Module Name:    src
Committed By:   bouyer
Date:           Wed Nov 25 18:11:00 UTC 2020

Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
            isakmp_xauth.c isakmp_xauth.h racoon.conf.5

Log Message:
Add ldap parameters debug and timeout.
Fix bug when using URI (use correct len for malloc)
Document the ldap parameters uri, debug and timeout.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.32 -r1.33 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.9 -r1.10 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.68 -r1.69 \
    src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.53 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -296,7 +296,7 @@ static const char error_message_dpd_not_
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_DEBUG LDAP_TIMEOUT LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,24 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_DEBUG NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.debug = $2;
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_TIMEOUT NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.timeout = $2;
+#endif
+#endif
+		}
+		EOS
 	|	LDAP_URI QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID
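Review bot: The new actions `xauth_ldap_config.debug = $2;` and `xauth_ldap_config.timeout = $2;` store the parsed NUMBER into `int` members with no range check, so an out-of-range value in racoon.conf is silently truncated (NUMBER appears to be a wider integer type in this grammar; its declaration is not in the hunk). Because `timeout` later becomes a `tv_sec` and `debug` is passed straight to the LDAP library, a check such as `if ($2 > INT_MAX) yyerror("ldap timeout out of range");` in each action, followed by whatever error return the neighbouring numeric statements use, would surface the mistake at parse time instead. The `ldapcfg_stmt` rule continues outside the hunk.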

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.29 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -224,6 +224,8 @@ hexstring	0x{hexdigit}+
 <S_INI>ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 <S_LDAP>{bcl}		{ return(BOC); }
 <S_LDAP>version		{ YYD; return(LDAP_PVER); }
+<S_LDAP>debug		{ YYD; return(LDAP_DEBUG); }
+<S_LDAP>timeout		{ YYD; return(LDAP_TIMEOUT); }
 <S_LDAP>uri		{ YYD; return(LDAP_URI); }
 <S_LDAP>host		{ YYD; return(LDAP_HOST); }
 <S_LDAP>port		{ YYD; return(LDAP_PORT); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.33
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.33 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -803,6 +803,8 @@ xauth_ldap_init_conf(void)
 	int error = -1;
 
 	xauth_ldap_config.pver = 3;
+	xauth_ldap_config.debug = 0;
+	xauth_ldap_config.timeout = -1;
 	xauth_ldap_config.uri = NULL;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
@@ -896,7 +898,7 @@ xauth_login_ldap(iph1, usr, pwd)
 	atlist[2] = NULL;
 
 	if (xauth_ldap_config.uri != NULL) {
-		tmplen = strlen(xauth_ldap_config.host->v);
+		tmplen = strlen(xauth_ldap_config.uri->v);
 		init = racoon_malloc(tmplen);
 		if (init == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
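Review bot: `init = racoon_malloc(tmplen);` with `tmplen = strlen(xauth_ldap_config.uri->v);` reserves no byte for the terminating NUL, yet `init` is later used as a C string (the `"ldap URI: %s\n"` plog further down). If the URI is copied into `init` together with its terminator — the copy statement is outside this hunk — that write lands one byte past the allocation, so the corrected source string should come with `tmplen = strlen(xauth_ldap_config.uri->v) + 1;`. Worth confirming against the copy statement before merging; `xauth_login_ldap` begins and ends outside the hunk.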
@@ -918,6 +920,9 @@ xauth_login_ldap(iph1, usr, pwd)
 			xauth_ldap_config.host->v,
 			xauth_ldap_config.port );
 	}
+	/* initialize the debug level */
+	ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
+	ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
 
 	plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
 	/* initialize the ldap handle */
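Review bot: The two global debug-level calls `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, ...)` and `ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, ...)` discard their return values, unlike the handle-level `ldap_set_option` calls below, which compare against `LDAP_OPT_SUCCESS` and log on failure, so a rejected level goes unnoticed. Either check them the same way, or make the discard explicit, e.g. `(void)ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);` and likewise for `ber_set_option`. These are process-global library settings, and placing them in `xauth_login_ldap` re-applies them on every authentication; setting them once after the configuration is loaded seems the more natural home, though the call sites are outside this hunk. `xauth_login_ldap` continues outside the hunk.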
@@ -933,12 +938,26 @@ xauth_login_ldap(iph1, usr, pwd)
 	if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		&xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			"LDAP_OPT_PROTOCOL_VERSION %s failed: %s\n",
+			"LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",
 			xauth_ldap_config.pver,
 			ldap_err2string(res));
 		goto ldap_end;
 	}
-		
+
+	if (xauth_ldap_config.timeout > 0) {
+		static struct timeval timeout;
+		timeout.tv_sec = xauth_ldap_config.timeout;
+		timeout.tv_usec = 0;
+		if ((res = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
+			(void *)&timeout)) != LDAP_OPT_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+				"LDAP_OPT_NETWORK_TIMEOUT %d failed: %s\n",
+				xauth_ldap_config.timeout,
+				ldap_err2string(res));
+			goto ldap_end;
+		}
+	}
+
 	/* Enable TLS */
 	if (xauth_ldap_config.tls) {
 		res = ldap_start_tls_s(ld, NULL, NULL);
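Review bot: `static struct timeval timeout;` gives a per-call value static storage for no visible reason: the struct is fully rewritten on each call, and with OpenLDAP `LDAP_OPT_NETWORK_TIMEOUT` copies the timeval into the handle, so a plain automatic `struct timeval timeout = { xauth_ldap_config.timeout, 0 };` suffices (confirm the copy semantics if another libldap is in use). The `(void *)` cast on `&timeout` is also unnecessary, since `ldap_set_option` takes a `const void *` in OpenLDAP. The `> 0` guard means a configured `timeout 0` is silently treated as unset rather than rejected; if that is intended, a comment such as `/* <= 0: keep the library's default network timeout */` would spare the next reader a trip to the parser. `xauth_login_ldap` continues outside the hunk.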

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.10
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.9	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.h,v 1.9 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: isakmp_xauth.h,v 1.10 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /*	$KAME$ */
 
@@ -158,6 +158,8 @@ int xauth_login_radius(struct ph1handle 
 
 struct xauth_ldap_config {
 	int		pver;
+	int		debug;
+	int		timeout;
 	vchar_t 	*uri;
 	vchar_t 	*host;
 	int		port;
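Review bot: The new `debug` and `timeout` members carry no comment on their units or sentinel value, and their meaning is only recoverable from isakmp_xauth.c (`timeout` is written into a `tv_sec`, initialised to -1 and applied only when `> 0`; `debug` is handed to `LDAP_OPT_DEBUG_LEVEL`). Suggest `int debug; /* LDAP_OPT_DEBUG_LEVEL; 0 = off */` and `int timeout; /* network timeout in seconds; <= 0 leaves the library default */`. The struct definition continues outside the hunk.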

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.68 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.69
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.68	Sat Oct 13 15:38:28 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.68 2018/10/13 15:38:28 maxv Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.69 2020/11/25 18:11:00 bouyer Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd October 13, 2018
+.Dd November 25, 2020
 .Dt RACOON.CONF 5
 .Os
 .\"
@@ -1349,6 +1349,14 @@ The default is
 The port that the ldap server is configured to listen on.
 The default is
 .Ic 389 .
+.It Ic uri Ar (ldapuri) ;
+URI(s) referring to the ldap server(s); a list of URI, separated by
+whitespace or commas.
+It takes precedence over
+.Ic host/port .
+.It Ic timeout Ar (number) ;
+network timeout connecting to the ldap server(s).
+The default is the default connect timeout from the underlying protocol.
 .It Ic tls (on | off) ;
 Use TLS with the ldap server.
 The default is
@@ -1393,6 +1401,9 @@ The default value is
 The attribute used to specify group membership in an ldap directory.
 The default value is
 .Ic member .
+.It Ic debug Ar (number) ;
+Set ldap debug level.
+The default value is 0.
 .El
 .El
 .Ss Radius configuration settings
