Provide a more useful error message if using a Mozilla-style LDAP

SDK and you forgot to specify TLS_CERT in ldap.conf.
Todd C. Miller
2012-04-23 15:30:34 -04:00
parent ce9863358a
commit cde9f8aa12


@@ -529,32 +529,42 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
/* /*
* Mozilla-derived SDKs have a bug starting with version 5.0 * Starting with version 5.0, Mozilla-derived LDAP SDKs require
* where the path can no longer be a file name and must be a dir. * the cert and key paths to be a directory, not a file.
* If the user specified a file and it fails, try the parent dir.
*/ */
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
char *cp; bool retry = false;
if (ldap_conf.tls_certfile) { if (ldap_conf.tls_certfile != NULL) {
cp = strrchr(ldap_conf.tls_certfile, '/'); char *cp = strrchr(ldap_conf.tls_certfile, '/');
if (cp != NULL && strncmp(cp + 1, "cert", 4) == 0) if (cp != NULL && strncmp(cp + 1, "cert", 4) == 0) {
*cp = '\0'; *cp = '\0';
retry = true;
}
} }
if (ldap_conf.tls_keyfile) { if (ldap_conf.tls_keyfile != NULL) {
cp = strrchr(ldap_conf.tls_keyfile, '/'); char *cp = strrchr(ldap_conf.tls_keyfile, '/');
if (cp != NULL && strncmp(cp + 1, "key", 3) == 0) if (cp != NULL && strncmp(cp + 1, "key", 3) == 0) {
*cp = '\0'; *cp = '\0';
retry = true;
}
} }
DPRINTF(("ldapssl_clientauth_init(%s, %s)", if (retry) {
ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", DPRINTF(("ldapssl_clientauth_init(%s, %s)",
ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
if (rc != LDAP_SUCCESS) { ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
warningx(_("unable to initialize SSL cert and key db: %s"),
ldapssl_err2string(rc));
goto done;
} }
} }
if (rc != LDAP_SUCCESS) {
warningx(_("unable to initialize SSL cert and key db: %s"),
ldapssl_err2string(rc));
if (ldap_conf.tls_certfile == NULL)
warningx(_("you must set TLS_CERT in %s to use SSL"),
_PATH_LDAP_CONF);
goto done;
}
DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2); DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
if ((ld = ldapssl_init(host, port, 1)) != NULL) if ((ld = ldapssl_init(host, port, 1)) != NULL)
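Review bot: The new failure warning under `if (rc != LDAP_SUCCESS)` is reached after the retry path has already truncated `ldap_conf.tls_certfile` and `ldap_conf.tls_keyfile` in place (`*cp = '\0'` in both retry branches), so neither this message nor anything later in the function can report the path the administrator actually configured, and the message itself names no path at all. Since the truncated strings persist in `ldap_conf` past this block, that side effect is worth stating where it happens, e.g. `/* NB: truncates tls_certfile/tls_keyfile in place; the configured file name is lost after this point */` above the first `strrchr`. If the operator-facing warning is meant to be diagnosable, consider including the path that was tried alongside `ldapssl_err2string(rc)`, which only the debug-level DPRINTF currently shows. The hint about TLS_CERT fires only when the value is NULL, so a wrong (non-`cert*`/`key*`) file name still gets the generic message; that may be intended but a short comment would make it explicit. sudo_ldap_init starts before this hunk.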