Hello,

OpenLDAP changed their default setting for LDAP_OPT_X_TLS_REQUIRE_CERT from 0 to 2 in recent versions (haven't checked when). This breaks the expected effect of ldap_tls_check_peer. The function lak_connect() in lak.c only changes the default value of LDAP_OPT_X_TLS_REQUIRE_CERT if lak->conf->tls_check_peer is not 0. So when I set ldap_tls_check_peer to "no" (aka 0) in /etc/saslauthd.conf, LDAP_OPT_X_TLS_REQUIRE_CERT keeps its default value of 2 ("demand"). The attached patch solves this problem, at least on Debian lenny and squeeze.

Cheers,
Mario

--
"Buy the taz!" The taz has been a cooperative since 1992. More than 10,000 cooperative members now secure the newspaper's independence. Information at www.taz.de, geno@xxxxxx, Tel: 0 30 - 2 59 02 - 213
diff --git a/saslauthd/lak.c b/saslauthd/lak.c index 92c2116..1e5c044 100644 --- a/saslauthd/lak.c +++ b/saslauthd/lak.c @@ -773,11 +773,9 @@ static int lak_connect( } } - if (lak->conf->tls_check_peer != 0) { - rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &lak->conf->tls_check_peer); - if (rc != LDAP_SUCCESS) { - syslog (LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_X_TLS_REQUIRE_CERT (%s).", ldap_err2string (rc)); - } + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &lak->conf->tls_check_peer); + if (rc != LDAP_SUCCESS) { + syslog (LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_X_TLS_REQUIRE_CERT (%s).", ldap_err2string (rc)); } if (ISSET(lak->conf->tls_ciphers)) {
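Review bot: the unconditional ldap_set_option() in the added lines is the right fix for the reported case, because with the old `if (lak->conf->tls_check_peer != 0)` guard a configured value of 0 ("no") was never written and the library default of 2 ("demand") silently won. Two things worth checking before merging: first, since the option is now always applied from `&lak->conf->tls_check_peer`, confirm that every value the config parser can store there is one of the LDAP_OPT_X_TLS_REQUIRE_CERT constants, as an unexpected integer would now be passed to libldap instead of skipped; second, the call still uses a NULL handle (the global default), so it only takes effect for handles created afterwards, which the surrounding code should guarantee. Consider also logging the value actually set, so an administrator can see in the saslauthd log when peer certificate verification has been turned off, as "no" means the LDAP server's certificate is not validated at all. Brace balance after dropping the outer if is correct: the surviving `}` context line now closes the new `if (rc != LDAP_SUCCESS)`.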