Imported Debian patch 1.6.9p12-1
diff --git a/ldap.c b/ldap.c
index c4fbfbf6008bb8383f234ab359aa1d306f2d2d25..9097310cbf9354c96596a085ac46eba7c733fea8 100644 (file)
--- a/ldap.c
+++ b/ldap.c
 # include <lber.h>
 #endif
 #include <ldap.h>
+#if defined(HAVE_LDAP_SSL_H)
+# include <ldap_ssl.h>
+#elif defined(HAVE_MPS_LDAP_SSL_H)
+# include <mps/ldap_ssl.h>
+#endif
 
 #include "sudo.h"
 #include "parse.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.32 2008/01/05 23:27:10 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $";
 #endif /* lint */
 
 #ifndef LINE_MAX
@@ -136,6 +141,8 @@ struct ldap_config_table ldap_conf_table[] = {
 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
     { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
        &ldap_conf.tls_checkpeer },
+#else
+    { "tls_checkpeer", CONF_BOOL, FALSE, -1, &ldap_conf.tls_checkpeer },
 #endif
 #ifdef LDAP_OPT_X_TLS_CACERTFILE
     { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
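Review bot: The fallback `tls_checkpeer` row uses `-1` as its option value, and nothing at the table tells a reader that this means "no ldap_set_option() equivalent, handled elsewhere" rather than a real LDAP option constant; the meaning is only recoverable from the `ldapssl_set_strength()` code later in the file. A one-line comment on the `#else` row, `/* -1: no ldap_set_option() counterpart; applied via ldapssl_set_strength() in sudo_ldap_read_config() */`, would make the pairing explicit. The table `ldap_conf_table[]` starts and ends outside this hunk, so I cannot see whether other rows already use `-1` the same way; if they do, a single comment at the table head would be the better place.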
@@ -810,12 +817,19 @@ sudo_ldap_read_config()
      * Interpret SSL option
      */
     if (ldap_conf.ssl != NULL) {
-           if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
-               ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
-           else if (_atobool(ldap_conf.ssl))
-               ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+       if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+           ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+       else if (_atobool(ldap_conf.ssl))
+           ldap_conf.ssl_mode = SUDO_LDAP_SSL;
     }
 
+#if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
+    if (ldap_conf.tls_checkpeer != -1) {
+       ldapssl_set_strength(NULL,
+           ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);
+    }
+#endif
+
 #ifndef HAVE_LDAP_INITIALIZE
     /* Convert uri list to host list if no ldap_initialize(). */
     if (ldap_conf.uri) {
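Review bot: The return value of `ldapssl_set_strength()` in the new `#if defined(HAVE_LDAPSSL_SET_STRENGTH)` block is discarded, so if the call fails when the administrator has set `tls_checkpeer` to true, sudo silently continues with whatever peer-verification strength the SDK defaults to — a fail-open on the one setting meant to prevent connecting to an impostor LDAP server. Capture the result and, when `ldap_conf.tls_checkpeer` is true and the call did not return success, report it through the file's existing warning/error routine and treat it as fatal rather than proceeding. The condition `ldap_conf.tls_checkpeer != -1` also presumes the field is initialised to `-1` before the config file is parsed; that initialisation is not in this hunk, so it is worth confirming it exists for the non-`LDAP_OPT_X_TLS_REQUIRE_CERT` build, otherwise an unset option would be read as `0` and force `LDAPSSL_AUTH_WEAK`. `sudo_ldap_read_config()` begins and ends outside this hunk.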