authorjim-p <jimp@pfsense.org>2017-08-30 14:07:35 -0400
committerjim-p <jimp@pfsense.org>2017-08-30 14:07:35 -0400
commitff500c90646c8db5abe77d7efb02c7d191df6902 (patch)
treedf5109e40d66e84acb32b29afbf41fb8d4ff00bc /src
parentca44a37cad5e905e3a76b6ce862de6ec5d3bcb06 (diff)
downloadpfsense-ff500c90646c8db5abe77d7efb02c7d191df6902.zip
pfsense-ff500c90646c8db5abe77d7efb02c7d191df6902.tar.gz
Use the full CA chain when sending an LDAP SSL query. Fixes #7830
While here, fix a couple more ldap_start_tls() calls that need a preceding @.
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/auth.inc10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index aa658f3..52a3dc3 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -883,6 +883,8 @@ function ldap_setup_caenv($authcfg) {
return;
} else {
$caref = lookup_ca($authcfg['ldap_caref']);
+ $param = array('caref' => $authcfg['ldap_caref']);
+ $cachain = ca_chain($param);
if (!$caref) {
log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
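Review bot: `$cachain = ca_chain($param);` is computed above the `if (!$caref)` guard and is never validated, so the chain lookup runs even when the CA reference cannot be resolved, and nothing visible here catches an empty result before the later hunk writes it to the `.ca` file. Moving the two added lines below the guard and adding a check such as `if (empty($cachain)) { log_error(gettext("LDAP: Could not build CA chain.")); return; }` would keep a broken chain from becoming the trust file; the failure path should do whatever the existing `!$caref` branch does, which is cut off in this hunk. Presumably `ca_chain()` returns already-decoded PEM text, since the `base64_decode()` is dropped in the next hunk; that is worth confirming, because a still-encoded chain would make every verified LDAP TLS connection fail. `ldap_setup_caenv()` starts and ends outside the hunk.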
@@ -895,7 +897,7 @@ function ldap_setup_caenv($authcfg) {
if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
}
- file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
+ file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
putenv('LDAPTLS_REQCERT=hard');
/* XXX: Probably even the hashed link should be created for this? */
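Review bot: The return value of `file_put_contents(..., $cachain)` is ignored, yet `putenv('LDAPTLS_REQCERT=hard')` follows unconditionally. If the write fails or is short, verification is still enforced against a missing or truncated CA file, and the only symptom is a generic TLS failure at bind time. Checking the result, e.g. `if (file_put_contents($cafile, $cachain) === false) { log_error(gettext("LDAP: Could not write CA chain file.")); }`, would make that case diagnosable; failing closed here is the right outcome, it just needs a log line. Building the path once into a local such as `$cafile` would also remove the four repeated interpolations in this block.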
@@ -958,7 +960,7 @@ function ldap_test_bind($authcfg) {
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
- if (!(ldap_start_tls($ldap))) {
+ if (!(@ldap_start_tls($ldap))) {
log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname));
@ldap_close($ldap);
return false;
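Review bot: With the PHP warning now suppressed by `@`, the `log_error()` line is the only record of a STARTTLS failure, and it names the server but not the reason. Since this commit changes which CA certificates are trusted, certificate-verification failures are the likely cause, so appending the library error would help, e.g. `log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname) . " " . ldap_error($ldap));`. The same applies to the identical changes in `ldap_get_user_ous()` and `ldap_get_groups()` in the two hunks below. Returning false on failure rather than continuing without TLS is correct and should stay; the function bodies extend beyond these hunks.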
@@ -1048,7 +1050,7 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
- if (!(ldap_start_tls($ldap))) {
+ if (!(@ldap_start_tls($ldap))) {
log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s."), $ldapname));
@ldap_close($ldap);
return false;
@@ -1191,7 +1193,7 @@ function ldap_get_groups($username, $authcfg) {
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
- if (!(ldap_start_tls($ldap))) {
+ if (!(@ldap_start_tls($ldap))) {
log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname));
@ldap_close($ldap);
return false;