author | Ermal <eri@pfsense.org> | 2011-07-15 13:10:40 +0000 |
committer | Ermal <eri@pfsense.org> | 2011-07-15 16:46:54 +0000 |
commit | b473da5f65e8c80ed7b1942a93fdcf1b06a8c2f3 (patch) | |
tree | 8d1f8fa9c259fb911f6f7334c09cfa4e3346dd49 /etc/inc/auth.inc | |
parent | 1852870ce67812aa8ab9c80ce7e7edb49634d4d5 (diff) | |
Ticket #1052. Enforce certificates, if they are present, when authenticating to LDAP. Allow selecting a CA under the LDAP-type authentication backend to be used for this.
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r-- | etc/inc/auth.inc | 48 |
1 files changed, 43 insertions, 5 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 92c3538..7b70671 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -620,8 +620,10 @@ function ldap_test_connection($authcfg) {
 if(!$ldapserver)
 return false;
 
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
 /* connect and see if server is up */
- putenv('LDAPTLS_REQCERT=never');
 $error = false;
 if (empty($ldapport)) {
 if (!($ldap = ldap_connect($ldapserver)))
@@ -637,6 +639,34 @@ function ldap_test_connection($authcfg) {
 return true;
 }
 
+function ldap_setup_caenv($authcfg) {
+ global $g;
+
+ unset($caref);
+ if (empty($authcfg['ldap_cacert']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
+ putenv('LDAPTLS_REQCERT=never');
+ return;
+ } else {
+ $caref = lookup_ca($authcfg['ldap_cacert']);
+ if (!$caref) {
+ log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_cacert']));
+ /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
+ putenv('LDAPTLS_REQCERT=hard');
+ return;
+ }
+ if (!is_dir("{$g['varrun_path']}/certs"))
+ @mkdir("{$g['varrun_path']}/certs");
+ if (file_exists("{$g['varrun_path']}/certs/{$authcfg['name']}.ca"))
+ @unlink("{$g['varrun_path']}/certs/{$authcfg['name']}.ca");
+ file_put_contents("{$g['varrun_path']}/certs/{$authcfg['name']}.ca", base64_decode($caref['crt']));
+ @chmod("{$g['varrun_path']}/certs/{$authcfg['name']}.ca", 0600);
+ putenv('LDAPTLS_REQCERT=hard');
+ /* XXX: Probably even the hashed link should be created for this? */
+ putenv("TLS_CACERTDIR={$g['varrun_path']}/certs");
+ putenv("TLS_CACERT={$g['varrun_path']}/certs/{$authcfg['name']}.ca");
+ }
+}
+
 function ldap_test_bind($authcfg) {
 global $debug, $config, $g;
 
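Review bot: In ldap_setup_caenv the `!$caref` branch sets `LDAPTLS_REQCERT=hard` but leaves `TLS_CACERT` and `TLS_CACERTDIR` untouched, so a process that earlier set them for a different backend would verify this server against that backend's CA instead of failing; reset them in that branch with `putenv('TLS_CACERT'); putenv('TLS_CACERTDIR');` (the early `never` branch would benefit from the same reset, since putenv() state persists for the rest of the process). The `TLS_CACERTDIR` line points at the shared `{$g['varrun_path']}/certs` directory that holds every backend's CA file, so if the hashed links mentioned in the XXX comment are ever created, any configured CA would be accepted for any backend; `TLS_CACERT` alone is enough for a single trust anchor. `$authcfg['name']` is used verbatim as a path component for the CA file, so a name containing path separators would write outside the certs directory — worth normalising (basename or a hash of the name) even though it comes from admin-managed config. The `unset($caref)` on a not-yet-assigned local is a no-op and can be dropped.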
@@ -662,8 +692,10 @@ function ldap_test_bind($authcfg) {
 if(!$ldapserver)
 return false;
 
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
 /* connect and see if server is up */
- putenv('LDAPTLS_REQCERT=never');
 $error = false;
 if (empty($ldapport)) {
 if (!($ldap = ldap_connect($ldapserver)))
@@ -729,8 +761,10 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 return $ous;
 }
 
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
 /* connect and see if server is up */
- putenv('LDAPTLS_REQCERT=never');
 $error = false;
 if (empty($ldapport)) {
 if (!($ldap = ldap_connect($ldapserver)))
@@ -840,8 +874,10 @@ function ldap_get_groups($username, $authcfg) {
 $ldapgroupattribute = strtolower($ldapgroupattribute);
 $memberof = array();
 
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
 /* connect and see if server is up */
- putenv('LDAPTLS_REQCERT=never');
 $error = false;
 if (empty($ldapport)) {
 if (!($ldap = ldap_connect($ldapserver)))
@@ -960,8 +996,10 @@ function ldap_backed($username, $passwd, $authcfg) {
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
 
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
 /* Make sure we can connect to LDAP */
- putenv('LDAPTLS_REQCERT=never');
 $error = false;
 if (empty($ldapport)) {
 if (!($ldap = ldap_connect($ldapserver)))
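Review bot: ldap_setup_caenv returns nothing, so at each of these four call sites (and the one in ldap_test_connection) a failed `lookup_ca` is only logged and execution continues into `ldap_connect` with `LDAPTLS_REQCERT=hard` and no CA configured; in ldap_backed the resulting failure is likely indistinguishable from a bad password or an unreachable server. Having the helper return `false` when the CA cannot be looked up and guarding each call with `if (!ldap_setup_caenv($authcfg)) return false;` (or the empty result for the getters) would make the misconfiguration fail closed explicitly rather than by accident. In the ldap_backed hunk the surrounding context lines call `ldap_set_option` on `$ldap` before `ldap_connect` assigns it; that ordering is pre-existing and the functions continue outside these hunks, but since the new call now sits between those lines it may be worth moving the option calls after the connect in the same change.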