Revert "LDAP TLS option update. Implements #9417"

This reverts commit efdba6c.
jzadir · May 15, 2019 · 2bf6d43 · 2bf6d43
1 parent 657ab39
commit 2bf6d43
Showing 1 changed file with 32 additions and 30 deletions.
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
@@ -959,6 +959,9 @@ function ldap_test_connection($authcfg) {
 		return false;
 	}
 
+	/* Setup CA environment if needed. */
+	ldap_setup_caenv($authcfg);
+
 	/* connect and see if server is up */
 	$error = false;
 	if (!($ldap = ldap_connect($ldapserver))) {
@@ -970,44 +973,43 @@ function ldap_test_connection($authcfg) {
 		return false;
 	}
 
-	/* Setup CA environment if needed. */
-	ldap_setup_caenv($ldap, $authcfg);
-
 	return true;
 }
 
-function ldap_setup_caenv($ldap, $authcfg) {
+function ldap_setup_caenv($authcfg) {
 	global $g;
 	require_once("certs.inc");
 
 	unset($caref);
 	if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) {
-		ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+		putenv('LDAPTLS_REQCERT=never');
 		return;
 	} elseif ($authcfg['ldap_caref'] == "global") {
-		ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
-		ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, "/etc/ssl/");
-		ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
+		putenv('LDAPTLS_REQCERT=hard');
+		putenv("LDAPTLS_CACERTDIR=/etc/ssl/");
+		putenv("LDAPTLS_CACERT=/etc/ssl/cert.pem");
 	} else {
 		$caref = lookup_ca($authcfg['ldap_caref']);
 		$param = array('caref' => $authcfg['ldap_caref']);
 		$cachain = ca_chain($param);
 		if (!$caref) {
 			log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
 			/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
-			ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
+			putenv('LDAPTLS_REQCERT=hard');
 			return;
 		}
-
-		safe_mkdir($cert_path);
-		unlink_if_exists("{$cert_path}/{$caref['refid']}.ca");
-		file_put_contents("{$cert_path}/{$caref['refid']}.ca", $cachain);
-		@chmod("{$cert_path}/{$caref['refid']}.ca", 0600);
-
-		ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
+		if (!is_dir("{$g['varrun_path']}/certs")) {
+			@mkdir("{$g['varrun_path']}/certs");
+		}
+		if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
+			@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
+		}
+		file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
+		@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
+		putenv('LDAPTLS_REQCERT=hard');
 		/* XXX: Probably even the hashed link should be created for this? */
-		ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTDIR, $cert_path);
-		ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, "{$cert_path}/{$caref['refid']}.ca");
+		putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
+		putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
 	}
 }
 
@@ -1044,6 +1046,9 @@ function ldap_test_bind($authcfg) {
 		return false;
 	}
 
+	/* Setup CA environment if needed. */
+	ldap_setup_caenv($authcfg);
+
 	/* connect and see if server is up */
 	$error = false;
 	if (!($ldap = ldap_connect($ldapserver))) {
@@ -1055,9 +1060,6 @@ function ldap_test_bind($authcfg) {
 		return false;
 	}
 
-	/* Setup CA environment if needed. */
-	ldap_setup_caenv($ldap, $authcfg);
-
 	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
@@ -1132,6 +1134,9 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 		return $ous;
 	}
 
+	/* Setup CA environment if needed. */
+	ldap_setup_caenv($authcfg);
+
 	/* connect and see if server is up */
 	$error = false;
 	if (!($ldap = ldap_connect($ldapserver))) {
@@ -1143,9 +1148,6 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 		return $ous;
 	}
 
-	/* Setup CA environment if needed. */
-	ldap_setup_caenv($ldap, $authcfg);
-
 	$ldapfilter = "(|(ou=*)(cn=Users))";
 
 	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
@@ -1277,6 +1279,9 @@ function ldap_get_groups($username, $authcfg) {
 	$ldapgroupattribute = strtolower($ldapgroupattribute);
 	$memberof = array();
 
+	/* Setup CA environment if needed. */
+	ldap_setup_caenv($authcfg);
+
 	/* connect and see if server is up */
 	$error = false;
 	if (!($ldap = ldap_connect($ldapserver))) {
@@ -1288,9 +1293,6 @@ function ldap_get_groups($username, $authcfg) {
 		return $memberof;
 	}
 
-	/* Setup CA environment if needed. */
-	ldap_setup_caenv($ldap, $authcfg);
-
 	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
@@ -1430,15 +1432,15 @@ function ldap_backed($username, $passwd, $authcfg, &$attributes = array()) {
 		return null;
 	}
 
+	/* Setup CA environment if needed. */
+	ldap_setup_caenv($authcfg);
+
 	/* Make sure we can connect to LDAP */
 	$error = false;
 	if (!($ldap = ldap_connect($ldapserver))) {
 		$error = true;
 	}
 
-	/* Setup CA environment if needed. */
-	ldap_setup_caenv($ldap, $authcfg);
-
 	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);