author | jim-p <jimp@netgate.com> | 2019-03-21 15:17:08 -0400 |
---|---|---|
committer | jim-p <jimp@netgate.com> | 2019-05-10 15:55:12 -0400 |
commit | efdba6ca75e001e8426b2ecab49f71b53d5c9e30 (patch) | |
tree | ca2a5fc368ba9f98ccefda3ca1b036e322da281e | |
parent | 4a762cf05dd1c18fd133833c556f2a7956cf40f4 (diff) | |
download | pfsense-efdba6ca75e001e8426b2ecab49f71b53d5c9e30.zip pfsense-efdba6ca75e001e8426b2ecab49f71b53d5c9e30.tar.gz |
LDAP TLS option update. Implements #9417
(cherry picked from commit 996a1ad90e5682bf881bafd8b75d1b1a7e3f7831)
-rw-r--r-- | src/etc/inc/auth.inc | 62 |
1 files changed, 30 insertions, 32 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 0ba3a5d..d8620b8 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -959,9 +959,6 @@ function ldap_test_connection($authcfg) {
 return false;
 }
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
 /* connect and see if server is up */
 $error = false;
 if (!($ldap = ldap_connect($ldapserver))) {
@@ -973,21 +970,24 @@ function ldap_test_connection($authcfg) {
 return false;
 }
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
 return true;
 }
-function ldap_setup_caenv($authcfg) {
+function ldap_setup_caenv($ldap, $authcfg) {
 global $g;
 require_once("certs.inc");
 unset($caref);
 if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) {
- putenv('LDAPTLS_REQCERT=never');
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
 return;
 } elseif ($authcfg['ldap_caref'] == "global") {
- putenv('LDAPTLS_REQCERT=hard');
- putenv("LDAPTLS_CACERTDIR=/etc/ssl/");
- putenv("LDAPTLS_CACERT=/etc/ssl/cert.pem");
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, "/etc/ssl/");
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
 } else {
 $caref = lookup_ca($authcfg['ldap_caref']);
 $param = array('caref' => $authcfg['ldap_caref']);
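Review bot: None of the ldap_set_option() calls in the rewritten ldap_setup_caenv check their return value, so if LDAP_OPT_X_TLS_REQUIRE_CERT or the CA directory/file cannot be applied to this handle the caller proceeds to bind with whatever verification level the library defaulted to, and nothing is logged. Since the point of moving from process-wide putenv() to per-connection options is to enforce verification for this connection, the `global` branch (and the per-CA branch in the next hunk) should fail closed, e.g. `if (!ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD)) { log_error(gettext("LDAP: Could not enable TLS certificate verification.")); return false; }` with the callers treating a false return as a connection failure. The function also deserves a header comment stating that it must be called after ldap_connect() and before ldap_start_tls()/ldap_bind(), which is the ordering every call site in this commit now relies on. ldap_setup_caenv continues past the end of this hunk.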
@@ -995,21 +995,19 @@ function ldap_setup_caenv($authcfg) {
 if (!$caref) {
 log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
 /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
- putenv('LDAPTLS_REQCERT=hard');
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
 return;
 }
- if (!is_dir("{$g['varrun_path']}/certs")) {
- @mkdir("{$g['varrun_path']}/certs");
- }
- if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
- @unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
- }
- file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
- @chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
- putenv('LDAPTLS_REQCERT=hard');
+
+ safe_mkdir($cert_path);
+ unlink_if_exists("{$cert_path}/{$caref['refid']}.ca");
+ file_put_contents("{$cert_path}/{$caref['refid']}.ca", $cachain);
+ @chmod("{$cert_path}/{$caref['refid']}.ca", 0600);
+
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
 /* XXX: Probably even the hashed link should be created for this? */
- putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
- putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, $cert_path);
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "{$cert_path}/{$caref['refid']}.ca");
 }
 }
@@ -1046,9 +1044,6 @@ function ldap_test_bind($authcfg) {
 return false;
 }
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
 /* connect and see if server is up */
 $error = false;
 if (!($ldap = ldap_connect($ldapserver))) {
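Review bot: `$cert_path` is read by safe_mkdir(), unlink_if_exists(), file_put_contents(), chmod() and both LDAP_OPT_X_TLS_CACERT* calls, but no line in this hunk or its context assigns it; the removed lines built the path inline from `{$g['varrun_path']}/certs`. Unless the single unchanged line between this hunk and the previous one happens to define it (it predates this change, so that seems unlikely), `$cert_path` is undefined here, the CA chain is written to `/<refid>.ca` at the filesystem root, and the CA directory option is set to an empty string, so certificate verification against the selected CA cannot succeed. Add `$cert_path = "{$g['varrun_path']}/certs";` immediately before `safe_mkdir($cert_path);`. The enclosing else branch and the function header are in the previous hunk.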
@@ -1060,6 +1055,9 @@ function ldap_test_bind($authcfg) {
 return false;
 }
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
@@ -1134,9 +1132,6 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 return $ous;
 }
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
 /* connect and see if server is up */
 $error = false;
 if (!($ldap = ldap_connect($ldapserver))) {
@@ -1148,6 +1143,9 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 return $ous;
 }
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
 $ldapfilter = "(|(ou=*)(cn=Users))";
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
@@ -1279,9 +1277,6 @@ function ldap_get_groups($username, $authcfg) {
 $ldapgroupattribute = strtolower($ldapgroupattribute);
 $memberof = array();
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
 /* connect and see if server is up */
 $error = false;
 if (!($ldap = ldap_connect($ldapserver))) {
@@ -1293,6 +1288,9 @@ function ldap_get_groups($username, $authcfg) {
 return $memberof;
 }
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
@@ -1432,15 +1430,15 @@ function ldap_backed($username, $passwd, $authcfg, &$attributes = array()) {
 return null;
 }
- /* Setup CA environment if needed. */
- ldap_setup_caenv($authcfg);
-
 /* Make sure we can connect to LDAP */
 $error = false;
 if (!($ldap = ldap_connect($ldapserver))) {
 $error = true;
 }
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($ldap, $authcfg);
+
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
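Review bot: In ldap_backed the new `ldap_setup_caenv($ldap, $authcfg);` runs even when ldap_connect() failed, because the preceding `if` only sets `$error = true` and falls through, so `$ldap` is false and every ldap_set_option() inside the helper is invoked on a non-handle (a warning on PHP 7, a TypeError on PHP 8). The other call sites changed in this commit return before the call on connection failure; this one should be guarded the same way, `if (!$error) { ldap_setup_caenv($ldap, $authcfg); }`, or moved past the point where `$error` is acted on. The context ldap_set_option() lines below have the same pre-existing exposure, and ldap_backed continues outside the hunk, so where `$error` is eventually checked is not visible here.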