

3 messages in net.sourceforge.lists.courier-usersRe: [courier-users] Courier-IMAP LDAP...| From | Sent On | Attachments |
|---|---|---|
| Iustin Pop | Dec 19, 2001 4:45 am | |
| Peter C. Norton | Dec 19, 2001 7:23 am | |
| Iustin Pop | Dec 19, 2001 8:15 am | .patch |

| Subject: | Re: [courier-users] Courier-IMAP LDAP-TLS bug (and patch) | Actions... |
|---|---|---|
| From: | Iustin Pop (ius...@intensit.de) | |
| Date: | Dec 19, 2001 8:15:46 am | |
| List: | net.sourceforge.lists.courier-users | |
| Attachments: | ||
Sorry, it was my fault. The first time I didn't attach the patch and the second time I only sent it to me :) On Wed, 2001-12-19 at 17:23, Peter C. Norton wrote:
On Wed, Dec 19, 2001 at 02:43:52PM +0200, Iustin Pop wrote:
I don't know where to post this patch for inclusion (if it's OK and well done), so I posted it here. Could some kind soul tell me where to forward it?
Sounds like a good patch, but this list may strip attachments. Can you post a link to it so folks (unlike me) who are using ldap+tls can look it over themselves?
-- The 5 year plan: In five years we'll make up another plan. Or just re-use this one.
diff -urN courier-imap-1.4.0.orig/authlib/authldaplib.c
courier-imap-1.4.0/authlib/authldaplib.c
--- courier-imap-1.4.0.orig/authlib/authldaplib.c Thu Nov 29 05:52:51 2001
+++ courier-imap-1.4.0/authlib/authldaplib.c Wed Dec 19 13:17:42 2001
@@ -26,6 +26,17 @@
*/
/* + * Modified 28/11/2001 Iustin Pop <ius...@intensit.de> + * There was a bug regarding the LDAP_TLS option: if both LDAP_TLS + * and was LDAP_AUTHBIND were enabled, the ldap_start_tls function + * was called only for the first connection, resulting in the fact + * that the bind for checking the password was done without TLS, + * sending the password in clear text over the network. Detected + * when using OpenLDAP with "security ssf=128" (which disalows any + * clear-text communication). +*/ + +/* Modified 01/21/2000 James Golovich <jam...@wwnet.net>
 1. If LDAP_AUTHBIND is set in the config file, then the ldap server will
@@ -467,6 +478,53 @@
 return (rc);
 }
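Review bot: The new header comment is garbled where it matters most: "if both LDAP_TLS and was LDAP_AUTHBIND were enabled" does not parse, and "disalows" is a typo. Suggested wording for those two lines: ` * if both LDAP_TLS and LDAP_AUTHBIND were enabled, ldap_start_tls was` and ` * when using OpenLDAP with "security ssf=128" (which disallows any`. Since this comment is the only in-file record of why the bind path now negotiates TLS, it is worth getting the sentence right.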
+/* This function takes a ldap connection and
+ * tries to enable TLS on it.
+*/
+static int enable_tls_on(LDAP *conn) {
+#if HAVE_LDAP_TLS
+ int version;
+ int ldrc;
+
+ if (ldaperror(ldrc=ldap_get_option (conn,
+ LDAP_OPT_PROTOCOL_VERSION,
+ &version))
+ != LDAP_SUCCESS)
+ {
+ const char *s=ldap_err2string(ldrc);
+
+#if HAVE_SYSLOG_H
+ syslog(LOG_DAEMON|LOG_CRIT,
+ "ldap_get_option failed: %s", s);
+#endif
+ return (-1);
+ }
+
+ if (version < LDAP_VERSION3)
+ {
+ version = LDAP_VERSION3;
+ (void)ldap_set_option (conn,
+ LDAP_OPT_PROTOCOL_VERSION,
+ &version);
+ }
+
+ if (ldaperror(ldrc=ldap_start_tls_s(conn, NULL, NULL))
+ != LDAP_SUCCESS)
+ {
+ const char *s=ldap_err2string(ldrc);
+
+#if HAVE_SYSLOG_H
+ syslog(LOG_DAEMON|LOG_CRIT,
+ "ldap_start_tls_s failed: %s", s);
+#endif
+ return (-1);
+ }
+ return 0;
+#else
+ return (-1);
+#endif
+}
+
 static LDAP *ldapconnect()
 {
 LDAP *p;
@@ -518,47 +576,11 @@
 }
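Review bot: `enable_tls_on()` only negotiates encryption with `ldap_start_tls_s(conn, NULL, NULL)`; nothing in the helper decides whether the server's certificate is verified, so that is left entirely to the client library's TLS configuration (for OpenLDAP, the `TLS_REQCERT`/`LDAP_OPT_X_TLS_REQUIRE_CERT` setting, if the installed version supports it), and without verification an active attacker can still terminate the TLS session and collect the bind password the patch is trying to protect. The contract should say so in the header comment, e.g. ` * Negotiates TLS on conn (StartTLS). Returns 0 on success, -1 on failure;` and ` * server certificate checking is governed by the LDAP library's TLS config.` On the positive side, the error paths are fail-closed: a failed `ldap_set_option` to v3 simply makes the following StartTLS fail and return -1. The `#else` branch returning -1 is never reached from the call sites in this patch, since both are themselves inside `#if HAVE_LDAP_TLS`; harmless, but worth a one-line comment so nobody "fixes" it later.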
 #if HAVE_LDAP_TLS
- if (my_ldap.tls)
+ if (my_ldap.tls && enable_tls_on(my_ldap_fp))
 {
- int version;
-
- if (ldaperror(ldrc=ldap_get_option (my_ldap_fp,
- LDAP_OPT_PROTOCOL_VERSION,
- &version))
- != LDAP_SUCCESS)
- {
- const char *s=ldap_err2string(ldrc);
-
-#if HAVE_SYSLOG_H
- syslog(LOG_DAEMON|LOG_CRIT,
- "ldap_get_option failed: %s", s);
-#endif
- authldapclose();
- ldapconnfailure();
- return (-1);
- }
-
- if (version < LDAP_VERSION3)
- {
- version = LDAP_VERSION3;
- (void)ldap_set_option (my_ldap_fp,
- LDAP_OPT_PROTOCOL_VERSION,
- &version);
- }
-
- if (ldaperror(ldrc=ldap_start_tls_s(my_ldap_fp, NULL, NULL))
- != LDAP_SUCCESS)
- {
- const char *s=ldap_err2string(ldrc);
-
-#if HAVE_SYSLOG_H
- syslog(LOG_DAEMON|LOG_CRIT,
- "ldap_start_tls_s failed: %s", s);
-#endif
- authldapclose();
- ldapconnfailure();
- return (-1);
- }
+ authldapclose();
+ ldapconnfailure();
+ return (-1);
 }
 #endif
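Review bot: The new condition `if (my_ldap.tls && enable_tls_on(my_ldap_fp))` reads as "if TLS succeeded" unless the reader already knows the helper returns non-zero on failure; spelling it `if (my_ldap.tls && enable_tls_on(my_ldap_fp) != 0)` or adding `/* non-zero: StartTLS failed, drop the connection */` above it removes the ambiguity. The removed code was the only visible user of `ldrc` in this part of `ldapconnect()`; if it is not referenced elsewhere in the function (its declaration is outside the hunk) it will now be an unused variable. The body of `ldapconnect()` starts and ends outside this hunk.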
@@ -828,17 +850,28 @@
rc=1;
else
{
- switch (ldap_simple_bind_s(bindp, dn, (char *)pass))
- {
- case LDAP_SUCCESS:
- break;
- case LDAP_INVALID_CREDENTIALS:
- rc = -1;
- break;
- default:
+#if HAVE_LDAP_TLS
+ if(my_ldap.tls && enable_tls_on(bindp)) {
+#if HAVE_SYSLOG_H
+ syslog(LOG_DAEMON|LOG_CRIT, "authlib: LDAP_TLS enabled but I'm unable to
start tls, check your config\n");
+#endif
rc = 1;
- break;
+ } else {
+#endif
+ switch (ldap_simple_bind_s(bindp, dn, (char *)pass))
+ {
+ case LDAP_SUCCESS:
+ break;
+ case LDAP_INVALID_CREDENTIALS:
+ rc = -1;
+ break;
+ default:
+ rc = 1;
+ break;
+ }
+#if HAVE_LDAP_TLS
}
+#endif
ldap_unbind(bindp);
}
if (rc == 0 && newpass)
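Review bot: As posted, the `syslog` call's string literal is split across two physical lines (`"authlib: LDAP_TLS enabled but I'm unable to` / `start tls, check your config\n"`), which is not valid C; that looks like mail wrapping rather than intent, but anyone applying the patch has to rejoin it, and the trailing `\n` is not used by the file's other syslog messages. Suggested single line: `syslog(LOG_DAEMON|LOG_CRIT, "authlib: LDAP_TLS enabled but unable to start TLS, check your config");`. The security behaviour itself is right: when TLS was requested and cannot be negotiated on `bindp`, no `ldap_simple_bind_s` is attempted and `rc = 1` reports a temporary failure, matching the existing `default:` case rather than leaking the password in clear. Style-wise, `if(` with the brace on the same line differs from the surrounding `if (` / brace-on-its-own-line layout. The enclosing function starts and ends outside this hunk.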







