From c1059e03983d704ea79cf97d9cffb2cbaa79bcae Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Thu, 24 Jul 2014 17:30:51 +0300
Subject: pam_ldaphome: provide an option to specify CA certificate file for TLS

* pam_ldaphome/pam_ldaphome.c (ldap_connect): New option tls-cacert
* doc/pam-modules.texi: Document tls-cacert
* doc/pam_ldaphome.8in: Likewise.
---
 doc/pam-modules.texi | 4 ++++
 doc/pam_ldaphome.8in | 5 ++++-
 pam_ldaphome/pam_ldaphome.c | 15 +++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi
index 506ec33..12c58cd 100644
--- a/doc/pam-modules.texi
+++ b/doc/pam-modules.texi
@@ -1246,6 +1246,10 @@ mandatory, and the module will not establish LDAP connection unless
 @samp{StartTLS} succeeds.
 @end deffn
+@deffn {pam_ldaphome config} tls-cacert @var{val}
+Full pathname to the CA certificate file. Used if TLS is enabled.
+@end deffn
+
 @deffn {pam_ldaphome config} min-uid @var{n}
 Sets the minimal UID. For users with UIDs less than @var{n},
 @command{pam_ldaphome} returns PAM_SUCCESS immediately. This allows
diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in
index f40ee66..97f75d6 100644
--- a/doc/pam_ldaphome.8in
+++ b/doc/pam_ldaphome.8in
@@ -14,7 +14,7 @@
 .\" You should have received a copy of the GNU General Public License
 .\" along with PAM-Modules. If not, see .
 .so config.so
-.TH PAM_LDAPHOME 8 "May 21, 2014" "PAM-MODULES" "Pam-Modules User Reference"
+.TH PAM_LDAPHOME 8 "July 24, 2014" "PAM-MODULES" "Pam-Modules User Reference"
 .SH NAME
 pam_ldaphome \- create and populate user home directories
 .SH SYNOPSIS
@@ -84,6 +84,9 @@ anyway if it fails. Finally, if \fIVAL\fR is the word \fBonly\fR, the use of TLS
 becomes mandatory, and the module will not establish LDAP connection unless
 \fIStartTLS\fR succeeds.
 .TP
+.BI tls-cacert " VAL"
+Full pathname to the CA certificate file. Used if TLS is enabled.
+.TP
 .BI uri " ARG"
 Sets the URI of the LDAP server to consult for the user profile.
 .SS Home directory creation
diff --git a/pam_ldaphome/pam_ldaphome.c b/pam_ldaphome/pam_ldaphome.c
index 83b9cf7..ba6494f 100644
--- a/pam_ldaphome/pam_ldaphome.c
+++ b/pam_ldaphome/pam_ldaphome.c
@@ -406,6 +406,21 @@ ldap_connect(struct gray_env *env)
 			}
 			/* try to continue anyway */
 		}
+
+		val = gray_env_get(env, "tls-cacert");
+		if (val) {
+			rc = ldap_set_option(ld,
+					     LDAP_OPT_X_TLS_CACERTFILE,
+					     val);
+			if (rc != LDAP_SUCCESS) {
+				_pam_log(LOG_ERR,
+					 "setting of LDAP_OPT_X_TLS_CACERTFILE failed");
+				if (tls == tls_only) {
+					ldap_unbind(ld);
+					return NULL;
+				}
+			}
+		}
 	}
 }
--
cgit v1.2.1
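Review bot: The CA certificate file appears to be installed too late to take effect: the new block is placed directly after the `/* try to continue anyway */` branch, which by the documented `tls` semantics is the StartTLS failure path, so `LDAP_OPT_X_TLS_CACERTFILE` is set on `ld` only once the TLS handshake has already run (or failed) against whatever CA settings libldap picked up from its own configuration. In OpenLDAP a per-handle TLS option only influences a TLS context created after it is set, so as written the option would not change which CAs the server certificate is verified against, and a `tls only` deployment would get a false sense of the pinning it asked for. Move the `gray_env_get(env, "tls-cacert")` block to before the StartTLS call and, because a TLS context may already exist on the handle, force a rebuild right after setting the path with `int newctx = 0; ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &newctx);`, keeping the existing `tls == tls_only` abort on failure. The log line would also be more actionable as `_pam_log(LOG_ERR, "cannot set TLS CA certificate file %s: %s", val, ldap_err2string(rc));`. ldap_connect begins outside the hunk, so the exact position of the StartTLS call cannot be confirmed from here.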