From ff500c90646c8db5abe77d7efb02c7d191df6902 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 30 Aug 2017 14:07:35 -0400
Subject: Use the full CA chain when sending an LDAP SSL query. Fixes #7830

While here, fix a couple more ldap_start_tls() calls that need a preceding @.
---
 src/etc/inc/auth.inc | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index aa658f3..52a3dc3 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -883,6 +883,8 @@ function ldap_setup_caenv($authcfg) {
 return;
 } else {
 $caref = lookup_ca($authcfg['ldap_caref']);
+$param = array('caref' => $authcfg['ldap_caref']);
+$cachain = ca_chain($param);
 if (!$caref) {
 log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
 /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
@@ -895,7 +897,7 @@ function ldap_setup_caenv($authcfg) {
 if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
 @unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
 }
-file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
+file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
 @chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
 putenv('LDAPTLS_REQCERT=hard');
 /* XXX: Probably even the hashed link should be created for this? */
@@ -958,7 +960,7 @@ function ldap_test_bind($authcfg) {
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 
 if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-if (!(ldap_start_tls($ldap))) {
+if (!(@ldap_start_tls($ldap))) {
 log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname));
 @ldap_close($ldap);
 return false;
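Review bot: The new `ca_chain($param)` call runs before the `if (!$caref)` guard that follows it, so when the CA reference does not resolve the chain builder is still invoked with the same bad ref and whatever it returns is silently kept in `$cachain`. I would move the two added lines below that guard (its closing brace lies past the end of this hunk) so the chain is only built for a CA that actually resolved, and drop the throwaway array variable: `$cachain = ca_chain(array('caref' => $authcfg['ldap_caref']));`. The file write that consumes `$cachain` is in the next hunk, and ldap_setup_caenv() both starts and ends outside this one.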
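Review bot: The replaced `file_put_contents(..., $cachain)` line writes whatever `ca_chain()` returned without checking that it is non-empty or that the write succeeded, so a failed chain lookup leaves an empty `.ca` file under `varrun_path/certs`. Because `LDAPTLS_REQCERT=hard` is set two lines later, an empty or unreadable CA file should make the TLS handshake fail closed rather than open, which is the right direction, but the callers then only report a generic STARTTLS or bind failure. A check before the write would make the real cause visible: `if (empty($cachain)) { log_error(sprintf(gettext("LDAP: Empty CA chain for reference %s."), $caref['refid'])); }`, and the boolean returned by `file_put_contents()` deserves the same treatment. Whether ca_chain() yields PEM text the LDAP client library accepts is not visible in this diff and is worth confirming; ldap_setup_caenv() continues beyond this hunk.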
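Review bot: Prefixing `ldap_start_tls($ldap)` with `@` silences the PHP warning that carried the reason for the failure, typically the certificate-verification error, while the `log_error()` on the following line records only the server name. Since this is exactly the path exercised by the CA-chain change above, losing that detail makes a bad or incomplete chain hard to diagnose from the logs. I would append the client-side error text to the message, for example `log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s: %s"), $ldapname, ldap_error($ldap)));`, and where the PHP build supports it `ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag)` presumably gives the fuller OpenSSL reason. ldap_test_bind() starts and ends outside this hunk.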
@@ -1048,7 +1050,7 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 
 if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-if (!(ldap_start_tls($ldap))) {
+if (!(@ldap_start_tls($ldap))) {
 log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s."), $ldapname));
 @ldap_close($ldap);
 return false;
@@ -1191,7 +1193,7 @@ function ldap_get_groups($username, $authcfg) {
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
 
 if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
-if (!(ldap_start_tls($ldap))) {
+if (!(@ldap_start_tls($ldap))) {
 log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname));
 @ldap_close($ldap);
 return false;
-- 
cgit v1.1
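Review bot: The `@ldap_start_tls($ldap)` change in ldap_get_user_ous() discards the warning that explained why STARTTLS failed, and the `log_error()` beneath it names only the server, so a certificate-chain problem surfaces as an opaque "could not STARTTLS" entry. The ldap_get_groups() hunk further down makes the identical change and has the same gap. In both places I would carry the client error into the message, `log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s: %s"), $ldapname, ldap_error($ldap)));`, so operators can tell a verification failure from a connectivity one. Both enclosing functions start before and end after their hunks.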