--- pam_ldap.c.orig Fri Dec 1 18:13:18 2000
+++ pam_ldap.c Fri Dec 1 18:24:29 2000
@@ -113,6 +113,10 @@
 #include
 #endif
+#define SSL_OFF 0
+#define SSL_YES 1
+#define SSL_START_TLS 2
+
 #ifdef YPLDAPD
 #include
 #include
@@ -406,7 +410,7 @@
 result->bindpw = NULL;
 result->rootbinddn = NULL;
 result->rootbindpw = NULL;
- result->ssl_on = 0;
+ result->ssl_on = SSL_OFF;
 result->sslpath = NULL;
 result->filter = NULL;
 result->userattr = NULL;
@@ -645,7 +650,14 @@
 }
 else if (!strcasecmp (k, "ssl"))
 {
- result->ssl_on = !strcasecmp (v, "yes");
+ if (!strcasecmp (v, "yes"))
+ {
+ result->ssl_on = SSL_YES;
+ }
+ else if (!strcasecmp (v, "start_tls"))
+ {
+ result->ssl_on = SSL_START_TLS;
+ }
 }
 else if (!strcasecmp (k, "pam_filter"))
 {
@@ -715,8 +727,8 @@
 if (result->port == 0)
 {
-#ifdef HAVE_LDAPSSL_INIT
- if (result->ssl_on)
+#if (HAVE_LDAPSSL_INIT || LDAP_OPT_X_TLS)
+ if (result->ssl_on == SSL_YES)
 {
 result->port = LDAPS_PORT;
 }
@@ -766,7 +778,7 @@
 #ifdef HAVE_LDAPSSL_INIT
 int rc;
- if (session->conf->ssl_on && ssl_initialized == 0)
+ if (session->conf->ssl_on == SSL_YES && ssl_initialized == 0)
 {
 rc = ldapssl_client_init (session->conf->sslpath, NULL);
 if (rc != LDAP_SUCCESS)
@@ -788,6 +800,16 @@
 {
 #ifdef HAVE_LDAP_INIT
 session->ld = ldap_init (session->conf->host, session->conf->port);
+#ifdef LDAP_OPT_X_TLS
+ if (session->conf->ssl_on == SSL_YES)
+ {
+ int tls = LDAP_OPT_X_TLS_HARD;
+ if (ldap_set_option(session->ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+ {
+ ldap_perror(session->ld,"ldap_set_option(LDAP_OPT_X_TLS)");
+ }
+ }
+#endif /* LDAP_OPT_X_TLS */
 #else
 session->ld = ldap_open (session->conf->host, session->conf->port);
 #endif /* HAVE_LDAP_INIT */
@@ -818,7 +840,7 @@
 #ifdef HAVE_LDAP_START_TLS_S
- if (session->conf->ssl_on)
+ if (session->conf->ssl_on == SSL_START_TLS)
 {
 if (ldap_start_tls_s( session->ld, NULL, NULL ) != LDAP_SUCCESS)
 ldap_perror(session->ld,"ldap_start_tls");
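Review bot: A value other than `yes` or `start_tls` for the `ssl` keyword is silently ignored in the `@@ -645` hunk, so a typo such as `starttls` leaves `ssl_on` at `SSL_OFF` and the module proceeds over cleartext LDAP with the bind password. The parser should reject or at least log an unrecognized value; for example, after the `start_tls` branch add `else if (strcasecmp (v, "no") != 0)` with a warning such as `syslog (LOG_WARNING, "pam_ldap: unrecognized value '%s' for ssl", v);`, assuming the module already logs through syslog. The enclosing option-parsing function starts and ends outside the hunk.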
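Review bot: `#if (HAVE_LDAPSSL_INIT || LDAP_OPT_X_TLS)` in the `@@ -715` hunk relies on both macros expanding to integer constants; a build that defines `HAVE_LDAPSSL_INIT` with an empty value would turn the expression into a preprocessor syntax error rather than a test. The robust form is `#if defined(HAVE_LDAPSSL_INIT) || defined(LDAP_OPT_X_TLS)`, which keeps the semantics of the original `#ifdef`. The default port is switched to `LDAPS_PORT` only for `SSL_YES`, which is intentional because start_tls upgrades a connection on the plain port; a one-line comment saying so, e.g. `/* start_tls stays on the default port and upgrades in place */`, would spare the next reader the question.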
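Review bot: When `ldap_set_option(LDAP_OPT_X_TLS)` fails in the `@@ -788` hunk, the new code only calls `ldap_perror` and falls through, so a session the administrator configured with `ssl yes` continues on `session->ld` without TLS; the failure should make the function return an error (or mark the session unusable) instead of proceeding in the clear. The same fail-open pattern appears in the `ldap_start_tls_s` hunk at `@@ -818`, where a failed StartTLS is logged and the connection is kept. Separately, `session->ld` is passed to `ldap_set_option` and `ldap_perror` without checking the `ldap_init` result for NULL; if that check lives later in the function, outside the hunk, it needs to move ahead of this block. The enclosing function continues past the end of the hunk.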