-rw-r--r--doc/pam-modules.texi4
-rw-r--r--doc/pam_ldaphome.8in5
-rw-r--r--pam_ldaphome/pam_ldaphome.c15
3 files changed, 23 insertions, 1 deletions
diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi
index 506ec33..12c58cd 100644
--- a/doc/pam-modules.texi
+++ b/doc/pam-modules.texi
@@ -1246,6 +1246,10 @@ mandatory, and the module will not establish LDAP connection unless
@samp{StartTLS} succeeds.
@end deffn
+@deffn {pam_ldaphome config} tls-cacert @var{val}
+Full pathname to the CA certificate file. Used if TLS is enabled.
+@end deffn
+
@deffn {pam_ldaphome config} min-uid @var{n}
Sets the minimal UID. For users with UIDs less than @var{n},
@command{pam_ldaphome} returns PAM_SUCCESS immediately. This allows
diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in
index f40ee66..97f75d6 100644
--- a/doc/pam_ldaphome.8in
+++ b/doc/pam_ldaphome.8in
@@ -14,7 +14,7 @@
.\" You should have received a copy of the GNU General Public License
.\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>.
.so config.so
-.TH PAM_LDAPHOME 8 "May 21, 2014" "PAM-MODULES" "Pam-Modules User Reference"
+.TH PAM_LDAPHOME 8 "July 24, 2014" "PAM-MODULES" "Pam-Modules User Reference"
.SH NAME
pam_ldaphome \- create and populate user home directories
.SH SYNOPSIS
@@ -84,6 +84,9 @@ anyway if it fails. Finally, if \fIVAL\fR is the word \fBonly\fR, the
use of TLS becomes mandatory, and the module will not establish LDAP
connection unless \fIStartTLS\fR succeeds.
.TP
+.BI tls-cacert " VAL"
+Full pathname to the CA certificate file. Used if TLS is enabled.
+.TP
.BI uri " ARG"
Sets the URI of the LDAP server to consult for the user profile.
.SS Home directory creation
diff --git a/pam_ldaphome/pam_ldaphome.c b/pam_ldaphome/pam_ldaphome.c
index 83b9cf7..ba6494f 100644
--- a/pam_ldaphome/pam_ldaphome.c
+++ b/pam_ldaphome/pam_ldaphome.c
@@ -406,6 +406,21 @@ ldap_connect(struct gray_env *env)
}
/* try to continue anyway */
}
+
+ val = gray_env_get(env, "tls-cacert");
+ if (val) {
+ rc = ldap_set_option(ld,
+ LDAP_OPT_X_TLS_CACERTFILE,
+ val);
+ if (rc != LDAP_SUCCESS) {
+ _pam_log(LOG_ERR,
+ "setting of LDAP_OPT_X_TLS_CACERTFILE failed");
+ if (tls == tls_only) {
+ ldap_unbind(ld);
+ return NULL;
+ }
+ }
+ }
}
}

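Review bot: The CA certificate file is applied only after the block that ends with `/* try to continue anyway */`, which by the man-page text is the StartTLS step; if that step has already called the StartTLS function, OpenLDAP has already built the TLS context for the session and LDAP_OPT_X_TLS_CACERTFILE set afterwards cannot affect the peer verification that just took place, so the `tls-cacert` setting should be applied before StartTLS is attempted (or the context rebuilt with LDAP_OPT_X_TLS_NEWCTX). This is inferred, since the StartTLS code and the start of ldap_connect lie outside the hunk. Separately, the failure path discards the error code; `_pam_log(LOG_ERR, "setting of LDAP_OPT_X_TLS_CACERTFILE failed: %s", ldap_err2string(rc));` would make a bad path or permission problem diagnosable from the log, which matters because in the non-`tls_only` modes the module carries on without the configured CA.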