author | jim-p <jimp@netgate.com> | 2019-05-15 16:18:56 -0400 |
---|---|---|
committer | jim-p <jimp@netgate.com> | 2019-05-15 16:18:56 -0400 |
commit | 2bf6d4322622765bd1ce6ca8915ff75890885566 (patch) | |
tree | 13591276859f3e584fc60737d0ac8248074a6bf1 | |
parent | 657ab3933ad0b69e232282cb38eabd81d21dadad (diff) | |
Revert "LDAP TLS option update. Implements #9417"
This reverts commit efdba6ca75e001e8426b2ecab49f71b53d5c9e30.
-rw-r--r-- | src/etc/inc/auth.inc | 62 |
1 files changed, 32 insertions, 30 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index d8620b8..0ba3a5d 100644 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -959,6 +959,9 @@ function ldap_test_connection($authcfg) { return false; } + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ $error = false; if (!($ldap = ldap_connect($ldapserver))) { @@ -970,24 +973,21 @@ function ldap_test_connection($authcfg) { return false; } - /* Setup CA environment if needed. */ - ldap_setup_caenv($ldap, $authcfg); - return true; } -function ldap_setup_caenv($ldap, $authcfg) { +function ldap_setup_caenv($authcfg) { global $g; require_once("certs.inc"); unset($caref); if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) { - ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER); + putenv('LDAPTLS_REQCERT=never'); return; } elseif ($authcfg['ldap_caref'] == "global") { - ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD); - ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, "/etc/ssl/"); - ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem"); + putenv('LDAPTLS_REQCERT=hard'); + putenv("LDAPTLS_CACERTDIR=/etc/ssl/"); + putenv("LDAPTLS_CACERT=/etc/ssl/cert.pem"); } else { $caref = lookup_ca($authcfg['ldap_caref']); $param = array('caref' => $authcfg['ldap_caref']); 
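Review bot: In the first branch of ldap_setup_caenv(), `putenv('LDAPTLS_REQCERT=never')` is exported whenever `ldap_caref` is empty, not only when `ldap_urltype` contains "Standard", so an SSL or STARTTLS server configured without a CA gets a TLS session with no server-certificate check and the bind credentials sent over it can be read by anyone positioned on the path. That fall-through is silent; it should at least leave a trace for the operator, e.g. `log_error(gettext("LDAP: no CA configured, the TLS server certificate will not be verified."));` placed before the `return;` in that branch. The `strstr()` test is a substring match and `== "global"` is a loose comparison, which is fine for these fixed strings but worth a one-line comment since the values come from the stored configuration. ldap_setup_caenv() continues into the next hunk.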
@@ -995,19 +995,21 @@ function ldap_setup_caenv($ldap, $authcfg) { if (!$caref) { log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref'])); /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */ - ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD); + putenv('LDAPTLS_REQCERT=hard'); return; } - - safe_mkdir($cert_path); - unlink_if_exists("{$cert_path}/{$caref['refid']}.ca"); - file_put_contents("{$cert_path}/{$caref['refid']}.ca", $cachain); - @chmod("{$cert_path}/{$caref['refid']}.ca", 0600); - - ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD); + if (!is_dir("{$g['varrun_path']}/certs")) { + @mkdir("{$g['varrun_path']}/certs"); + } + if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) { + @unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca"); + } + file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain); + @chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600); + putenv('LDAPTLS_REQCERT=hard'); /* XXX: Probably even the hashed link should be created for this? */ - ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, $cert_path); - ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "{$cert_path}/{$caref['refid']}.ca"); + putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs"); + putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca"); } } @@ -1044,6 +1046,9 @@ function ldap_test_bind($authcfg) { return false; } + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ $error = false; if (!($ldap = ldap_connect($ldapserver))) { 
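Review bot: In the else branch of ldap_setup_caenv(), the results of `@mkdir(...)`, `@unlink(...)` and `file_put_contents(...)` are all discarded, so if the CA chain cannot be written the code still exports `LDAPTLS_REQCERT=hard` with `LDAPTLS_CACERT` pointing at a missing or stale file; the bind then fails closed, but nothing in the log explains why. Keep `putenv('LDAPTLS_REQCERT=hard');` ahead of the write and check it: `if (file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain) === false) { log_error(sprintf(gettext("LDAP: Could not write CA chain for %s."), $caref['refid'])); return; }` (`$cachain` is built outside this hunk). The `LDAPTLS_CACERTDIR` line only helps libldap when the directory holds hash-named links, which the existing XXX comment already concedes is not done here, so it adds nothing over `LDAPTLS_CACERT` and could be dropped or the comment made explicit about that. The start of the function is in the previous hunk.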
@@ -1055,9 +1060,6 @@ function ldap_test_bind($authcfg) { return false; } - /* Setup CA environment if needed. */ - ldap_setup_caenv($ldap, $authcfg); - ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); @@ -1132,6 +1134,9 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) { return $ous; } + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ $error = false; if (!($ldap = ldap_connect($ldapserver))) { @@ -1143,9 +1148,6 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) { return $ous; } - /* Setup CA environment if needed. */ - ldap_setup_caenv($ldap, $authcfg); - $ldapfilter = "(|(ou=*)(cn=Users))"; ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); @@ -1277,6 +1279,9 @@ function ldap_get_groups($username, $authcfg) { $ldapgroupattribute = strtolower($ldapgroupattribute); $memberof = array(); + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ $error = false; if (!($ldap = ldap_connect($ldapserver))) { @@ -1288,9 +1293,6 @@ function ldap_get_groups($username, $authcfg) { return $memberof; } - /* Setup CA environment if needed. */ - ldap_setup_caenv($ldap, $authcfg); - ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); 
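Review bot: The `/* Setup CA environment if needed. */` preamble now sits verbatim ahead of ldap_connect() in ldap_get_user_ous() and ldap_get_groups() (and the other LDAP entry points in this commit), but the comment does not say why the position matters: with putenv() the settings live in the process environment rather than on the handle, so the call presumably has to precede ldap_connect() to be picked up when libldap initialises. Suggest `/* Setup CA environment if needed. Must run before ldap_connect(): the LDAPTLS_* settings come from the process environment, not from the handle. */`, or better, fold the repeated copies into one helper that sets the environment and returns the connected handle so the ordering cannot drift per function. Both functions extend beyond the hunks shown here.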
@@ -1430,15 +1432,15 @@ function ldap_backed($username, $passwd, $authcfg, &$attributes = array()) { return null; } + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* Make sure we can connect to LDAP */ $error = false; if (!($ldap = ldap_connect($ldapserver))) { $error = true; } - /* Setup CA environment if needed. */ - ldap_setup_caenv($ldap, $authcfg); - ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); |
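Review bot: ldap_backed() is the path that sends `$passwd` to the server, and its TLS trust now rests entirely on `ldap_setup_caenv($authcfg)` having exported LDAPTLS_* into the process environment before ldap_connect(). If, as OpenLDAP's libldap does, the library reads those variables only when it initialises its global options the first time, a PHP process that already opened a handle for a different server (another CA, or an entry that exported `LDAPTLS_REQCERT=never`) may keep the earlier settings, which the per-handle ldap_set_option() calls this commit reverts did not suffer from. That is inferred from the library rather than from these lines, so verify it against the libldap in use and, if confirmed, record it above the call, e.g. `/* LDAPTLS_* are process-wide; libldap may latch them on first use. */`. The rest of ldap_backed(), including any check of `$error` after the ldap_connect() failure, is outside the hunk.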