Re: (ITS#3791) start_tls while chasing referrals

> Hmm, this doesn't work at the moment. In this special case the
> ldap_rebind_proc of pam_ldap was fixed to start TLS on the referral when
> pam_ldap is configured to use StartTLS. This doesn't work with the current
> libldap. It errors out with LDAP_LOCAL_ERROR in ldap_start_tls_s, that's
> what this patch is supposed to fix.

As far as I can tell, StartTLS is already propagated by libldap on rebind
while chasing referrals: if you follow the path, from

request.c:ldap_new_connection() with a newly allocated Sockbuf

open.c:ldap_int_open_connection() starts TLS
        if ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
                strcmp( srv->lud_scheme, "ldaps" ) == 0 )


request.c:ldap_new_connection() calls ldap_rebind_proc().

So, ldap_rebind_proc() should start TLS only if the above test is
negative.  Since I don't expect that to be a reliable means to determine
if one should start TLS, I think a better fix would be to expose something
equivalent to ldap_pvt_tls_inplace(), something like

int
ldap_tls_inplace( LDAP *ld )
{
        Sockbuf         *sb = NULL;

        /* fetch the Sockbuf of the current connection, which is
         * what ldap_pvt_tls_inplace() inspects */
        ldap_get_option( ld, LDAP_OPT_SOCKBUF, (void *)&sb );

        return ldap_pvt_tls_inplace( sb );
}

so that a possible ldap_rebind_proc() would be

struct rebind_params {  /* client-defined, as implied by params->dn below */
        const char      *dn;
        const char      *cred;
};

int
rebind_proc( LDAP *ld, const char *url, ber_tag_t request,
        ber_int_t msgid, void *params )
{
        struct rebind_params    *p = params;

        /* start TLS only if libldap did not already do it on this connection */
        if ( !ldap_tls_inplace( ld ) ) {
                int     rc = ldap_start_tls_s( ld, NULL, NULL );
                if ( rc != LDAP_SUCCESS ) {
                        return rc;
                }
        }

        return ldap_simple_bind_s( ld, p->dn, p->cred );
}

If my analysis is correct, the LDAP library is already doing what is
expected, and both the rebind proc of the client and the proposed fix are
incorrect.  My suggestion would just ease writing a correct client.



Pierangelo Masarati
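The argument above, as an added stand-alone model that is not code from the OpenLDAP tree or from the message's author. It reproduces the control flow described in the message with toy functions (every name ending in _m is hypothetical): the library opens the referral connection and starts TLS itself for an ldaps:// URL or when the TLS mode is HARD, the client's rebind proc then runs, and a second StartTLS on a connection that already has TLS in place fails with LDAP_LOCAL_ERROR, which is the failure the reporter saw. The two rebind procs compared are the unconditional one and the "check first" one suggested in the message. In a real client the check is ldap_tls_inplace() (exported by later libldap releases) and the calls are ldap_start_tls_s() and ldap_sasl_bind_s(); the constants below are copied from ldap.h, the rest is the model's own.

```c
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS      0x00   /* as in ldap.h */
#define LDAP_LOCAL_ERROR  0x52   /* as in ldap.h */
#define TLS_MODE_NONE     0      /* model: no TLS requested via options */
#define TLS_MODE_HARD     1      /* model: stands in for LDAP_OPT_X_TLS_HARD */

/* toy connection state: whether TLS is in place and whether a bind happened */
struct conn_m {
        int     tls_inplace;
        int     bound;
};

/* result of chasing one referral: rebind proc's rc, and whether the bind
 * ended up on a TLS-protected connection */
struct result_m {
        int     rc;
        int     protected_bind;
};

/* model of open.c:ldap_int_open_connection(): the library starts TLS
 * itself for an ldaps:// URL or when the TLS mode is HARD */
static void
open_connection_m( struct conn_m *c, int tls_mode, const char *scheme )
{
        c->tls_inplace = ( tls_mode == TLS_MODE_HARD
                || strcmp( scheme, "ldaps" ) == 0 );
        c->bound = 0;
}

/* model of ldap_start_tls_s(): a second StartTLS on a connection that
 * already has TLS in place is refused with LDAP_LOCAL_ERROR */
static int
start_tls_m( struct conn_m *c )
{
        if ( c->tls_inplace ) {
                return LDAP_LOCAL_ERROR;
        }
        c->tls_inplace = 1;
        return LDAP_SUCCESS;
}

static int
simple_bind_m( struct conn_m *c )
{
        c->bound = 1;
        return LDAP_SUCCESS;
}

/* the reporter's rebind proc: always StartTLS, then bind */
static int
rebind_always_starttls_m( struct conn_m *c )
{
        int rc = start_tls_m( c );
        if ( rc != LDAP_SUCCESS ) {
                return rc;
        }
        return simple_bind_m( c );
}

/* the rebind proc suggested in the message: StartTLS only if not in place */
static int
rebind_checked_m( struct conn_m *c )
{
        if ( !c->tls_inplace ) {
                int rc = start_tls_m( c );
                if ( rc != LDAP_SUCCESS ) {
                        return rc;
                }
        }
        return simple_bind_m( c );
}

/* model of request.c:ldap_new_connection(): open the connection (which may
 * start TLS), then hand it to the client's rebind proc */
static struct result_m
chase_referral_m( int tls_mode, const char *scheme,
        int (*rebind)( struct conn_m * ) )
{
        struct conn_m   c;
        struct result_m r;

        open_connection_m( &c, tls_mode, scheme );
        r.rc = rebind( &c );
        r.protected_bind = ( c.bound && c.tls_inplace );
        return r;
}

int
main( void )
{
        struct result_m r;

        r = chase_referral_m( TLS_MODE_NONE, "ldaps", rebind_always_starttls_m );
        printf( "always StartTLS, ldaps referral: rc=0x%02x\n", r.rc );
        r = chase_referral_m( TLS_MODE_NONE, "ldaps", rebind_checked_m );
        printf( "checked, ldaps referral: rc=0x%02x protected=%d\n", r.rc, r.protected_bind );
        r = chase_referral_m( TLS_MODE_NONE, "ldap", rebind_checked_m );
        printf( "checked, ldap referral: rc=0x%02x protected=%d\n", r.rc, r.protected_bind );
        return 0;
}
```

The first run fails with 0x52 and never binds, the other two bind over TLS; the checked rebind proc starts TLS only on the plain ldap:// referral, where the library did not.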