On Debian/Ubuntu systems with separate PAM and NSS LDAP config files, offer to link them with a new button.
---- Changes since 1.410 ----
Handle new LDAP config config file path seen on Ubuntu 8.04.
+---- Changes since 1.440 ----
+Changed the LDAP client connection code to handle both pure-SSL and TLS modes, thanks to a patch from Paul R. Ganci.
line0=LDAP browser and validation settings,11
ldap_hosts=LDAP server hosts,3,From config file,50
ldap_port=LDAP server port,3,From config file,5
-ldap_tls=Use SSL connection,1,-From config file,1-Yes,0-No
+ldap_tls=Use SSL connection,1,-From config file,1-Yes,2-Yes with TLS,0-No
ldap_user=Login with username,3,From config file
ldap_pass=Login with password,3,From config file
# SSL options
print &ui_table_hr();
-if (!$uri) {
- print &ui_table_row($text{'server_ssl'},
- &ui_radio("ssl", &find_svalue("ssl", $conf),
- [ [ "start_tls", $text{'yes'} ],
- [ "", $text{'no'} ] ]));
- }
+$ssl = &find_svalue("ssl", $conf);
+$ssl = "" if ($ssl eq "no");
+print &ui_table_row($text{'server_ssl'},
+ &ui_radio("ssl", &find_svalue("ssl", $conf),
+ [ [ "yes", $text{'yes'} ],
+ [ "start_tls", $text{'server_tls'} ],
+ [ "", $text{'no'} ] ]));
print &ui_table_row($text{'server_peer'},
&ui_radio("peer", &find_svalue("tls_checkpeer", $conf),
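Review bot: The normalised `$ssl` computed on the two new lines above the radio is never used: the radio is built from a second `&find_svalue("ssl", $conf)` call, so the `"no"` → `""` mapping has no effect and a config containing `ssl no` renders with no option selected; the call should read `&ui_radio("ssl", $ssl,`. Dropping the `if (!$uri)` guard means the encryption radio is now shown even when a `uri` directive is present, and from the connection code in this commit the "Yes" choice appears to be ignored in that case because the scheme is taken from the URI — if that is intended, a short note in the row text would save users from a setting that does nothing. `$ssl` is assigned as a package global here, which matches the surrounding style but is worth a `local` if the file uses it elsewhere.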
server_none=None
server_anon=Anonymous
server_ssl=Use encrypted connection?
+server_tls=Yes, using TLS
server_peer=Verify LDAP SSL certificate?
server_def=Default (usually $1)
server_cacert=CA certificate file
ldap_elogin=Failed to bind to LDAP server $1 as $2 : $3
ldap_anon=anonymous
ldap_eparse=Could not parse the LDAP server URI $1
+ldap_etls=Failed to switch to TLS mode : $1
browser_title=LDAP Browser
browser_econn=The LDAP browser cannot be used : $1
local $conf = &get_config();
local $uri = &find_svalue("uri", $conf);
local ($ldap, $use_ssl, $err);
+local $ssl = &find_svalue("ssl", $conf);
if ($config{'ldap_hosts'}) {
# Using hosts from module config
local @hosts = split(/\s+/, $config{'ldap_hosts'});
- $use_ssl = $config{'ldap_tls'} eq '' ?
- &find_svalue("ssl", $conf) eq "start_tls" :
- $config{'ldap_tls'};
+ if ($config{'ldap_tls'} ne '') {
+ $use_ssl = $config{'ldap_tls'};
+ }
+ else {
+ $use_ssl = $ssl eq 'yes' ? 1 :
+ $ssl eq 'start_tls' ? 2 : 0;
+ }
local $port = $config{'ldap_port'} ||
&find_svalue("port", $conf) ||
- ($use_ssl ? 636 : 389);
+ ($use_ssl == 1 ? 636 : 389);
foreach $host (@hosts) {
- $ldap = Net::LDAP->new($host, port => $port);
+ $ldap = Net::LDAP->new($host, port => $port,
+ schema => $use_ssl == 2 ? 'ldaps' : 'ldap');
${$_[1]} = $host if ($_[1]);
if (!$ldap) {
$err = &text('ldap_econn',
}
else {
$err = undef;
- $use_ssl = $proto eq "ldaps" ? 1 : 0;
+ $use_ssl = $proto eq "ldaps" ? 1 :
+ $ssl eq 'start_tls' ? 2 : 0;
last;
}
}
}
else {
# Using host and port directives
- if (&find_svalue("ssl", $conf) eq "start_tls") {
- $use_ssl = 1;
- }
+ $use_ssl = $ssl eq 'yes' ? 1 :
+ $ssl eq 'start_tls' ? 2 : 0;
local @hosts = split(/[ ,]+/, &find_svalue("host", $conf));
local $port = &find_svalue("port", $conf) ||
$use_ssl ? 636 : 389;
foreach $host (@hosts) {
$ldap = Net::LDAP->new($host, port => $port,
- schema => $use_ssl ? 'ldaps' : 'ldap');
+ schema => $use_ssl == 1 ? 'ldaps' : 'ldap');
${$_[1]} = $host if ($_[1]);
if (!$ldap) {
$err = &text('ldap_econn',
}
}
}
+
+# Start TLS if configured
+if ($use_ssl == 2 && !$err) {
+ local $mesg;
+ eval { $mesg = $ldap->start_tls; };
+ if ($@ || !$mesg || $mesg->code) {
+ $err = &text('ldap_etls', $@ ? $@ : $mesg ? $mesg->error :
+ "Unknown error");
+ }
+ }
+
if ($err) {
if ($_[0]) { return $err; }
else { &error($err); }
}
-# Start TLS if configured
-if ($use_ssl) {
- # Errors are ignored, as we may already be in SSL mode
- eval { $ldap->start_tls; };
- }
-
local ($dn, $password);
local $rootbinddn = &find_svalue("rootbinddn", $conf);
if ($config{'ldap_user'}) {
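Review bot: The host-list branch selects the connection scheme with `schema => $use_ssl == 2 ? 'ldaps' : 'ldap'`, while the port default two lines above it and the host/port branch further down both test `$use_ssl == 1`; with the new encoding (1 = SSL, 2 = TLS, as config.info and the `$ssl eq 'yes' ? 1 : ... ? 2 : 0` mapping state) this sends the pure-SSL case to plain `ldap` on port 636 and wraps the start_tls case in `ldaps` before calling `start_tls`, so it should read `schema => $use_ssl == 1 ? 'ldaps' : 'ldap'`. The unchanged `local $port = &find_svalue("port", $conf) || $use_ssl ? 636 : 389;` in the host/port branch now also misfires for the new value 2, and because `||` binds tighter than `?:` it evaluates as `(port || $use_ssl) ? 636 : 389`, discarding any configured port; `local $port = &find_svalue("port", $conf) || ($use_ssl == 1 ? 636 : 389);` matches the other branch. As far as I recall Net::LDAP's constructor option is spelled `scheme`, so the `schema =>` key in both branches may be silently ignored and the "SSL" mode would then be a plain-LDAP attempt on port 636 — worth confirming against the installed Net::LDAP. Neither the ldaps connect nor the new `start_tls` call passes the `tls_checkpeer`/CA-certificate settings this module saves (Net::LDAP's `verify`/`cafile` options), so the server certificate is presumably not verified in either mode; that deserves a follow-up. The enclosing function starts and ends outside the hunk.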
&save_rootbinddn_secret($in{'rootbindpw'});
}
-if (!$uri) {
- # SSL mode
- &save_directive($conf, "ssl", $in{'ssl'} || undef);
- }
+# SSL mode
+&save_directive($conf, "ssl", $in{'ssl'} || undef);
# Check server SSL cert
&save_directive($conf, "tls_checkpeer", $in{'peer'} || undef);