
nss_ldap feature broken by changes in tls.c (ITS#1555)



Full_Name: Andrew Findlay
Version: 2.0.11
OS: Red Hat 7.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.206.98.194)


A change introduced into libraries/libldap/tls.c at revision 1.8.2.23 has broken
the tls_checkpeer functionality in nss_ldap. This is the set of config options
that allows a client machine to verify that an LDAP server is using the correct
X.509 certificate before trusting its answers.

Among the affected config options in ldap.conf are:

	tls_cacertfile
	tls_cacertdir

In terms of OpenLDAP these set the options LDAP_OPT_X_TLS_CACERTFILE and
LDAP_OPT_X_TLS_CACERTDIR, via the function ldap_pvt_tls_set_option in tls.c.

As called from recent versions of nss_ldap, the first parameter is filled in with
a pointer to the LDAP association structure. This suggests that these are
per-association parameters, which seems reasonable to me, though in fact they are
implemented as static globals.

However, ldap_pvt_tls_set_option contains code to reject calls that try to set
the CACERT options if an association pointer is provided. Thus, nss_ldap cannot
check certificates.

One workaround is to modify do_ssl_options in ldap-nss.c in nss_ldap so that it
passes NULL as the first parameter to ldap_set_option. I have tested this and it
works. However, I feel that this is the wrong solution.

It seems right to move the tls_opt_cacertfile and tls_opt_cacertdir (etc.) variables
into the per-association structure in tls.c, though this may break other programs
that assume them to be global.

An easy workaround which preserves some backwards-compatibility would be to simply
remove the test for (ld != NULL) in ldap_pvt_tls_set_option. This would allow
calling programs to supply the association structure, but would not require it
until/unless the variables are made non-global.

Andrew