authorErmal <eri@pfsense.org>2011-07-15 13:10:40 +0000
committerErmal <eri@pfsense.org>2011-07-15 13:10:40 +0000
commitfe2031ab18b967b31f95d865db07011a39ce6fcc (patch)
tree06759c005e263b681a21098a8273a84dc473beb1 /etc/inc/auth.inc
parente6bd231242cb43ad7e8fca8635d6adcb17f38186 (diff)
downloadpfsense-fe2031ab18b967b31f95d865db07011a39ce6fcc.zip
pfsense-fe2031ab18b967b31f95d865db07011a39ce6fcc.tar.gz
Ticket #1052. Enforce certificates, if they are present, for authenticating to LDAP. Allow selecting a CA under the LDAP-type authentication backend to be used for this.
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r--etc/inc/auth.inc48
1 files changed, 43 insertions, 5 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index e284943..e93bf02 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -627,8 +627,10 @@ function ldap_test_connection($authcfg) {
if(!$ldapserver)
return false;
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
/* connect and see if server is up */
- putenv('LDAPTLS_REQCERT=never');
$error = false;
if (empty($ldapport)) {
if (!($ldap = ldap_connect($ldapserver)))
@@ -644,6 +646,34 @@ function ldap_test_connection($authcfg) {
return true;
}
+function ldap_setup_caenv($authcfg) {
+ global $g;
+
+ unset($caref);
+ if (empty($authcfg['ldap_cacert']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
+ putenv('LDAPTLS_REQCERT=never');
+ return;
+ } else {
+ $caref = lookup_ca($authcfg['ldap_cacert']);
+ if (!$caref) {
+ log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_cacert']));
+ /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
+ putenv('LDAPTLS_REQCERT=hard');
+ return;
+ }
+ if (!is_dir("{$g['varrun_path']}/certs"))
+ @mkdir("{$g['varrun_path']}/certs");
+ if (file_exists("{$g['varrun_path']}/certs/{$authcfg['name']}.ca"))
+ @unlink("{$g['varrun_path']}/certs/{$authcfg['name']}.ca");
+ file_put_contents("{$g['varrun_path']}/certs/{$authcfg['name']}.ca", base64_decode($caref['crt']));
+ @chmod("{$g['varrun_path']}/certs/{$authcfg['name']}.ca", 0600);
+ putenv('LDAPTLS_REQCERT=hard');
+ /* XXX: Probably even the hashed link should be created for this? */
+ putenv("TLS_CACERTDIR={$g['varrun_path']}/certs");
+ putenv("TLS_CACERT={$g['varrun_path']}/certs/{$authcfg['name']}.ca");
+ }
+}
+
function ldap_test_bind($authcfg) {
global $debug, $config, $g;
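Review bot: The two CA environment variables set at the end of ldap_setup_caenv use the ldap.conf option names (`TLS_CACERTDIR`, `TLS_CACERT`), but libldap only picks these options up from the environment under the `LDAP` prefix (see ldap.conf(5)), the same way `LDAPTLS_REQCERT` is set a few lines earlier; as written the exported CA file is never consulted, so with REQCERT=hard every SSL bind not already covered by a system-wide ldap.conf CA would fail verification. The two lines should read `putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");` and `putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$authcfg['name']}.ca");`. The `file_put_contents` return value is also unchecked, so a failed write leaves TLS_CACERT pointing at a missing file with nothing logged; a log_error plus early return that keeps REQCERT=hard, mirroring the failed-lookup branch above it, would make that failure visible while still failing closed. `$authcfg['name']` is interpolated unescaped into the path under varrun_path; if the backend name is not validated elsewhere to exclude `/` and `..`, wrapping it in `basename()` here is a cheap guard. A short docblock stating the contract — SSL URL type plus a configured CA yields REQCERT=hard with the exported CA, otherwise verification is disabled with REQCERT=never — would help, since that fallback is easy to miss.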
@@ -669,8 +699,10 @@ function ldap_test_bind($authcfg) {
if(!$ldapserver)
return false;
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
/* connect and see if server is up */
- putenv('LDAPTLS_REQCERT=never');
$error = false;
if (empty($ldapport)) {
if (!($ldap = ldap_connect($ldapserver)))
@@ -736,8 +768,10 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
return $ous;
}
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
/* connect and see if server is up */
- putenv('LDAPTLS_REQCERT=never');
$error = false;
if (empty($ldapport)) {
if (!($ldap = ldap_connect($ldapserver)))
@@ -847,8 +881,10 @@ function ldap_get_groups($username, $authcfg) {
$ldapgroupattribute = strtolower($ldapgroupattribute);
$memberof = array();
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
/* connect and see if server is up */
- putenv('LDAPTLS_REQCERT=never');
$error = false;
if (empty($ldapport)) {
if (!($ldap = ldap_connect($ldapserver)))
@@ -967,8 +1003,10 @@ function ldap_backed($username, $passwd, $authcfg) {
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
/* Make sure we can connect to LDAP */
- putenv('LDAPTLS_REQCERT=never');
$error = false;
if (empty($ldapport)) {
if (!($ldap = ldap_connect($ldapserver)))