authorjim-p <jimp@netgate.com>2019-03-21 15:17:08 -0400
committerjim-p <jimp@netgate.com>2019-05-10 15:55:12 -0400
commitefdba6ca75e001e8426b2ecab49f71b53d5c9e30 (patch)
treeca2a5fc368ba9f98ccefda3ca1b036e322da281e
parent4a762cf05dd1c18fd133833c556f2a7956cf40f4 (diff)
downloadpfsense-efdba6ca75e001e8426b2ecab49f71b53d5c9e30.zip
pfsense-efdba6ca75e001e8426b2ecab49f71b53d5c9e30.tar.gz
LDAP TLS option update. Implements #9417
(cherry picked from commit 996a1ad90e5682bf881bafd8b75d1b1a7e3f7831)
-rw-r--r--src/etc/inc/auth.inc62
1 files changed, 30 insertions, 32 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 0ba3a5d..d8620b8 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -959,9 +959,6 @@ function ldap_test_connection($authcfg) {
return false;
}
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
/* connect and see if server is up */
$error = false;
if (!($ldap = ldap_connect($ldapserver))) {
@@ -973,21 +970,24 @@ function ldap_test_connection($authcfg) {
return false;
}
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
return true;
}
-function ldap_setup_caenv($authcfg) {
+function ldap_setup_caenv($ldap, $authcfg) {
global $g;
require_once("certs.inc");
unset($caref);
if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) {
- putenv('LDAPTLS_REQCERT=never');
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
return;
} elseif ($authcfg['ldap_caref'] == "global") {
- putenv('LDAPTLS_REQCERT=hard');
- putenv("LDAPTLS_CACERTDIR=/etc/ssl/");
- putenv("LDAPTLS_CACERT=/etc/ssl/cert.pem");
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, "/etc/ssl/");
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
} else {
$caref = lookup_ca($authcfg['ldap_caref']);
$param = array('caref' => $authcfg['ldap_caref']);
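Review bot: The return value of every `ldap_set_option()` call in ldap_setup_caenv is discarded (L45, L51-L53, and L62, L80, L84-L85 in the next hunk), so a call that fails — for example LDAP_OPT_X_TLS_REQUIRE_CERT not being settable on this build — leaves the connection on libldap's default verification policy while the caller proceeds to bind as if `hard` had been applied. The old putenv() code had the same blind spot, but now that the policy is per-connection it is cheap to check: `if (!ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD)) { log_error(gettext("LDAP: Could not set TLS certificate requirement")); }` on each HARD line, and likewise for the CACERTDIR/CACERTFILE lines. The per-connection TLS options only take effect if set before the TLS handshake, which the new call placement (after ldap_connect, before bind) appears to satisfy. The else branch of ldap_setup_caenv continues into the next hunk.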
@@ -995,21 +995,19 @@ function ldap_setup_caenv($authcfg) {
if (!$caref) {
log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
- putenv('LDAPTLS_REQCERT=hard');
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
return;
}
- if (!is_dir("{$g['varrun_path']}/certs")) {
- @mkdir("{$g['varrun_path']}/certs");
- }
- if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
- @unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
- }
- file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
- @chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
- putenv('LDAPTLS_REQCERT=hard');
+
+ safe_mkdir($cert_path);
+ unlink_if_exists("{$cert_path}/{$caref['refid']}.ca");
+ file_put_contents("{$cert_path}/{$caref['refid']}.ca", $cachain);
+ @chmod("{$cert_path}/{$caref['refid']}.ca", 0600);
+
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
/* XXX: Probably even the hashed link should be created for this? */
- putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
- putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, $cert_path);
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "{$cert_path}/{$caref['refid']}.ca");
}
}
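Review bot: `$cert_path` is read at L75-L78 and L84-L85 but no added line in this hunk assigns it, and the old code built the path from `$g['varrun_path']` inline; unless the single unchanged line between this hunk and the previous one sets it, the CA file would be written to `/{refid}.ca` at the filesystem root and `LDAP_OPT_X_TLS_CACERTDIR` would point at an unset variable. The missing line appears to be `$cert_path = "{$g['varrun_path']}/certs";` placed before the `safe_mkdir($cert_path);` at L75 (the `global $g` at L40 is still needed for it). `$cachain` at L77 is likewise not assigned in any visible line; presumably it is set on that same unchanged line. ldap_setup_caenv begins in the previous hunk.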
@@ -1046,9 +1044,6 @@ function ldap_test_bind($authcfg) {
return false;
}
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
/* connect and see if server is up */
$error = false;
if (!($ldap = ldap_connect($ldapserver))) {
@@ -1060,6 +1055,9 @@ function ldap_test_bind($authcfg) {
return false;
}
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
@@ -1134,9 +1132,6 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
return $ous;
}
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
/* connect and see if server is up */
$error = false;
if (!($ldap = ldap_connect($ldapserver))) {
@@ -1148,6 +1143,9 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
return $ous;
}
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
$ldapfilter = "(|(ou=*)(cn=Users))";
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
@@ -1279,9 +1277,6 @@ function ldap_get_groups($username, $authcfg) {
$ldapgroupattribute = strtolower($ldapgroupattribute);
$memberof = array();
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
/* connect and see if server is up */
$error = false;
if (!($ldap = ldap_connect($ldapserver))) {
@@ -1293,6 +1288,9 @@ function ldap_get_groups($username, $authcfg) {
return $memberof;
}
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
@@ -1432,15 +1430,15 @@ function ldap_backed($username, $passwd, $authcfg, &$attributes = array()) {
return null;
}
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
/* Make sure we can connect to LDAP */
$error = false;
if (!($ldap = ldap_connect($ldapserver))) {
$error = true;
}
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
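Review bot: In ldap_backed the new `ldap_setup_caenv($ldap, $authcfg);` at L153 runs even when ldap_connect() failed, because that path only sets `$error = true` at L150 instead of returning, so ldap_setup_caenv calls ldap_set_option() on a false handle. The other call sites in this commit (ldap_test_connection, ldap_test_bind, ldap_get_user_ous, ldap_get_groups) place the call after a `return` on connect failure; here the equivalent is to guard it, `if (!$error) { ldap_setup_caenv($ldap, $authcfg); }`, or move it after whatever `$error` check follows further down in the function. The existing ldap_set_option calls at L155-L157 have the same exposure, but the new call adds several more. ldap_backed continues outside the hunk.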