nss_ldap feature broken by changes in tls.c (ITS#1555)
Full_Name: Andrew Findlay
OS: Red Hat 7.2
Submission from: (NULL) (18.104.22.168)
A change introduced into libraries/libldap/tls.c at revision 22.214.171.124 has broken
the tls_checkpeer functionality in nss_ldap. This is the set of config options
that allows a client machine to verify that an LDAP server is using the correct
X.509 certificate before trusting its answers.
Among the affected config options in ldap.conf are:
In terms of OpenLDAP these set the options LDAP_OPT_X_TLS_CACERTFILE and
LDAP_OPT_X_TLS_CACERTDIR, via the function ldap_pvt_tls_set_option in tls.c
As called from recent versions of nss_ldap, the first parameter is filled in with
a pointer to the LDAP association structure. This suggests that these are
per-association parameters, which seems reasonable to me, though in fact they are
implemented as static globals.
However, ldap_pvt_tls_set_option contains code to reject calls that try to set
the CACERT options if an association pointer is provided. Thus, nss_ldap cannot
One workaround is to modify do_ssl_options in ldap-nss.c in nss_ldap so that it
passes NULL as the first parameter to ldap_set_option. I have tested this and it
works. However, I feel that this is the wrong solution.
It seems right to move the tls_opt_cacertfile and tls_opt_cacertdir (etc)
into the per-association structure in tls.c though this may break other
that assume them to be global.
An easy workaround which preserves some backwards-compatibility would be to
remove the test for (ld != NULL) in ldap_pvt_tls_set_option. This would allow
calling programs to supply the association structure, but would not require it
until/unless the variables are made non-global.