Folks,
With a lot of pain I was able to create this
patch to squid_ldap_auth.c that adds in TLS support.
It works well but it's ugly :) Haven't coded C in years..
Feel free to clean it up and include it in the next
release if you want. Should probably include plain old
SSL support as well, but I don't need it at the moment.
Thanks.. Mike Cunningham
###########################################################
*** squid_ldap_auth.c.orig Wed Dec 12 16:38:23 2001
--- squid_ldap_auth.c Wed Dec 12 20:08:53 2001
***************
*** 11,20 ****
*
* Usage: squid_ldap_auth -b basedn [-s searchscope]
* [-f searchfilter] [-D binddn -w bindpasswd]
! * [-u attr] [-p] [-R] <ldap_server_name>
*
* Dependencies: You need to get the OpenLDAP libraries
! * from http://www.openldap.org
*
* License: squid_ldap_auth is free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public License
--- 11,23 ----
*
* Usage: squid_ldap_auth -b basedn [-s searchscope]
* [-f searchfilter] [-D binddn -w bindpasswd]
! * [-u attr] [-p] [-R] [-v] [-z] <ldap_server_name>
*
* Dependencies: You need to get the OpenLDAP libraries
! * from http://www.openldap.org,
! *
! * If you want to make a TLS enabled
! * connection you will also need the openssl libraries linked into openldap
*
* License: squid_ldap_auth is free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public License
***************
*** 22,27 ****
--- 25,32 ----
* or (at your option) any later version.
*
* Changes:
+ * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
+ - Added TLS support and partial ldap version 3 support.
* 2001-10-04: Henrik Nordstrom <hno@squid-cache.org>
* - Be consistent with the other helpers in how
* spaces are managed. If there is space characters
***************
*** 62,67 ****
--- 67,76 ----
static int noreferrals = 0;
static int aliasderef = LDAP_DEREF_NEVER;
+ /* Added for TLS support and version 3 */
+ static int use_tls = 0;
+ static int version = -1;
+
static int checkLDAP(LDAP * ld, char *userid, char *password);
/* Yuck.. we need to glue to different versions of the API */
***************
*** 117,122 ****
--- 126,132 ----
switch(option) {
case 'p':
case 'R':
+ case 'z':
break;
default:
if (strlen(argv[1]) > 2) {
***************
*** 175,183 ****
--- 185,215 ----
case 'p':
persistent = !persistent;
break;
+ case 'v':
+ switch( atoi(value) ) {
+ case 2:
+ version = LDAP_VERSION2;
+ break;
+ case 3:
+ version = LDAP_VERSION3;
+ break;
+ default:
+ fprintf( stderr, "Protocol version should be 2 or 3\n");
+ exit(1);
+ } break;
+
case 'R':
noreferrals = !noreferrals;
break;
+ case 'z':
+ if ( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "-z incompatible with version %d\n",
+ version );
+ exit(1);
+ }
+ version = LDAP_VERSION3;
+ use_tls = !use_tls;
+ break;
default:
fprintf(stderr, "squid_ldap_auth: ERROR: Unknown command line option '%c'\n", option);
exit(1);
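Review bot: The `-z`/`-v` consistency check only runs in one direction: `case 'z'` rejects a version already set to 2, but `case 'v'` accepts `-v 2` after `-z` has been given, leaving `use_tls` set with `version == LDAP_VERSION2`; because the later start-TLS call is guarded by `version == LDAP_VERSION3`, that combination would silently run without TLS and send the bind password in the clear. The `case 2:` branch should refuse the downgrade: `if (use_tls) { fprintf(stderr, "-z requires protocol version 3\n"); exit(1); }` before `version = LDAP_VERSION2;`. The `atoi(value)` call also accepts input like `3x` or an empty string (which yields 0 and reaches the default error, so the effect is only cosmetic), and `} break;` on the closing line of the inner switch would read better split onto two lines. The option-parsing loop that encloses these cases starts and ends outside the hunk, and `value` is defined outside it.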
***************
*** 193,199 ****
--- 225,233 ----
fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
fprintf(stderr, "\t-p\t\t\tpersistent LDAP connection\n");
+ fprintf(stderr, "\t-v\t\t\tProtocol version - defaults to 2\n");
fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
+ fprintf(stderr, "\t-z\t\t\tUse TLS for the LDAP connection - requires protocol ver 3\n");
fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
fprintf(stderr, "\n");
fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
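Review bot: The new `-v` help line does not show that the option takes an argument, while the parser treats `-v` as a value-taking option (only `-z` was added to the no-argument list) and the header's usage line also prints a bare `[-v]`; a user reading the help would try `-v` alone. Suggest `fprintf(stderr, "\t-v 2|3\t\t\tProtocol version - defaults to 2\n");` and the matching `[-v 2|3]` in the usage comment at the top of the file.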
***************
*** 218,223 ****
--- 252,275 ----
ldapServer, LDAP_PORT);
exit(1);
}
+
+ if (version == -1 ) {
+ version = LDAP_VERSION2;
+ }
+
+ if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
+ != LDAP_OPT_SUCCESS )
+ {
+ fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
+ version );
+ exit(1);
+ }
+
+ if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS )) {
+ fprintf( stderr, "Could not Activate TLS connection\n");
+ exit(1);
+ }
+
squid_ldap_set_referrals(ld, !noreferrals);
squid_ldap_set_aliasderef(ld, aliasderef);
}
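Review bot: The start-TLS test on the `if ( use_tls && ... )` line is inverted: `ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS` enters the error branch and exits when TLS negotiation succeeds, and lets the program continue when it fails, so a failed or stripped TLS upgrade silently falls through to a plaintext bind carrying the user's password. Change the test to `ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS` so the helper only proceeds on a successful upgrade, and consider printing the failure reason with `ldap_err2string` so a downgrade is visible in the logs. Since `-z` already forces `version = LDAP_VERSION3`, the extra `version == LDAP_VERSION3` guard mostly serves to skip TLS quietly when the two options disagree; if `use_tls` is set and the version is not 3, failing loudly here would be safer than skipping. The enclosing connect function starts before this hunk.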
Received on Wed Dec 12 2001 - 18:33:48 MST