LDAP TLS mode fixes

diff --git a/ldap-client/CHANGELOG b/ldap-client/CHANGELOG
index 245668e..8884dc2 100644 (file)
--- a/ldap-client/CHANGELOG
+++ b/ldap-client/CHANGELOG
@@ -7,3 +7,5 @@ Object and attribute lists in the LDAP browser are now sorted.
 On Debian/Ubuntu systems with separate PAM and NSS LDAP config files, offer to link them with a new button.
 ---- Changes since 1.410 ----
 Handle new LDAP config config file path seen on Ubuntu 8.04.
+---- Changes since 1.440 ----
+Changed the LDAP client connection code to handle both pure-SSL and TLS modes, thanks to a patch from Paul R. Ganci.

diff --git a/ldap-client/config.info b/ldap-client/config.info
index 772aa2c..f6b0500 100644 (file)
--- a/ldap-client/config.info
+++ b/ldap-client/config.info
@@ -4,6 +4,6 @@ secret=Root LDAP client password file,8
 line0=LDAP browser and validation settings,11
 ldap_hosts=LDAP server hosts,3,From config file,50
 ldap_port=LDAP server port,3,From config file,5
-ldap_tls=Use SSL connection,1,-From config file,1-Yes,0-No
+ldap_tls=Use SSL connection,1,-From config file,1-Yes,2-Yes with TLS,0-No
 ldap_user=Login with username,3,From config file
 ldap_pass=Login with password,3,From config file

diff --git a/ldap-client/edit_server.cgi b/ldap-client/edit_server.cgi
index a9e30d9..e73412e 100755 (executable)
--- a/ldap-client/edit_server.cgi
+++ b/ldap-client/edit_server.cgi
@@ -73,12 +73,13 @@ print &ui_table_row($text{'server_rootbindpw'},
 # SSL options
 print &ui_table_hr();
 
-if (!$uri) {
-       print &ui_table_row($text{'server_ssl'},
-               &ui_radio("ssl", &find_svalue("ssl", $conf),
-                         [ [ "start_tls", $text{'yes'} ],
-                           [ "", $text{'no'} ] ]));
-       }
+$ssl = &find_svalue("ssl", $conf);
+$ssl = "" if ($ssl eq "no");
+print &ui_table_row($text{'server_ssl'},
+       &ui_radio("ssl", &find_svalue("ssl", $conf),
+                 [ [ "yes", $text{'yes'} ],
+                   [ "start_tls", $text{'server_tls'} ],
+                   [ "", $text{'no'} ] ]));
 
 print &ui_table_row($text{'server_peer'},
        &ui_radio("peer", &find_svalue("tls_checkpeer", $conf),

diff --git a/ldap-client/lang/en b/ldap-client/lang/en
index 0050b3c..5d70971 100644 (file)
--- a/ldap-client/lang/en
+++ b/ldap-client/lang/en
@@ -20,6 +20,7 @@ server_same=Same as non-<tt>root</tt>
 server_none=None
 server_anon=Anonymous
 server_ssl=Use encrypted connection?
+server_tls=Yes, using TLS
 server_peer=Verify LDAP SSL certificate?
 server_def=Default (usually $1)
 server_cacert=CA certificate file
@@ -110,6 +111,7 @@ ldap_econn=Failed to connect to LDAP server $1 port $2
 ldap_elogin=Failed to bind to LDAP server $1 as $2 : $3
 ldap_anon=anonymous
 ldap_eparse=Could not parse the LDAP server URI $1
+ldap_etls=Failed to switch to TLS mode : $1
 
