authorArthur de Jong <arthur@arthurdejong.org>2008-12-06 16:58:04 +0000
committerArthur de Jong <arthur@arthurdejong.org>2008-12-06 16:58:04 +0000
commite783e175116ae0f7093ae5822ca4950039a7be75 (patch)
tree5996c56c0ea7606a362d635d1fa85b345ae95534
parentc0f408747204aba0050d4545b7da90ea7961063d (diff)
rename the tls_checkpeer option to tls_reqcert, deprecating the old name and supporting all options that OpenLDAP supports for that value
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd@805 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--man/nss-ldapd.conf.5.xml23
-rw-r--r--nslcd/cfg.c37
-rw-r--r--nslcd/cfg.h2
-rw-r--r--nslcd/myldap.c7
-rw-r--r--nss-ldapd.conf19
5 files changed, 51 insertions, 37 deletions
diff --git a/man/nss-ldapd.conf.5.xml b/man/nss-ldapd.conf.5.xml
index 95cbd1e..a0ff7c4 100644
--- a/man/nss-ldapd.conf.5.xml
+++ b/man/nss-ldapd.conf.5.xml
@@ -503,19 +503,16 @@
</varlistentry>
<varlistentry>
- <term><option>tls_checkpeer</option> yes|no</term>
- <listitem>
- <para>
- Specifies whether to require and verify the server certificate
- or not, when using <acronym>SSL</acronym>/<acronym>TLS</acronym>
- with the OpenLDAP client library.
- The default is to use the default behaviour of the client
- library; for OpenLDAP 2.0 and earlier it is "no", for OpenLDAP
- 2.1 and later it is "yes". At least one of
- <option>tls_cacertdir</option>
- and
- <option>tls_cacertfile</option>
- is required if peer verification is enabled.
+ <term><option>tls_reqcert</option> never|allow|try|demand|hard</term>
+ <listitem>
+ <para>
+ Specifies what checks to perform on a server-supplied certificate.
+ The meaning of the values is described in the
+ <citerefentry><refentrytitle>ldap.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ manual page.
+ At least one of <option>tls_cacertdir</option> and
+ <option>tls_cacertfile</option> is required if peer verification is
+ enabled.
</para>
</listitem>
</varlistentry>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 50ecc99..97ddf5f 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -98,7 +98,7 @@ static void cfg_defaults(struct ldap_config *cfg)
cfg->ldc_reconnect_maxsleeptime=30;
#ifdef LDAP_OPT_X_TLS
cfg->ldc_ssl_on=SSL_OFF;
- cfg->ldc_tls_checkpeer=-1;
+ cfg->ldc_tls_reqcert=-1;
cfg->ldc_tls_cacertdir=NULL;
cfg->ldc_tls_cacertfile=NULL;
cfg->ldc_tls_randfile=NULL;
@@ -453,6 +453,33 @@ static void get_gid(const char *filename,int lnr,
exit(EXIT_FAILURE);
}
+static void get_reqcert(const char *filename,int lnr,
+ const char *keyword,char **line,
+ int *var)
+{
+ char token[16];
+ /* get token */
+ check_argumentcount(filename,lnr,keyword,get_token(line,token,sizeof(token))!=NULL);
+ /* check if it is a valid value for tls_reqcert option */
+ if ( (strcasecmp(token,"never")==0) ||
+ (strcasecmp(token,"no")==0) )
+ *var=LDAP_OPT_X_TLS_NEVER;
+ else if (strcasecmp(token,"allow")==0)
+ *var=LDAP_OPT_X_TLS_ALLOW;
+ else if (strcasecmp(token,"try")==0)
+ *var=LDAP_OPT_X_TLS_TRY;
+ else if ( (strcasecmp(token,"demand")==0) ||
+ (strcasecmp(token,"yes")==0) )
+ *var=LDAP_OPT_X_TLS_DEMAND;
+ else if (strcasecmp(token,"hard")==0)
+ *var=LDAP_OPT_X_TLS_HARD;
+ else
+ {
+ log_log(LOG_ERR,"%s:%d: %s: invalid argument: '%s'",filename,lnr,keyword,token);
+ exit(EXIT_FAILURE);
+ }
+}
+
static void parse_krb5_ccname_statement(const char *filename,int lnr,
const char *keyword,char *line)
{
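Review bot: get_reqcert references the LDAP_OPT_X_TLS_* constants unconditionally, while the ldc_tls_reqcert default earlier in this file sits under `#ifdef LDAP_OPT_X_TLS`; if cfg.c is meant to build against a libldap without TLS support, this function needs the same guard (or a stub), otherwise the build breaks there. If the tls_* keyword handlers in cfg_read are already compiled unconditionally this is consistent and can be ignored. The `yes`/`no` aliases exist only to keep the deprecated tls_checkpeer spelling working and that is worth saying, e.g. `/* "no"/"yes" kept so the deprecated tls_checkpeer values still parse */` above the first strcasecmp. The token buffer is bounded by `sizeof(token)` and the rejected value is logged through a fixed format string, so the error path itself looks fine.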
@@ -820,8 +847,14 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
}
else if (strcasecmp(keyword,"tls_checkpeer")==0)
{
+ log_log(LOG_WARNING,"%s:%d: option %s is deprecated (and will be removed in an upcoming release), use tls_reqcert instead",filename,lnr,keyword);
+ get_reqcert(filename,lnr,keyword,&line,&cfg->ldc_tls_reqcert);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"tls_reqcert")==0)
+ {
log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_boolean(filename,lnr,keyword,&line,&cfg->ldc_tls_checkpeer);
+ get_reqcert(filename,lnr,keyword,&line,&cfg->ldc_tls_reqcert);
get_eol(filename,lnr,keyword,&line);
}
else if (strcasecmp(keyword,"tls_cacertdir")==0)
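Review bot: The deprecated tls_checkpeer path now parses its argument with get_reqcert instead of get_boolean, so any boolean spelling get_boolean accepted but get_reqcert does not (for instance `true`/`on`/`1`, if those were accepted — get_boolean is outside this hunk) now makes nslcd exit at startup with "invalid argument", although the warning says the option still works. Either keep parsing it as a boolean and map the result (`get_boolean(filename,lnr,keyword,&line,&b);` then `cfg->ldc_tls_reqcert=b?LDAP_OPT_X_TLS_DEMAND:LDAP_OPT_X_TLS_NEVER;`), or state the accepted values in the deprecation warning. As written the deprecated keyword also silently accepts allow/try/hard, which is harmless but undocumented. cfg_read begins and ends outside this hunk.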
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 31258d5..e55b0e8 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -121,7 +121,7 @@ struct ldap_config
/* SSL enabled */
enum ldap_ssl_options ldc_ssl_on;
/* tls check peer */
- int ldc_tls_checkpeer;
+ int ldc_tls_reqcert;
/* tls ca certificate dir */
char *ldc_tls_cacertdir;
/* tls ca certificate file */
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 10bda00..3790d0a 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -516,11 +516,10 @@ static int do_set_options(MYLDAP_SESSION *session)
{
LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_CACERTDIR,nslcd_cfg->ldc_tls_cacertdir);
}
- /* require cert? */
- if (nslcd_cfg->ldc_tls_checkpeer>-1)
+ /* require cert? (certificate validation) */
+ if (nslcd_cfg->ldc_tls_reqcert>=0)
{
- i=nslcd_cfg->ldc_tls_checkpeer?LDAP_OPT_X_TLS_DEMAND:LDAP_OPT_X_TLS_NEVER;
- LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_REQUIRE_CERT,&i);
+ LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_REQUIRE_CERT,&nslcd_cfg->ldc_tls_reqcert);
}
/* set cipher suite, certificate and private key */
if (nslcd_cfg->ldc_tls_ciphers!=NULL)
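Review bot: The new condition `ldc_tls_reqcert>=0` relies on -1 meaning "not set in nslcd.conf", and the security consequence — libldap's own default (the TLS_REQCERT setting in ldap.conf, per the removed sample-config text) then decides whether the server certificate is verified at all — is not stated in the code; add `/* -1: not configured, leave libldap's default (TLS_REQCERT in ldap.conf) in effect */` above the if. Passing `&nslcd_cfg->ldc_tls_reqcert` straight into LDAP_SET_OPTION is fine provided the macro does not need a non-const pointer; if nslcd_cfg is const-qualified, copying into a local `i` as the old code did avoids the warning. do_set_options starts before this hunk.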
diff --git a/nss-ldapd.conf b/nss-ldapd.conf
index a7bcb07..94d6898 100644
--- a/nss-ldapd.conf
+++ b/nss-ldapd.conf
@@ -50,26 +50,11 @@ base dc=example,dc=net
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+# Use StartTLS without verifying the server certificate.
#ssl start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is to use libldap's default behavior, which can be configured in
-# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
-# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-#tls_checkpeer yes
+#tls_reqcert never
# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
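Review bot: The rewritten StartTLS example now illustrates `tls_reqcert never`, i.e. StartTLS with server certificate verification disabled, which leaves the connection open to an active attacker presenting any certificate; the shipped sample should show the secure setting and leave disabling verification to users who have read ldap.conf(5). Suggest `# Use StartTLS and verify the server certificate against the CA below`, `#tls_reqcert demand`, and restoring the cross-reference dropped from the CA lines as `# At least one of these is required if tls_reqcert is demand or hard`, since without it nothing in the sample ties tls_cacertdir/tls_cacertfile to verification. The removed text also explained that the default comes from libldap's TLS_REQCERT; a one-line mention of that would keep the sample self-explanatory.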