From d13cdd3049b0191bbb275f9a6cf11dc0917a1f0c Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Mon, 10 Jun 2013 02:50:18 -0400
Subject: Guard LDAP TLS usage against Solaris LDAP variant. PP/22 Report from Prashanth Katuri. This variant ensures that if TLS won't be activated because of compile-time guards, but was requested, then we at least debug-log _why_ we're not doing anything.
---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/lookups/ldap.c | 25 ++++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e0411bab6..d84e2aa5d 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -202,6 +202,9 @@ PP/21 Fix eximon continuous updating with timestamped log-files. Report and fix from Heiko Schlichting. Bugzilla 1363.
+PP/22 Guard LDAP TLS usage against Solaris LDAP variant.
+ Report from Prashanth Katuri.
+
 Exim version 4.80.1 -------------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 244d67561..40345bafc 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -519,18 +519,25 @@ if (!lcp->bound ||
 { DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n", (lcp->bound)? "re-" : "", user, password);
-#ifdef LDAP_OPT_X_TLS
- /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this: */
 if (eldap_start_tls) {
- if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS) {
- *errmsg = string_sprintf("failed to initiate TLS processing on an "
- "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
- " %s", host, porttext, rc, ldap_err2string(rc));
- goto RETURN_ERROR;
- }
- }
+#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
+ /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
+ * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
+ * export an ldap_start_tls_s symbol.
+ */
+ if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
+ {
+ *errmsg = string_sprintf("failed to initiate TLS processing on an "
+ "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
+ " %s", host, porttext, rc, ldap_err2string(rc));
+ goto RETURN_ERROR;
+ }
+#else
+ DEBUG(D_lookup)
+ debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
 #endif
+ }
 if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE)) == -1) {
-- cgit v1.2.3
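Review bot: In the new `#else` branch, a TLS request (`eldap_start_tls` set) that cannot be honoured is reported only through `DEBUG(D_lookup)`, and control then falls through to the `ldap_bind(..., LDAP_AUTH_SIMPLE)` call just below, so the bind DN and password would be sent without the protection the administrator asked for, and nothing is recorded outside debug mode. Failing closed seems safer here: replace the `debug_printf` with `*errmsg = string_sprintf("TLS requested for LDAP server %s%s but not supported by this Exim build and LDAP library", host, porttext);` followed by `goto RETURN_ERROR;`, mirroring the error path of the supported branch. Whether the session is already protected by other means (for example a TLS-wrapped connection set up earlier) is not visible in this hunk, so confirm that before choosing between a hard error and a main-log warning. The enclosing `if (!lcp->bound || ...)` block starts and ends outside the hunk.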