERTFILE
   if (eldap_ca_cert_file != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_CACERTDIR
   if (eldap_ca_cert_dir != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_CERTFILE
   if (eldap_cert_file != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_KEYFILE
   if (eldap_cert_key != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
   if (eldap_cipher_suite != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
@@ -508,8 +519,26 @@ if (lcp == NULL)
       {
       cert_option = LDAP_OPT_X_TLS_TRY;
       }
-    /* Use NULL ldap handle because is a global option */
-    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    /* This ldap handle is set at compile time based on client libs. Older
+     * versions want it to be global and newer versions can force a reload
+     * of the TLS context (to reload these settings we are changing from the
+     * default that loaded at instantiation). */
+    rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    if (rc)
+      {
+      DEBUG(D_lookup)
+        debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
+          cert_option, ldap_err2string(rc));
+      }
+    }
+  #endif
+  #ifdef LDAP_OPT_X_TLS_NEWCTX
+  rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
+  if (rc)
+    {
+    DEBUG(D_lookup)
+      debug_printf("Unable to reload TLS context %d: %s\n",
+                   rc, ldap_err2string(rc));
     }
   #endif