
nss-pam-ldapd branch master updated. 0.9.11-9-g78c00f1


nss-pam-ldapd branch master updated. 0.9.11-9-g78c00f1



This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".

The branch, master has been updated
       via  78c00f172ea4d4fd244db7f91ca7eb101efe2038 (commit)
      from  d55bdb2cff8d62f99dc186165cff552f796fdfd5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=78c00f172ea4d4fd244db7f91ca7eb101efe2038

commit 78c00f172ea4d4fd244db7f91ca7eb101efe2038
Author: sebastienblavier <72022031+sebastienblavier@users.noreply.github.com>
Date:   Mon Jan 18 22:41:08 2021 +0100

    Add tls_crlcheck to check Certificate Revocation List
    
    This option is passed to the LDAP library if it is supported.
    
    Closes https://github.com/arthurdejong/nss-pam-ldapd/pull/41

diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 4e81645..8310718 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -656,6 +656,19 @@
      </listitem>
     </varlistentry>
 
+    <varlistentry id="tls_crlcheck"> <!-- since 0.9.12 -->
+     <term><option>tls_crlcheck</option> 
<replaceable>none|peer|all</replaceable></term>
+     <listitem>
+      <para>
+       Specifies if the Certificate Revocation List (CRL) of the CA should
+       be used to verify if the server certificates have not been revoked.
+       The meaning of the values is described in the
+       
<citerefentry><refentrytitle>ldap.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+       manual page.
+      </para>
+     </listitem>
+    </varlistentry>
+
    </variablelist>
   </refsect2>
 
diff --git a/nslcd.conf b/nslcd.conf
index 7b1bcf3..d45b57c 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -66,6 +66,9 @@ base dc=example,dc=com
 #tls_cacertdir /etc/ssl/certs
 #tls_cacertfile /etc/ssl/ca.cert
 
+# Certificate Revocation List (CRL), requires TLS_CACERTDIR parameter to be set
+#tls_crlcheck all
+
 # Seed the PRNG if /dev/urandom is not provided
 #tls_randfile /var/run/egd-pool
 
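Review bot: The comment above the new `#tls_crlcheck all` example says it "requires TLS_CACERTDIR", which is the ldap.conf(5) spelling; in this file the option is `tls_cacertdir` (two lines above), so the cross-reference should use that name or an administrator will grep for the wrong keyword. Two things an example that enables `all` should also say: the CRLs have to be present in that directory in hashed form, and a CRL that cannot be found makes the TLS handshake fail rather than being skipped, so enabling it on a host without CRLs takes nslcd offline; and, per ldap.conf(5), the setting is documented as ignored when libldap uses the GnuTLS backend, in which case no revocation check happens at all. Suggested wording: `# Check the server certificate (peer) or the whole chain (all) against CRLs. Needs the CRL files in tls_cacertdir (hashed); a missing CRL fails the connection. Only honoured by the OpenSSL backend of libldap.`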
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 404ffda..b00546c 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -885,6 +885,45 @@ static const char *print_tls_reqcert(int value)
     default:                    return "???";
   }
 }
+
+#ifdef LDAP_OPT_X_TLS_CRLCHECK
+static void handle_tls_crlcheck(const char *filename, int lnr,
+                               const char *keyword, char *line)
+{
+  char token[16];
+  int value, rc;
+  /* get token */
+  check_argumentcount(filename, lnr, keyword,
+                      get_token(&line, token, sizeof(token)) != NULL);
+  get_eol(filename, lnr, keyword, &line);
+  /* check if it is a valid value for tls_crlcheck option */
+  if (strcasecmp(token, "none") == 0)
+    value = LDAP_OPT_X_TLS_CRL_NONE;
+  else if (strcasecmp(token, "peer") == 0)
+    value = LDAP_OPT_X_TLS_CRL_PEER;
+  else if (strcasecmp(token, "all") == 0)
+    value = LDAP_OPT_X_TLS_CRL_ALL;
+  else
+  {
+    log_log(LOG_ERR, "%s:%d: %s: invalid argument: '%s'",
+            filename, lnr, keyword, token);
+    exit(EXIT_FAILURE);
+  }
+  log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CRLCHECK,%s)", token);
+  LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CRLCHECK, &value);
+}
+
+static const char *print_tls_crlcheck(int value)
+{
+  switch (value)
+  {
+    case LDAP_OPT_X_TLS_CRL_NONE:  return "none";
+    case LDAP_OPT_X_TLS_CRL_PEER:  return "peer";
+    case LDAP_OPT_X_TLS_CRL_ALL:   return "all";
+    default:                       return "???";
+  }
+}
+#endif /* LDAP_OPT_X_TLS_CRLCHECK */
 #endif /* LDAP_OPT_X_TLS */
 
 /* this function modifies the line argument passed */
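Review bot: handle_tls_crlcheck accepts `peer` and `all` on any libldap that defines LDAP_OPT_X_TLS_CRLCHECK and sets the option with LDAP_SET_OPTION without further checks, but ldap.conf(5) documents TLS_CRLCHECK as ignored by the GnuTLS backend, so on such a build the setting is accepted silently and no revocation check ever happens — the administrator loses exactly the protection they configured, with nothing in the log to show it. Since this handler runs once at startup it is the right place to warn: after the value is mapped and before LDAP_SET_OPTION, query the TLS implementation where libldap exposes LDAP_OPT_X_TLS_PACKAGE and log a warning when the value is not `none` and the backend is GnuTLS (the exact package strings should be confirmed against the libldap headers in use). A header comment on the function would also help the next reader, e.g. `/* tls_crlcheck: CRL checking needs the CRLs in tls_cacertdir (hashed); a CRL that cannot be found makes the TLS handshake fail */`. The surrounding #ifdef LDAP_OPT_X_TLS region starts before this hunk.
```c
  /* … unchanged: token parsing and mapping of none/peer/all to value … */
#ifdef LDAP_OPT_X_TLS_PACKAGE
  /* the CRL check is documented as ignored by the GnuTLS backend; warn
     instead of silently accepting a setting that will not be enforced */
  if (value != LDAP_OPT_X_TLS_CRL_NONE)
  {
    char *package = NULL;
    if ((ldap_get_option(NULL, LDAP_OPT_X_TLS_PACKAGE, &package) == LDAP_SUCCESS) &&
        (package != NULL))
    {
      if (strcmp(package, "GnuTLS") == 0)
        log_log(LOG_WARNING, "%s:%d: %s: ignored by the %s backend of libldap, "
                "server certificates will not be checked against CRLs",
                filename, lnr, keyword, package);
      ldap_memfree(package);
    }
  }
#endif /* LDAP_OPT_X_TLS_PACKAGE */
  log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CRLCHECK,%s)", token);
  LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CRLCHECK, &value);
```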
@@ -1560,6 +1599,12 @@ static void cfg_read(const char *filename, struct 
ldap_config *cfg)
       LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_KEYFILE, value);
       free(value);
     }
+#ifdef LDAP_OPT_X_TLS_CRLCHECK
+    else if (strcasecmp(keyword, "tls_crlcheck") == 0)
+    {
+      handle_tls_crlcheck(filename, lnr, keyword, line);
+    }
+#endif /* LDAP_OPT_X_TLS_CRLCHECK */
 #endif /* LDAP_OPT_X_TLS */
     /* other options */
     else if (strcasecmp(keyword, "pagesize") == 0)
@@ -1851,6 +1896,13 @@ static void cfg_dump(void)
   LOG_LDAP_OPT_STRING("tls_ciphers", LDAP_OPT_X_TLS_CIPHER_SUITE);
   LOG_LDAP_OPT_STRING("tls_cert", LDAP_OPT_X_TLS_CERTFILE);
   LOG_LDAP_OPT_STRING("tls_key", LDAP_OPT_X_TLS_KEYFILE);
+#ifdef LDAP_OPT_X_TLS_CRLCHECK
+  rc = ldap_get_option(NULL, LDAP_OPT_X_TLS_CRLCHECK, &i);
+  if (rc != LDAP_SUCCESS)
+    log_log(LOG_DEBUG, "CFG: # tls_crlcheck ERROR: %s", ldap_err2string(rc));
+  else
+    log_log(LOG_DEBUG, "CFG: tls_crlcheck %s", print_tls_crlcheck(i));
+#endif /* LDAP_OPT_X_TLS_CRLCHECK */
 #endif /* LDAP_OPT_X_TLS */
   log_log(LOG_DEBUG, "CFG: pagesize %d", nslcd_cfg->pagesize);
   if (nslcd_cfg->nss_initgroups_ignoreusers != NULL)

-----------------------------------------------------------------------

Summary of changes:
 man/nslcd.conf.5.xml | 13 +++++++++++++
 nslcd.conf           |  3 +++
 nslcd/cfg.c          | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)


hooks/post-receive
-- 
nss-pam-ldapd