 browser_title=LDAP Browser
 browser_econn=The LDAP browser cannot be used : $1

diff --git a/ldap-client/ldap-client-lib.pl b/ldap-client/ldap-client-lib.pl
index 6ee5aa0..57a0f22 100644 (file)
--- a/ldap-client/ldap-client-lib.pl
+++ b/ldap-client/ldap-client-lib.pl
@@ -160,17 +160,23 @@ if ($@) {
 local $conf = &get_config();
 local $uri = &find_svalue("uri", $conf);
 local ($ldap, $use_ssl, $err);
+local $ssl = &find_svalue("ssl", $conf);
 if ($config{'ldap_hosts'}) {
        # Using hosts from module config
        local @hosts = split(/\s+/, $config{'ldap_hosts'});
-       $use_ssl = $config{'ldap_tls'} eq '' ?
-                       &find_svalue("ssl", $conf) eq "start_tls" :
-                       $config{'ldap_tls'};
+       if ($config{'ldap_tls'} ne '') {
+               $use_ssl = $config{'ldap_tls'};
+               }
+       else {
+               $use_ssl = $ssl eq 'yes' ? 1 :
+                          $ssl eq 'start_tls' ? 2 : 0;
+               }
        local $port = $config{'ldap_port'} ||
                      &find_svalue("port", $conf) ||
-                     ($use_ssl ? 636 : 389);
+                     ($use_ssl == 1 ? 636 : 389);
        foreach $host (@hosts) {
-               $ldap = Net::LDAP->new($host, port => $port);
+               $ldap = Net::LDAP->new($host, port => $port,
+                               schema => $use_ssl == 2 ? 'ldaps' : 'ldap');
                ${$_[1]} = $host if ($_[1]);
                if (!$ldap) {
                        $err = &text('ldap_econn',
@@ -202,7 +208,8 @@ elsif ($uri) {
                                }
                        else {
                                $err = undef;
-                               $use_ssl = $proto eq "ldaps" ? 1 : 0;
+                               $use_ssl = $proto eq "ldaps" ? 1 :
+                                          $ssl eq 'start_tls' ? 2 : 0;
                                last;
                                }
                        }
@@ -213,9 +220,8 @@ elsif ($uri) {
        }
 else {
        # Using host and port directives
-       if (&find_svalue("ssl", $conf) eq "start_tls") {
-               $use_ssl = 1;
-               }
+       $use_ssl = $ssl eq 'yes' ? 1 :
+                  $ssl eq 'start_tls' ? 2 : 0;
        local @hosts = split(/[ ,]+/, &find_svalue("host", $conf));
        local $port = &find_svalue("port", $conf) ||
                      $use_ssl ? 636 : 389;
@@ -223,7 +229,7 @@ else {
 
        foreach $host (@hosts) {
                $ldap = Net::LDAP->new($host, port => $port,
-                                      schema => $use_ssl ? 'ldaps' : 'ldap');
+                              schema => $use_ssl == 1 ? 'ldaps' : 'ldap');
                ${$_[1]} = $host if ($_[1]);
                if (!$ldap) {
                        $err = &text('ldap_econn',
@@ -235,17 +241,22 @@ else {
                        }
                }
        }
+
+# Start TLS if configured
+if ($use_ssl == 2 && !$err) {
+       local $mesg;
+       eval { $mesg = $ldap->start_tls; };
+       if ($@ || !$mesg || $mesg->code) {
+               $err = &text('ldap_etls', $@ ? $@ : $mesg ? $mesg->error :
+                                         "Unknown error");
+               }
+       }
+
 if ($err) {
        if ($_[0]) { return $err; }
        else { &error($err); }
        }
 
-# Start TLS if configured
-if ($use_ssl) {
-       # Errors are ignored, as we may already be in SSL mode
-       eval { $ldap->start_tls; };
-       }
-
 local ($dn, $password);
 local $rootbinddn = &find_svalue("rootbinddn", $conf);
 if ($config{'ldap_user'}) {

diff --git a/ldap-client/save_server.cgi b/ldap-client/save_server.cgi
index 1b55af9..7c0b355 100755 (executable)
--- a/ldap-client/save_server.cgi
+++ b/ldap-client/save_server.cgi
@@ -96,10 +96,8 @@ else {
        &save_rootbinddn_secret($in{'rootbindpw'});
        }
 
-if (!$uri) {
-       # SSL mode
-       &save_directive($conf, "ssl", $in{'ssl'} || undef);
-       }
+# SSL mode
+&save_directive($conf, "ssl", $in{'ssl'} || undef);
 
 # Check server SSL cert
 &save_directive($conf, "tls_checkpeer", $in{'peer'} || undef);