Le samedi 2 mars 2013 09:34:32, Jason a écrit :
> I think we've already figured it out. The problem is that DSPAM currently
> only supports TLS via STARTTLS but I'm using ldaps which is a different
> protocol. I would have submitted a patch already but I currently don't
> have a Linux dev environment to do the build on (only a server which, for
> security reasons I don't want things like compilers on).

I think *you* had already figured it out ;)

> 
> All that needs to happen is the field where you specify "ldap" or
> "database" needs to also accept "ldaps" and put whatever is in that field
> as the URI scheme. Then the ldap library will do the right thing.

So here's the patch. I'll open a bug upstream to ask them to integrate it. 
Don't expect miracles though: the last commit in the upstream git repository 
was in August 2012. If nobody answers within 2 months, I might consider 
including it in Debian anyway given the small size of the patch (most of the 
diff is just increasing the indentation).

Any testing on your side would be appreciated. I can provide you with deb packages 
from my personal repository if you need them.

Best regards,

Thomas
diff --git a/src/external_lookup.c b/src/external_lookup.c
index 4f8e10e..eaf48e0 100644
--- a/src/external_lookup.c
+++ b/src/external_lookup.c
@@ -164,7 +164,7 @@ ldap_lookup(config_t agent_config, const char *username, char *external_uid)
 	struct		timeval	ldaptimeout = {.tv_sec = BIND_TIMEOUT, .tv_usec = 0};
 	int			i, rc=0, num_entries=0;
 	char		*transcoded_query = NULL;
-	char		*ldap_uri = NULL;
+	char		*ldap_uris[2] = {NULL, NULL}; // 0 = ldap, 1 = ldaps
 	char		*end_ptr;
 	char		*ldap_host = _ds_read_attribute(agent_config, "ExtLookupServer");
 	char		*port = _ds_read_attribute(agent_config, "ExtLookupPort");
@@ -249,30 +249,43 @@ ldap_lookup(config_t agent_config, const char *username, char *external_uid)
 		url.lud_port = ldap_port;
 		url.lud_scope = LDAP_SCOPE_SUBTREE;
 
-		ldap_uri = ldap_url_desc2str( &url );
-	}
+		ldap_uris[0] = ldap_url_desc2str( &url );
 
-	rc = ldap_initialize( &ld, ldap_uri );
-	if( rc != LDAP_SUCCESS ) {
-		LOG(LOG_ERR, "External Lookup: Could not create LDAP session handle for URI=%s (%d): %s\n", ldap_uri, rc, ldap_err2string(rc));
-		return NULL;
-	}
+		url.lud_scheme = "ldaps";
+		url.lud_host = ldap_host;
+		url.lud_port = ldap_port;
+		url.lud_scope = LDAP_SCOPE_SUBTREE;
 
-	if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version ) != LDAP_OPT_SUCCESS ) {
-		LOG(LOG_ERR, "External Lookup: Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", ldap_version );
-		return NULL;
+		ldap_uris[1] = ldap_url_desc2str( &url );
 	}
 
-	/* use TLS if configured */
-	if ( _ds_match_attribute(agent_config, "ExtLookupCrypto", "tls" )) {
-		if (ldap_version != 3) {
-			LOG(LOG_ERR, "External Lookup: TLS only supported with LDAP protocol version 3");
+	/* Try ldap then ldaps */
+	for (i = 0; i < 2; i++) {
+		rc = ldap_initialize( &ld, ldap_uris[i] );
+		if( rc != LDAP_SUCCESS ) {
+			LOG(LOG_ERR, "External Lookup: Could not create LDAP session handle for URI=%s (%d): %s\n", ldap_uris[i], rc, ldap_err2string(rc));
 			return NULL;
 		}
-		if ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
-			LOG(LOG_ERR, "External Lookup: %s: %s (%d)", ERR_EXT_LOOKUP_INIT_FAIL, strerror(errno), errno);
+
+		if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version ) != LDAP_OPT_SUCCESS ) {
+			LOG(LOG_ERR, "External Lookup: Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", ldap_version );
 			return NULL;
 		}
+
+		/* use TLS if configured */
+		if ( _ds_match_attribute(agent_config, "ExtLookupCrypto", "tls" )) {
+			if (ldap_version != 3) {
+				LOG(LOG_ERR, "External Lookup: TLS only supported with LDAP protocol version 3");
+				return NULL;
+			}
+			if ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
+				if (!i)
+					continue;
+				LOG(LOG_ERR, "External Lookup: %s: %s (%d)", ERR_EXT_LOOKUP_INIT_FAIL, strerror(errno), errno);
+				return NULL;
+			}
+		}
+		break;
 	}
 
 	/* schedules alarm */
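Review bot: The ldaps:// fallback added in this loop cannot actually be reached as a working path: when ExtLookupCrypto is "tls" the second iteration calls `ldap_start_tls_s` on the ldaps:// session, which is already TLS from the first byte, and OpenLDAP appears to reject StartTLS on a TLS-in-place connection, so the function still returns NULL; when ExtLookupCrypto is anything else the `break` after the first iteration means ldaps is never selected at all. The `if (!i) continue;` also abandons the handle returned by `ldap_initialize` without `ldap_unbind_ext`, and probing plaintext ldap:// before ldaps:// is the opposite of what a "use TLS" setting should do. I would select the scheme from configuration (accept `ldaps` as an ExtLookupCrypto value, as the quoted mail suggests) and only issue StartTLS for ldap://, roughly as below; the log line should also report the LDAP result via `ldap_err2string(rc)` rather than `strerror(errno)`, which ldap calls do not reliably set. ldap_lookup starts before and ends after this hunk, so whoever frees the former `ldap_uri` must now also `ldap_memfree` `ldap_uris[1]`.
```c
	/* Pick the scheme from configuration instead of probing: ldaps is TLS
	 * from the first byte, so StartTLS must only be issued on ldap://. */
	int use_ldaps = _ds_match_attribute(agent_config, "ExtLookupCrypto", "ldaps");
	int use_starttls = _ds_match_attribute(agent_config, "ExtLookupCrypto", "tls");
	char *ldap_uri = ldap_uris[use_ldaps ? 1 : 0];

	rc = ldap_initialize( &ld, ldap_uri );
	if( rc != LDAP_SUCCESS ) {
		LOG(LOG_ERR, "External Lookup: Could not create LDAP session handle for URI=%s (%d): %s\n", ldap_uri, rc, ldap_err2string(rc));
		return NULL;
	}

	/* … unchanged: LDAP_OPT_PROTOCOL_VERSION … */

	if ( use_starttls ) {
		/* … unchanged: protocol version 3 check … */
		rc = ldap_start_tls_s( ld, NULL, NULL );
		if ( rc != LDAP_SUCCESS ) {
			LOG(LOG_ERR, "External Lookup: %s: %s (%d)", ERR_EXT_LOOKUP_INIT_FAIL, ldap_err2string(rc), rc);
			ldap_unbind_ext( ld, NULL, NULL );
			return NULL;
		}
	}
```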
