lib-ldap: Allow disabling of TLS

dovecot · Apr 13, 2016 · d3be014 · d3be014
1 parent ccaab3d
commit d3be014
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 5 deletions.
diff --git a/src/lib-dict/dict-ldap-settings.c b/src/lib-dict/dict-ldap-settings.c
@@ -209,13 +209,18 @@ parse_setting(const char *key, const char *value,
 			}
 			return NULL;
 		}
-		if (strcmp(key, "require_ssl") == 0) {
+		if (strcmp(key, "tls") == 0) {
 			if (strcasecmp(value, "yes") == 0) {
 				ctx->set->require_ssl = TRUE;
+				ctx->set->start_tls = TRUE;
 			} else if (strcasecmp(value, "no") == 0) {
 				ctx->set->require_ssl = FALSE;
+				ctx->set->start_tls = FALSE;
+			} else if (strcasecmp(value, "try") == 0) {
+				ctx->set->require_ssl = FALSE;
+				ctx->set->start_tls = TRUE;
 			} else {
-				return "require_ssl must be either yes or no";
+				return "tls must be yes, try or no";
 			}
 			return NULL;
 		}
@@ -286,6 +291,8 @@ dict_ldap_settings_read(pool_t pool, const char *path, const char **error_r)
 	p_array_init(&ctx.set->maps, pool, 8);
 
 	ctx.set->timeout = 30; /* default timeout */
+	ctx.set->require_ssl = FALSE; /* try to start SSL */
+	ctx.set->start_tls = TRUE;
 
 	if (!settings_read(path, NULL, parse_setting, parse_section,
 			   &ctx, error_r))

diff --git a/src/lib-dict/dict-ldap-settings.h b/src/lib-dict/dict-ldap-settings.h
@@ -26,6 +26,7 @@ struct dict_ldap_settings {
 	unsigned int debug;
 	unsigned int max_attribute_count;
 	bool require_ssl;
+	bool start_tls;
 	ARRAY(struct dict_ldap_map) maps;
 };
 

diff --git a/src/lib-dict/dict-ldap.c b/src/lib-dict/dict-ldap.c
@@ -161,6 +161,7 @@ int dict_ldap_connect(struct ldap_dict *dict, const char **error_r)
 	set.max_idle_time_secs = dict->set->max_idle_time;
 	set.debug = dict->set->debug;
 	set.require_ssl = dict->set->require_ssl;
+	set.start_tls = dict->set->start_tls;
 	return ldap_client_init(&set, &dict->client, error_r);
 }
 

diff --git a/src/lib-ldap/ldap-client.h b/src/lib-ldap/ldap-client.h
@@ -29,6 +29,7 @@ struct ldap_client_settings {
 	unsigned int max_idle_time_secs;
 	unsigned int debug;
 	bool require_ssl;
+	bool start_tls;
 };
 
 struct ldap_search_input {

diff --git a/src/lib-ldap/ldap-connection.c b/src/lib-ldap/ldap-connection.c
@@ -91,12 +91,20 @@ int ldap_connection_init(struct ldap_client *client,
 			 const struct ldap_client_settings *set,
 			 struct ldap_connection **conn_r, const char **error_r)
 {
+	i_assert(set->uri != NULL);
+
+	if (set->require_ssl &&
+	    !set->start_tls &&
+	    strncmp("ldaps://",set->uri,8) != 0) {
+		*error_r = t_strdup_printf("ldap_connection_init(uri=%s) failed: %s", set->uri,
+			"uri does not start with ldaps and ssl required without start TLS");
+		return -1;
+	}
+
 	pool_t pool = pool_alloconly_create("ldap connection", 1024);
 	struct ldap_connection *conn = p_new(pool, struct ldap_connection, 1);
 	conn->pool = pool;
 
-	i_assert(set->uri != NULL);
-
 	conn->client = client;
 	conn->set = *set;
 	/* deep copy relevant strings */
@@ -385,7 +393,8 @@ ldap_connect_next_message(struct ldap_connection *conn,
 
 	switch(conn->state) {
 	case LDAP_STATE_DISCONNECT:
-		if (strstr(conn->set.uri, "ldaps://") == NULL) {
+		/* if we should not disable SSL, and the URI is not ldaps:// */
+		if (!conn->set.start_tls || strstr(conn->set.uri, "ldaps://") == NULL) {
 			ret = ldap_start_tls(conn->conn, NULL, NULL, &(req->msgid));
 			if (ret != LDAP_SUCCESS) {
 				ldap_connection_result_failure(conn, req, ret, t_strdup_printf(