author | Glenn Strauss <gstrauss@gluelogic.com> | 2020-12-15 19:49:29 -0500 |
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2020-12-16 02:00:17 -0500 |
commit | 20b54fa918e1ce98938cac78a6e3b26c1e605f55 (patch) | |
tree | d2c3e3e63b143c6475dce0a75ad523902d4d81a9 | |
parent | 2565ad1b861db9872f3162248a81fe03178f3528 (diff) | |
download | lighttpd-git-20b54fa918e1ce98938cac78a6e3b26c1e605f55.tar.gz |
[mod_authn_ldap, mod_vhostdb_ldap] default cafile
set default cafile at startup if cafile configured in global scope
-rw-r--r-- | src/mod_authn_ldap.c | 23 | ||||
-rw-r--r-- | src/mod_vhostdb_ldap.c | 20 |
2 files changed, 39 insertions, 4 deletions
diff --git a/src/mod_authn_ldap.c b/src/mod_authn_ldap.c
index 2dd41ef0..5da14e25 100644
--- a/src/mod_authn_ldap.c
+++ b/src/mod_authn_ldap.c
@@ -49,6 +49,8 @@ typedef struct {
 buffer ldap_filter;
 } plugin_data;
+static const char *default_cafile;
+
 static handler_t mod_authn_ldap_basic(request_st * const r, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
 INIT_FUNC(mod_authn_ldap_init) {
@@ -85,6 +87,7 @@ FREE_FUNC(mod_authn_ldap_free) {
 }
 free(p->ldap_filter.ptr);
+ default_cafile = NULL;
 }
 static void mod_authn_ldap_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
@@ -176,6 +179,9 @@ static void mod_authn_add_scheme (server *srv, buffer *host)
 }
 }
+__attribute_cold__
+static void mod_authn_ldap_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, int err);
+
 SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
 static const config_plugin_keys_t cpk[] = {
 { CONST_STR_LEN("auth.backend.ldap.hostname"),
@@ -325,6 +331,17 @@ SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
 mod_authn_ldap_merge_config(&p->defaults, cpv);
 }
+ if (p->defaults.auth_ldap_starttls && p->defaults.auth_ldap_cafile) {
+ const int ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
+ p->defaults.auth_ldap_cafile);
+ if (LDAP_OPT_SUCCESS != ret) {
+ mod_authn_ldap_err(srv->errh, __FILE__, __LINE__,
+ "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
+ return HANDLER_ERROR;
+ }
+ default_cafile = p->defaults.auth_ldap_cafile;
+ }
+
 return HANDLER_GO_ON;
 }
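Review bot: The default installed in the last hunk with a NULL handle is a process-wide libldap setting, but the `default_cafile` that mirrors it is file-static, and mod_vhostdb_set_defaults (final hunk of this diff) writes its own value into the same library-global slot while tracking it in a separate static. If both modules are loaded with different global ca-file values, the later SETDEFAULTS silently replaces the earlier one, yet the earlier module's host_init still skips its per-handle override whenever `s->auth_ldap_cafile` matches its now-stale `default_cafile`, so those connections would be verified against the other module's CA bundle. Either drop the strcmp shortcut and always set the per-handle option when a ca-file is configured, or skip only when the library's live value agrees (`ldap_get_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, &cur)`, released with `ldap_memfree`). At minimum the declaration added in the first hunk deserves `/* process-wide libldap default (LDAP_OPT_X_TLS_CACERTFILE on the NULL handle); shared with mod_vhostdb_ldap, last SETDEFAULTS wins */`. mod_authn_ldap_set_defaults begins outside its hunk.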
@@ -506,8 +523,10 @@ static LDAP * mod_authn_ldap_host_init(log_error_st *errh, plugin_config_ldap *s
 if (s->auth_ldap_starttls) {
 /* if no CA file is given, it is ok, as we will use encryption
 * if the server requires a CAfile it will tell us */
- if (s->auth_ldap_cafile) {
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
+ if (s->auth_ldap_cafile
+ && (!default_cafile
+ || 0 != strcmp(s->auth_ldap_cafile, default_cafile))) {
+ ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
 s->auth_ldap_cafile);
 if (LDAP_OPT_SUCCESS != ret) {
 mod_authn_ldap_err(errh, __FILE__, __LINE__,
diff --git a/src/mod_vhostdb_ldap.c b/src/mod_vhostdb_ldap.c
index dada0ffc..a8fd2299 100644
--- a/src/mod_vhostdb_ldap.c
+++ b/src/mod_vhostdb_ldap.c
@@ -45,6 +45,8 @@ typedef struct {
 plugin_config conf;
 } plugin_data;
+static const char *default_cafile;
+
 static void mod_vhostdb_dbconf_free (void *vdata)
 {
 vhostdb_config *dbconf = (vhostdb_config *)vdata;
@@ -281,8 +283,9 @@ static LDAP * mod_authn_ldap_host_init(log_error_st *errh, vhostdb_config *s) {
 if (s->starttls) {
 /* if no CA file is given, it is ok, as we will use encryption
 * if the server requires a CAfile it will tell us */
- if (s->cafile) {
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, s->cafile);
+ if (s->cafile
+ && (!default_cafile || 0 != strcmp(s->cafile, default_cafile))) {
+ ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, s->cafile);
 if (LDAP_OPT_SUCCESS != ret) {
 mod_authn_ldap_err(errh, __FILE__, __LINE__,
 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
@@ -495,6 +498,7 @@ FREE_FUNC(mod_vhostdb_cleanup) {
 }
 }
 }
+ default_cafile = NULL;
 }
 static void mod_vhostdb_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
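Review bot: Changing the handle argument from NULL to `ld` makes the CA file a per-handle option, but as I understand OpenLDAP's libldap, a handle created after the global TLS context has already been initialised inherits that context, and a per-handle LDAP_OPT_X_TLS_CACERTFILE only takes effect once `LDAP_OPT_X_TLS_NEWCTX` is set on the handle afterwards; otherwise the override is silently ignored and the server certificate is checked against the global CA file. After the existing `LDAP_OPT_SUCCESS != ret` check, add `int newctx = 0;` and `ret = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &newctx);`, guarded by the same error path and wrapped in `#ifdef LDAP_OPT_X_TLS_NEWCTX` if older libldap builds must still compile. The same applies to the mod_authn_ldap_host_init hunk of src/mod_vhostdb_ldap.c further along this line. Both host_init bodies begin before and continue past their hunks.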
@@ -564,6 +568,18 @@ SETDEFAULTS_FUNC(mod_vhostdb_set_defaults) {
 mod_vhostdb_merge_config(&p->defaults, cpv);
 }
+ vhostdb_config * const dbconf = (vhostdb_config *)p->defaults.vdata;
+ if (dbconf && dbconf->starttls && dbconf->cafile) {
+ const int ret =
+ ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, dbconf->cafile);
+ if (LDAP_OPT_SUCCESS != ret) {
+ mod_authn_ldap_err(srv->errh, __FILE__, __LINE__,
+ "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
+ return HANDLER_ERROR;
+ }
+ default_cafile = dbconf->cafile;
+ }
+
 return HANDLER_GO_ON;
 }