author | jim-p <jimp@pfsense.org> | 2017-08-30 14:07:35 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-08-30 14:08:27 -0400 |
commit | 389020e313919bb8f8cbb3204921befe928f9891 (patch) | |
tree | 991930b76cbf537022b17d2bf29a1109b1577a8d /src/etc/inc | |
parent | 56de61a7ddffafd326bff1a79359178347eda1c9 (diff) | |
download | pfsense-389020e313919bb8f8cbb3204921befe928f9891.zip pfsense-389020e313919bb8f8cbb3204921befe928f9891.tar.gz |
Use the full CA chain when sending an LDAP SSL query. Fixes #7830
While here, fix a couple more ldap_start_tls() calls that need a preceding @.
(cherry picked from commit ff500c90646c8db5abe77d7efb02c7d191df6902)
Diffstat (limited to 'src/etc/inc')
-rw-r--r-- | src/etc/inc/auth.inc | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index aa658f3..52a3dc3 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -883,6 +883,8 @@ function ldap_setup_caenv($authcfg) {
 		return;
 	} else {
 		$caref = lookup_ca($authcfg['ldap_caref']);
+		$param = array('caref' => $authcfg['ldap_caref']);
+		$cachain = ca_chain($param);
 		if (!$caref) {
 			log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
 			/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
@@ -895,7 +897,7 @@ function ldap_setup_caenv($authcfg) {
 		if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
 			@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
 		}
-		file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
+		file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
 		@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
 		putenv('LDAPTLS_REQCERT=hard');
 		/* XXX: Probably even the hashed link should be created for this? */
@@ -958,7 +960,7 @@ function ldap_test_bind($authcfg) {
 	ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 	if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-		if (!(ldap_start_tls($ldap))) {
+		if (!(@ldap_start_tls($ldap))) {
 			log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname));
 			@ldap_close($ldap);
 			return false;
@@ -1048,7 +1050,7 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 	ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 	if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-		if (!(ldap_start_tls($ldap))) {
+		if (!(@ldap_start_tls($ldap))) {
 			log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s."), $ldapname));
 			@ldap_close($ldap);
 			return false;
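Review bot: `ca_chain()` is called before the `if (!$caref)` guard on the next line, so the chain is assembled even when the CA lookup has just failed and the function is about to bail out; the two added lines belong after that guard so the failure branch does no extra work and `$cachain` is only built from a CA that is known to exist. `$param` is used exactly once, so `$cachain = ca_chain(array('caref' => $authcfg['ldap_caref']));` says the same in one line. ldap_setup_caenv() continues past the end of this hunk.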
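Review bot: `$cachain` is written to the `.ca` file without any check that `ca_chain()` actually produced a chain; what it returns when the chain cannot be assembled is not visible here, but if that is `false` or an empty string, `file_put_contents()` writes an empty CA file and, with `LDAPTLS_REQCERT=hard` set two lines later, every LDAPS handshake fails with a log line that never says why. The replaced `base64_decode($caref['crt'])` could not be empty once `$caref` had been verified, so this is a new failure mode. Suggest guarding the write, e.g. `if (empty($cachain)) { log_error(sprintf(gettext("LDAP: Could not build CA chain for CA reference %s."), $authcfg['ldap_caref'])); return; }`, handled the same way the existing `!$caref` branch handles a missing CA. ldap_setup_caenv() starts before this hunk.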
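Review bot: Silencing `ldap_start_tls()` with `@` also discards the only diagnostic for a failed STARTTLS, and the `log_error()` on the following line reports nothing but the server name; the same applies to the identical hunks at 1048 and 1191. Appending the library's error text keeps the log actionable, e.g. `log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s: %s"), $ldapname, ldap_error($ldap)));`, with the matching function name in each of the three messages. The enclosing ldap_test_bind() starts and ends outside this hunk.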
@@ -1191,7 +1193,7 @@ function ldap_get_groups($username, $authcfg) {
 	ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 	if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-		if (!(ldap_start_tls($ldap))) {
+		if (!(@ldap_start_tls($ldap))) {
 			log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname));
 			@ldap_close($ldap);
 			return false; |