Module: sip-router
Branch: janakj/ldap
Commit: 110dd250960f81d1aa3238255234f228604db7ff
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=110dd25…
Author: Gergely Kovacs <gergo(a)iptel.org>
Committer: Gergely Kovacs <gergo(a)iptel.org>
Date: Fri Jul 18 10:02:49 2008 +0000
tls encryption support added
---
modules/db_ldap/Makefile | 2 ++
modules/db_ldap/ld_cfg.c | 18 +++++++++++++-----
modules/db_ldap/ld_cfg.h | 3 +++
modules/db_ldap/ld_con.c | 33 ++++++++++++++++++++++++++++++++-
modules/db_ldap/ld_uri.c | 23 +++++++++++++++++++++++
modules/db_ldap/ld_uri.h | 3 +++
modules/db_ldap/ldap.cfg | 12 ++++++++++++
7 files changed, 88 insertions(+), 6 deletions(-)
diff --git a/modules/db_ldap/Makefile b/modules/db_ldap/Makefile
index f7b0507..e9309e2 100644
--- a/modules/db_ldap/Makefile
+++ b/modules/db_ldap/Makefile
@@ -8,6 +8,8 @@ NAME=ldap.so
#DEFS += -DLD_TEST
+DEFS += -Wall -DOPENLDAP23
+
# Uncomment this if you have a recent version of libldap with
# LD_SCOPE_CHILDREN defined
#DEFS += -DHAVE_SCOPE_CHILDREN
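Review bot: `DEFS += -Wall -DOPENLDAP23` hard-codes the libldap generation for every build, so the `OPENLDAP24` branch this commit adds in ld_con.c can never be compiled unless someone edits this line, and `-Wall` is forced on regardless of what the top-level build passes in. Following the pattern of the `#DEFS += -DHAVE_SCOPE_CHILDREN` line below, a commented-out `#DEFS += -DOPENLDAP24` next to it would at least document the switch. Better still, ld_con.c could select the option from `LDAP_VENDOR_VERSION` in the installed ldap.h and this define could go away entirely.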
diff --git a/modules/db_ldap/ld_cfg.c b/modules/db_ldap/ld_cfg.c
index 642c0b3..d3758ab 100644
--- a/modules/db_ldap/ld_cfg.c
+++ b/modules/db_ldap/ld_cfg.c
@@ -268,11 +268,14 @@ static cfg_option_t auth_values[] = {
static cfg_option_t ldap_con_options[] = {
- {"host", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
- {"port", .f = cfg_parse_int_opt},
- {"username", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
- {"password", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
- {"authtype", .param = auth_values, .f = cfg_parse_enum_opt},
+ {"host", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+ {"port", .f = cfg_parse_int_opt},
+ {"username", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+ {"password", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+ {"authtype", .param = auth_values, .f = cfg_parse_enum_opt},
+ {"tls", .param = cfg_bool_values, .f = cfg_parse_enum_opt},
+ {"ca_list", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+ {"require_certificate", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
{0}
};
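Review bot: `require_certificate` is parsed with `cfg_parse_str_opt`, so any value is accepted here and only reaches libldap later via the environment, whereas the file already validates `authtype` against an `auth_values` table with `cfg_parse_enum_opt` and `tls` against `cfg_bool_values`. A parallel table such as `static cfg_option_t reqcert_values[] = { {"never"}, {"allow"}, {"try"}, {"demand"}, {0} };` (constructed sketch, match the shape of `auth_values`) bound with `.param = reqcert_values, .f = cfg_parse_enum_opt` would reject typos like `demnad` at parse time instead of leaving the TLS verification mode to whatever libldap does with an unrecognised string. If the value must stay a string because it is forwarded verbatim, the accepted set should at least be checked once in parse_section.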
@@ -342,6 +345,11 @@ static int parse_section(void* param, cfg_parser_t* st, unsigned int
flags)
for(i = 0; auth_values[i].name; i++) {
auth_values[i].param = &con->authmech;
}
+ for(i = 0; cfg_bool_values[i].name; i++) {
+ cfg_bool_values[i].param = &con->tls;
+ }
+ ldap_con_options[6].param = &con->ca_list;
+ ldap_con_options[7].param = &con->req_cert;
} else {
BUG("%s:%d:%d: Unsupported section type %c\n",
st->file, t.start.line, t.start.col, t.type);
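Review bot: `ldap_con_options[6].param = &con->ca_list;` and `ldap_con_options[7].param = &con->req_cert;` bind by raw position, so inserting or reordering an entry in `ldap_con_options` silently points the options at the wrong fields, while the `auth_values` loop just above binds by walking the table. A short loop over `ldap_con_options[i].name` comparing against `"ca_list"` and `"require_certificate"`, or an enum of named indices for the table, keeps the binding stable. `cfg_bool_values` is not defined in this file and looks like a table shared with the generic cfg parser; if it is, repointing every entry's `param` at `&con->tls` also affects any other option elsewhere that parses with the same table, which is worth confirming. parse_section continues outside the hunk.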
diff --git a/modules/db_ldap/ld_cfg.h b/modules/db_ldap/ld_cfg.h
index 1a36ee4..43abca0 100644
--- a/modules/db_ldap/ld_cfg.h
+++ b/modules/db_ldap/ld_cfg.h
@@ -49,6 +49,9 @@ struct ld_con_info {
str username;
str password;
int authmech;
+ int tls; /**< TLS encryption enabled */
+ str ca_list; /**< Path of the file that contains certificates of the CAs */
+ str req_cert; /**< LDAP level of certificate request behaviour */
struct ld_con_info* next;
};
diff --git a/modules/db_ldap/ld_con.c b/modules/db_ldap/ld_con.c
index 103f1bb..b08a62b 100644
--- a/modules/db_ldap/ld_con.c
+++ b/modules/db_ldap/ld_con.c
@@ -42,7 +42,6 @@
#include <ldap.h>
#include <stdlib.h>
#include <string.h>
-
#include <sasl/sasl.h>
/** Free all memory allocated for a ld_con structure.
@@ -176,6 +175,7 @@ int ld_con_connect(db_con_t* con)
struct ld_con* lcon;
struct ld_uri* luri;
int ret, version = 3;
+ char* err_str = NULL;
lcon = DB_GET_PAYLOAD(con);
luri = DB_GET_PAYLOAD(con->uri);
@@ -193,6 +193,19 @@ int ld_con_connect(db_con_t* con)
}
}
+ /* we pass the TLS_REQCERT and TLS_REQCERT attributes over environment
+ variables to ldap library */
+ if (luri->tls) {
+ if (setenv("LDAPTLS_CACERT", luri->ca_list, 1)) {
+ ERR("ldap: Can't set environment variable 'LDAPTLS_CACERT'\n");
+ goto error;
+ }
+ if (setenv("LDAPTLS_REQCERT", luri->req_cert, 1)) {
+ ERR("ldap: Can't set environment variable
'LDAPTLS_REQCERT'\n");
+ goto error;
+ }
+ }
+
ret = ldap_initialize(&lcon->con, luri->uri);
if (lcon->con == NULL) {
ERR("ldap: Error while initializing new LDAP connection to %s\n",
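Review bot: `setenv("LDAPTLS_CACERT", luri->ca_list, 1)` is reached with a NULL value whenever `tls` is on but `ca_list` was not configured, because parse_ldap_uri in ld_uri.c (this commit) only fills `res->ca_list` and `res->req_cert` when the cfg strings are set, and passing NULL as a setenv value is undefined (glibc dereferences it); the same applies to the `LDAPTLS_REQCERT` call. Guard each call, e.g. `if (luri->ca_list && setenv("LDAPTLS_CACERT", luri->ca_list, 1))`, or reject `tls=on` without both values in parse_ldap_uri so the connect path can rely on them. The environment is also process-wide: every libldap handle in the process sees these values and the last connection to call setenv wins, so the per-handle `ldap_set_option(lcon->con, LDAP_OPT_X_TLS_CACERTFILE, ...)` and `LDAP_OPT_X_TLS_REQUIRE_CERT` (after mapping the string to the `LDAP_OPT_X_TLS_*` constants) would isolate connections from each other where the installed libldap supports them. The comment on the first added line should read `TLS_CACERT and TLS_REQCERT`, and the second ERR string literal appears split across two lines, which looks like a mail-wrap artefact rather than the committed text. ld_con_connect continues outside the hunk.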
@@ -207,6 +220,24 @@ int ld_con_connect(db_con_t* con)
goto error;
}
+ if (luri->tls) {
+ ret = ldap_start_tls_s(lcon->con, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ /* get addition info of this error */
+#ifdef OPENLDAP23
+ ldap_get_option(lcon->con, LDAP_OPT_ERROR_STRING, &err_str);
+#elif OPENLDAP24
+ ldap_get_option(lcon->con, LDAP_OPT_DIAGNOSTIC_MESSAGE, &err_str);
+#endif
+ ERR("ldap: Error while starting TLS: %s\n", ldap_err2string(ret));
+ if (err_str) {
+ ERR("ldap: %s\n", err_str);
+ ldap_memfree(err_str);
+ }
+ goto error;
+ }
+ }
+
switch (luri->authmech) {
case LDAP_AUTHMECH_NONE:
ret = ldap_simple_bind_s(lcon->con, NULL, NULL);
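Review bot: `#elif OPENLDAP24` tests the macro's value while the branch above uses `#ifdef OPENLDAP23`, so it only works when `OPENLDAP24` happens to be defined as non-zero; `#elif defined(OPENLDAP24)` is the consistent form. With neither macro defined the diagnostic is silently dropped and only the generic `ldap_err2string(ret)` text is logged, which makes TLS handshake failures (bad CA file, hostname mismatch) hard to diagnose in the field, so a `#else` that logs that no extended error is available, or selecting the option from `LDAP_VENDOR_VERSION`, would help. Releasing the `LDAP_OPT_ERROR_STRING` result with `ldap_memfree` matches OpenLDAP's documented contract, so that part reads correctly. ld_con_connect continues outside the hunk.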
diff --git a/modules/db_ldap/ld_uri.c b/modules/db_ldap/ld_uri.c
index 5476e51..1b18879 100644
--- a/modules/db_ldap/ld_uri.c
+++ b/modules/db_ldap/ld_uri.c
@@ -285,6 +285,19 @@ int parse_ldap_uri(struct ld_uri* res, str* scheme, str* uri)
}
res->authmech = cfg_conn_info->authmech;
+ res->tls = cfg_conn_info->tls;
+ if (cfg_conn_info->ca_list.s) {
+ if (!(res->ca_list = pkgstrdup(&cfg_conn_info->ca_list))) {
+ ERR("ldap: No memory left\n");
+ goto err;
+ }
+ }
+ if (cfg_conn_info->req_cert.s) {
+ if (!(res->req_cert = pkgstrdup(&cfg_conn_info->req_cert))) {
+ ERR("ldap: No memory left\n");
+ goto err;
+ }
+ }
break;
default:
@@ -304,6 +317,14 @@ int parse_ldap_uri(struct ld_uri* res, str* scheme, str* uri)
pkg_free(res->password);
res->password = NULL;
}
+ if (res->ca_list) {
+ pkg_free(res->ca_list);
+ res->ca_list = NULL;
+ }
+ if (res->req_cert) {
+ pkg_free(res->req_cert);
+ res->req_cert = NULL;
+ }
return -1;
}
@@ -314,6 +335,8 @@ static void ld_uri_free(db_uri_t* uri, struct ld_uri* payload)
if (payload->uri) pkg_free(payload->uri);
if (payload->username) pkg_free(payload->username);
if (payload->password) pkg_free(payload->password);
+ if (payload->ca_list) pkg_free(payload->ca_list);
+ if (payload->req_cert) pkg_free(payload->req_cert);
db_drv_free(&payload->drv);
pkg_free(payload);
}
diff --git a/modules/db_ldap/ld_uri.h b/modules/db_ldap/ld_uri.h
index 27bfa15..43155f3 100644
--- a/modules/db_ldap/ld_uri.h
+++ b/modules/db_ldap/ld_uri.h
@@ -61,6 +61,9 @@ struct ld_uri {
char* password;
char* uri; /**< The whole URI, including scheme */
int authmech;
+ int tls; /**< TLS encryption enabled */
+ char* ca_list; /**< Path of the file that contains certificates of the CAs */
+ char* req_cert; /**< LDAP level of certificate request behaviour */
LDAPURLDesc* ldap_url; /**< URI parsed by the ldap client library */
};
diff --git a/modules/db_ldap/ldap.cfg b/modules/db_ldap/ldap.cfg
index c21da52..d113bfb 100644
--- a/modules/db_ldap/ldap.cfg
+++ b/modules/db_ldap/ldap.cfg
@@ -24,6 +24,18 @@ password=heslo
# Allowed values: none (default), simple, digest-md5, external
authtype=simple
+# tls encryption
+tls=off
+
+# Specifies the file that contains certificates for all of the Certificate
+# Authorities the ldap module will recognize.
+ca_list=/home/kg/work/openssl/demoCA/cacert.pem
+
+# Specifies what checks to perform on server certificates in a TLS session
+# allowed values are never/allow/try/demand
+# see the TLS_REQCERT tls option part of ldap.conf(8) man page for more details
+require_certificate=demand
+
#
# Table credentials contains SIP digest authentication credentials.
#
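Review bot: `ca_list=/home/kg/work/openssl/demoCA/cacert.pem` is a developer's home-directory path in the sample configuration that ships with the module; a deployment that copies this file with `tls=on` would point libldap at a file that does not exist. An obviously placeholder value, or a commented-out line such as `#ca_list=/path/to/ca-bundle.pem` (placeholder), avoids that. The comment lists never/allow/try/demand but the option is parsed as a free string in ld_cfg.c, so the comment is the only guard on the value; it would be worth stating that only `demand` both requires the server certificate and aborts on a bad one, per the ldap.conf(8) TLS_REQCERT description the comment already points to.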