authorSergey Poznyakoff <gray@gnu.org.ua>2014-07-24 14:30:51 (GMT)
committer Sergey Poznyakoff <gray@gnu.org.ua>2014-07-24 14:33:10 (GMT)
commitc1059e03983d704ea79cf97d9cffb2cbaa79bcae (patch) (side-by-side diff)
tree52ee383177d53db280ac95b2165440a4ba351ab0
parentd953e91e234f4237289367699f6a277554a789c5 (diff)
downloadpam-modules-c1059e03983d704ea79cf97d9cffb2cbaa79bcae.tar.gz
pam-modules-c1059e03983d704ea79cf97d9cffb2cbaa79bcae.tar.bz2
pam_ldaphome: provide an option to specify CA certificate file for TLS
* pam_ldaphome/pam_ldaphome.c (ldap_connect): New option tls-cacert * doc/pam-modules.texi: Document tls-cacert * doc/pam_ldaphome.8in: Likewise.
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--doc/pam-modules.texi4
-rw-r--r--doc/pam_ldaphome.8in5
-rw-r--r--pam_ldaphome/pam_ldaphome.c15
3 files changed, 23 insertions, 1 deletions
diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi
index 506ec33..12c58cd 100644
--- a/doc/pam-modules.texi
+++ b/doc/pam-modules.texi
@@ -1246,6 +1246,10 @@ mandatory, and the module will not establish LDAP connection unless
@samp{StartTLS} succeeds.
@end deffn
+@deffn {pam_ldaphome config} tls-cacert @var{val}
+Full pathname to the CA certificate file. Used if TLS is enabled.
+@end deffn
+
@deffn {pam_ldaphome config} min-uid @var{n}
Sets the minimal UID. For users with UIDs less than @var{n},
@command{pam_ldaphome} returns PAM_SUCCESS immediately. This allows
diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in
index f40ee66..97f75d6 100644
--- a/doc/pam_ldaphome.8in
+++ b/doc/pam_ldaphome.8in
@@ -14,7 +14,7 @@
.\" You should have received a copy of the GNU General Public License
.\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>.
.so config.so
-.TH PAM_LDAPHOME 8 "May 21, 2014" "PAM-MODULES" "Pam-Modules User Reference"
+.TH PAM_LDAPHOME 8 "July 24, 2014" "PAM-MODULES" "Pam-Modules User Reference"
.SH NAME
pam_ldaphome \- create and populate user home directories
.SH SYNOPSIS
@@ -84,6 +84,9 @@ anyway if it fails. Finally, if \fIVAL\fR is the word \fBonly\fR, the
use of TLS becomes mandatory, and the module will not establish LDAP
connection unless \fIStartTLS\fR succeeds.
.TP
+.BI tls-cacert " VAL"
+Full pathname to the CA certificate file. Used if TLS is enabled.
+.TP
.BI uri " ARG"
Sets the URI of the LDAP server to consult for the user profile.
.SS Home directory creation
diff --git a/pam_ldaphome/pam_ldaphome.c b/pam_ldaphome/pam_ldaphome.c
index 83b9cf7..ba6494f 100644
--- a/pam_ldaphome/pam_ldaphome.c
+++ b/pam_ldaphome/pam_ldaphome.c
@@ -406,6 +406,21 @@ ldap_connect(struct gray_env *env)
}
/* try to continue anyway */
}
+
+ val = gray_env_get(env, "tls-cacert");
+ if (val) {
+ rc = ldap_set_option(ld,
+ LDAP_OPT_X_TLS_CACERTFILE,
+ val);
+ if (rc != LDAP_SUCCESS) {
+ _pam_log(LOG_ERR,
+ "setting of LDAP_OPT_X_TLS_CACERTFILE failed");
+ if (tls == tls_only) {
+ ldap_unbind(ld);
+ return NULL;
+ }
+ }
+ }
}
}
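Review bot: The CA file is installed on the handle only after the StartTLS block that the context lines close (`/* try to continue anyway */`), so if ldap_start_tls_s has already been called above this hunk (not visible here) the option arrives after the handshake it was meant to govern and the server certificate has been checked against the default trust store rather than the configured file; the `tls-cacert` lookup and the ldap_set_option call belong before the StartTLS attempt. With OpenLDAP, TLS options set on an individual handle are also only applied once a fresh context is requested, so a following `ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &zero)` is probably needed — worth confirming against the libldap version in use. Dropping the handle only for tls_only matches the existing policy, but the log line should record which file and why, e.g. `_pam_log(LOG_ERR, "setting of LDAP_OPT_X_TLS_CACERTFILE to %s failed: %s", val, ldap_err2string(rc));`. The body of ldap_connect begins outside the hunk.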
