nss-pam-ldapd branch master updated. 0.9.11-11-gd9710a2
nss-pam-ldapd branch master updated. 0.9.11-11-gd9710a2
- From: Commits of the nss-pam-ldapd project <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org, nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd branch master updated. 0.9.11-11-gd9710a2
- Date: Sat, 23 Jan 2021 16:52:22 +0100 (CET)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".
The branch, master has been updated
via d9710a242d5997c0f4abac5251a4ded44381c44b (commit)
via 026f08c6ad794657e516cd97a5cadbf98b92ecaa (commit)
from 78c00f172ea4d4fd244db7f91ca7eb101efe2038 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d9710a242d5997c0f4abac5251a4ded44381c44b
commit d9710a242d5997c0f4abac5251a4ded44381c44b
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sat Jan 23 16:34:17 2021 +0100
Add tls_reqsan to check certificate SAN
This option is passed to the LDAP library if it is supported.
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index c88882a..5a61f11 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -656,6 +656,19 @@
</listitem>
</varlistentry>
+ <varlistentry id="tls_reqsan"> <!-- since 0.9.12 -->
+ <term><option>tls_reqsan</option> never|allow|try|demand|hard</term>
+ <listitem>
+ <para>
+ Specifies the way server Subject Alternative Name (SAN) is checked in
+ the server-supplied certificate.
+ The meaning of the values is described in the
+
<citerefentry><refentrytitle>ldap.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ manual page.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="tls_crlcheck"> <!-- since 0.9.12 -->
<term><option>tls_crlcheck</option> none|peer|all</term>
<listitem>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 13905f6..71b3093 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -842,35 +842,30 @@ static const char *print_ssl(int ssl)
}
}
-static void handle_tls_reqcert(const char *filename, int lnr,
- const char *keyword, char *line)
+static int get_tls_reqcert(const char *filename, int lnr,
+ const char *keyword, char **line)
{
char token[16];
- int value, rc;
- /* get token */
check_argumentcount(filename, lnr, keyword,
- get_token(&line, token, sizeof(token)) != NULL);
- get_eol(filename, lnr, keyword, &line);
+ get_token(line, token, sizeof(token)) != NULL);
/* check if it is a valid value for tls_reqcert option */
if ((strcasecmp(token, "never") == 0) || (strcasecmp(token, "no") == 0))
- value = LDAP_OPT_X_TLS_NEVER;
+ return LDAP_OPT_X_TLS_NEVER;
else if (strcasecmp(token, "allow") == 0)
- value = LDAP_OPT_X_TLS_ALLOW;
+ return LDAP_OPT_X_TLS_ALLOW;
else if (strcasecmp(token, "try") == 0)
- value = LDAP_OPT_X_TLS_TRY;
+ return LDAP_OPT_X_TLS_TRY;
else if ((strcasecmp(token, "demand") == 0) ||
(strcasecmp(token, "yes") == 0))
- value = LDAP_OPT_X_TLS_DEMAND;
+ return LDAP_OPT_X_TLS_DEMAND;
else if (strcasecmp(token, "hard") == 0)
- value = LDAP_OPT_X_TLS_HARD;
+ return LDAP_OPT_X_TLS_HARD;
else
{
log_log(LOG_ERR, "%s:%d: %s: invalid argument: '%s'",
filename, lnr, keyword, token);
exit(EXIT_FAILURE);
}
- log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,%s)", token);
- LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
}
static const char *print_tls_reqcert(int value)
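Review bot: get_tls_reqcert now serves both tls_reqcert and tls_reqsan but has no header comment, and the surviving comment `/* check if it is a valid value for tls_reqcert option */` is stale for the second caller. A short comment above the new signature would make the contract explicit: `/* parse the next token on *line as a certificate-checking level (never|no|allow|try|demand|yes|hard) and return the matching LDAP_OPT_X_TLS_* value; logs and exits on an unrecognised token */`. The exit-on-invalid behaviour is unchanged from the old handler, so the comment should say so rather than leave a caller expecting an error return.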
@@ -886,6 +881,30 @@ static const char *print_tls_reqcert(int value)
}
}
+static void handle_tls_reqcert(const char *filename, int lnr,
+ const char *keyword, char *line)
+{
+ int value, rc;
+ value = get_tls_reqcert(filename, lnr, keyword, &line);
+ get_eol(filename, lnr, keyword, &line);
+ log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,%s)",
+ print_tls_reqcert(value));
+ LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
+}
+
+#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
+static void handle_tls_reqsan(const char *filename, int lnr,
+ const char *keyword, char *line)
+{
+ int value, rc;
+ value = get_tls_reqcert(filename, lnr, keyword, &line);
+ get_eol(filename, lnr, keyword, &line);
+ log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_SAN,%s)",
+ print_tls_reqcert(value));
+ LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_SAN, &value);
+}
+#endif /* LDAP_OPT_X_TLS_REQUIRE_SAN */
+
#ifdef LDAP_OPT_X_TLS_CRLCHECK
static void handle_tls_crlcheck(const char *filename, int lnr,
const char *keyword, char *line)
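Review bot: handle_tls_reqsan is a copy of handle_tls_reqcert with only the option constant and log text changed, and neither function has a header comment; `rc` is declared in both but is only referenced if the LDAP_SET_OPTION macro expands to it, which is not visible in this hunk. Because get_tls_reqcert also accepts the `no`/`yes` synonyms, the man page entry for tls_reqsan in this commit (which lists only never|allow|try|demand|hard) and the parser should agree on which spellings are accepted. A header comment such as `/* handle the tls_reqsan option: parse the level with get_tls_reqcert() and pass it to the LDAP library as LDAP_OPT_X_TLS_REQUIRE_SAN */` would make the shared-parser reuse explicit for the next maintainer.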
@@ -1599,6 +1618,16 @@ static void cfg_read(const char *filename, struct
ldap_config *cfg)
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_KEYFILE, value);
free(value);
}
+ else if (strcasecmp(keyword, "tls_reqsan") == 0)
+ {
+#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
+ handle_tls_reqsan(filename, lnr, keyword, line);
+#else /* not LDAP_OPT_X_TLS_REQUIRE_SAN */
+ log_log(LOG_ERR, "%s:%d: option %s not supported on platform",
+ filename, lnr, keyword);
+ exit(EXIT_FAILURE);
+#endif /* LDAP_OPT_X_TLS_REQUIRE_SAN */
+ }
else if (strcasecmp(keyword, "tls_crlcheck") == 0)
{
#ifdef LDAP_OPT_X_TLS_CRLCHECK
@@ -1916,6 +1945,13 @@ static void cfg_dump(void)
LOG_LDAP_OPT_STRING("tls_ciphers", LDAP_OPT_X_TLS_CIPHER_SUITE);
LOG_LDAP_OPT_STRING("tls_cert", LDAP_OPT_X_TLS_CERTFILE);
LOG_LDAP_OPT_STRING("tls_key", LDAP_OPT_X_TLS_KEYFILE);
+#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
+ rc = ldap_get_option(NULL, LDAP_OPT_X_TLS_REQUIRE_SAN, &i);
+ if (rc != LDAP_SUCCESS)
+ log_log(LOG_DEBUG, "CFG: # tls_reqsan ERROR: %s", ldap_err2string(rc));
+ else
+ log_log(LOG_DEBUG, "CFG: tls_reqsan %s", print_tls_reqcert(i));
+#endif /* LDAP_OPT_X_TLS_REQUIRE_SAN */
#ifdef LDAP_OPT_X_TLS_CRLCHECK
rc = ldap_get_option(NULL, LDAP_OPT_X_TLS_CRLCHECK, &i);
if (rc != LDAP_SUCCESS)
https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=026f08c6ad794657e516cd97a5cadbf98b92ecaa
commit 026f08c6ad794657e516cd97a5cadbf98b92ecaa
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sat Jan 23 15:53:21 2021 +0100
Add tls_crlfile to check local CRL file
This option is passed to the LDAP library if it is supported.
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 8310718..c88882a 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -657,7 +657,7 @@
</varlistentry>
<varlistentry id="tls_crlcheck"> <!-- since 0.9.12 -->
- <term><option>tls_crlcheck</option>
<replaceable>none|peer|all</replaceable></term>
+ <term><option>tls_crlcheck</option> none|peer|all</term>
<listitem>
<para>
Specifies if the Certificate Revocation List (CRL) of the CA should
@@ -669,6 +669,19 @@
</listitem>
</varlistentry>
+ <varlistentry id="tls_crlfile"> <!-- since 0.9.12 -->
+ <term><option>tls_crlfile</option> <replaceable>PATH</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the path to the file containing a Certificate Revocation List
+ to be used to verify if the server certificates.
+ The meaning of the values is described in the
+
<citerefentry><refentrytitle>ldap.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ manual page.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index b00546c..13905f6 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -1599,12 +1599,32 @@ static void cfg_read(const char *filename, struct
ldap_config *cfg)
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_KEYFILE, value);
free(value);
}
-#ifdef LDAP_OPT_X_TLS_CRLCHECK
else if (strcasecmp(keyword, "tls_crlcheck") == 0)
{
+#ifdef LDAP_OPT_X_TLS_CRLCHECK
handle_tls_crlcheck(filename, lnr, keyword, line);
- }
+#else /* not LDAP_OPT_X_TLS_CRLCHECK */
+ log_log(LOG_ERR, "%s:%d: option %s not supported on platform",
+ filename, lnr, keyword);
+ exit(EXIT_FAILURE);
#endif /* LDAP_OPT_X_TLS_CRLCHECK */
+ }
+ else if (strcasecmp(keyword, "tls_crlfile") == 0)
+ {
+#ifdef LDAP_OPT_X_TLS_CRLFILE
+ value = get_strdup(filename, lnr, keyword, &line);
+ get_eol(filename, lnr, keyword, &line);
+ check_readable(filename, lnr, keyword, value);
+ log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CRLFILE,\"%s\")",
+ value);
+ LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CRLFILE, value);
+ free(value);
+#else /* not LDAP_OPT_X_TLS_CRLFILE */
+ log_log(LOG_ERR, "%s:%d: option %s not supported on platform",
+ filename, lnr, keyword);
+ exit(EXIT_FAILURE);
+#endif /* LDAP_OPT_X_TLS_CRLFILE */
+ }
#endif /* LDAP_OPT_X_TLS */
/* other options */
else if (strcasecmp(keyword, "pagesize") == 0)
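Review bot: The tls_crlfile branch validates the path with check_readable and hands it to the library, but nothing here says whether the LDAP library consults the file unless tls_crlcheck is also set; if that dependency exists (inferred, not visible in this hunk), a comment above the `#ifdef LDAP_OPT_X_TLS_CRLFILE` such as `/* the CRL file is presumably only consulted when tls_crlcheck is peer or all -- confirm against the LDAP library docs */` plus a matching sentence in the man page would keep an operator from assuming revocation is enforced when it is not. check_readable only confirms the file exists and is readable at configuration time; a malformed CRL will surface later from the library, so the debug log line that follows is worth keeping. cfg_read begins and ends outside this hunk. Separately, the man page hunk of the same commit reads `to be used to verify if the server certificates`, which is missing a word.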
-----------------------------------------------------------------------
Summary of changes:
man/nslcd.conf.5.xml | 28 ++++++++++++++++-
nslcd/cfg.c | 86 +++++++++++++++++++++++++++++++++++++++++++---------
2 files changed, 98 insertions(+), 16 deletions(-)
hooks/post-receive
--
nss-pam-ldapd