Date:      Wed, 27 Jul 2005 14:42:47 +0700 (NOVST)
From:      Dmitry A Grigorovich <odip@bionet.nsc.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        mharo@FreeBSD.org
Subject:   ports/84160: [patch] proftpd - module mod_ldap - tls and ssl not worked
Message-ID:  <20050727074247.E33572173F@manticore.bionet.nsc.ru>
Resent-Message-ID: <200507270750.j6R7oPtL072586@freefall.freebsd.org>


>Number:         84160
>Category:       ports
>Synopsis:       [patch] proftpd - module mod_ldap - tls and ssl not worked
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 27 07:50:25 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry A Grigorovich
>Release:        FreeBSD 5.4-RELEASE-p2 i386
>Organization:
ICiG SB RAS, Russia
>Environment:
System: FreeBSD manticore.bionet.nsc.ru 5.4-RELEASE-p2 FreeBSD 5.4-RELEASE-p2 #0: Thu Jul 21 12:14:26 NOVST 2005 root@manticore.bionet.nsc.ru:/usr/obj/usr/src/sys/ODIP i386
>Description:

ftp/proftpd, when built with OpenSSL and mod_ldap,
cannot use TLS or SSL for LDAP connections!

TLS does not work because a define is missing.
SSL does not work because mod_ldap uses the old LDAP API.

>How-To-Repeat:

cd /usr/ports/net/proftpd
make config

Select LDAP and OpenSSL
In /usr/local/etc/rc.d/proftpd.conf add the directive:
LDAPUseTLS off

Start proftpd:
echo "proftpd=YES" >>/etc/rc.conf
/usr/local/etc/rc.d/proftpd.sh start

You see the message:

Starting proftpd.
 - Fatal: LDAPUseTLS: LDAPUseTLS: You must edit mod_ldap.c and recompile \
  with USE_LDAPV3_TLS enabled in order to use TLS. on line 43 \
  of '/usr/local/etc/proftpd.conf'

>Fix:

The TLS fix is simple, but we also need SSL to work!

To fix this, I added a new directive, LDAPServerURI, to proftpd.conf.

If LDAPServerURI is found, ldap_initialize() is always used
instead of ldap_init().
Only when LDAPServerURI is not found is ldap_init() used.

LDAP protocol version 3 is also used,
the same as in the new mod_ldap 2.15.


######################################################################
# New LDAPServerURI directive in proftpd.conf
# This is the URI of the LDAP server, e.g. "ldap://127.0.0.1", "ldaps://server".
#

If you do not need TLS/SSL, you have two options:

LDAPServer	ldap.server.net

or

LDAPServerURI	ldap://ldap.server.net

If you need TLS, you have two options:

LDAPServer	ldap.server.net
LDAPUseTLS	on

or

LDAPServerURI	ldap://ldap.server.net
LDAPUseTLS	on

But if you need SSL, there is only one option:

LDAPServerURI	ldaps://ldap.server.net


======================================================================

To fix, apply the following patch to /usr/ports/ftp/proftpd,
and copy opt-patch-basic.conf and opt-patch-mod_ldap.c
to /usr/ports/ftp/proftpd/files.

Reinstall the port.

Add the LDAPServerURI directive to proftpd.conf (see above).

Start proftpd and use it.

--- patch-proftpd begins here ---
diff -ur proftpd/Makefile proftpd.new/Makefile
--- proftpd/Makefile	Wed Jul 27 02:46:51 2005
+++ proftpd.new/Makefile	Wed Jul 27 14:12:15 2005
@@ -120,7 +120,7 @@
 .endif
 
 .if defined(WITH_OPENSSL)
-CFLAGS+=	-DHAVE_OPENSSL
+CFLAGS+=	-DHAVE_OPENSSL -DUSE_LDAPV3_TLS
 USE_OPENSSL=	yes
 .include <${PORTSDIR}/Mk/bsd.openssl.mk>
 PROFTPD_LIBS+=	-lssl -lcrypto -L${LOCALBASE}/lib
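Review bot: `-DUSE_LDAPV3_TLS` now enables more than TLS in the patched mod_ldap.c, because the whole LDAPServerURI / ldap_initialize() path in files/opt-patch-mod_ldap.c sits under the same #ifdef, and nothing on this line conveys that. A comment above it such as `# USE_LDAPV3_TLS also enables LDAPServerURI/ldap_initialize() in files/opt-patch-mod_ldap.c` would keep the Makefile and the patch in step. Whether the flag should additionally require the port's LDAP option is not visible from this hunk.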
@@ -170,6 +170,10 @@
 		-e 's:/usr/bin:${PREFIX}/bin:' \
 		${WRKSRC}/src/proftpd.8 ${WRKSRC}/utils/ftpshut.8 \
 		${WRKSRC}/utils/ftpcount.1
+.if defined(WITH_OPENSSL)
+	${PATCH} ${PATCH_ARGS} <${FILESDIR}/opt-patch-mod_ldap.c
+	${PATCH} ${PATCH_ARGS} <${FILESDIR}/opt-patch-basic.conf
+.endif
 
 post-install:
 	[ -f ${PREFIX}/etc/proftpd.conf ] || \
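Review bot: The two `${PATCH}` lines apply files/opt-patch-mod_ldap.c and files/opt-patch-basic.conf on WITH_OPENSSL alone, although both only make sense when the LDAP module is also built (the sample config gains directives that only the patched mod_ldap defines). If the port has a separate knob for LDAP, the condition should read `.if defined(WITH_OPENSSL) && defined(<LDAP_OPTION_PLACEHOLDER>)`, with the real knob name taken from the Makefile's existing options block, which this hunk does not show. The patched sample config would otherwise advertise LDAPServerURI on builds that reject it.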
Only in proftpd.new/files: opt-patch-basic.conf
Only in proftpd.new/files: opt-patch-mod_ldap.c
--- patch-proftpd ends here ---

--- opt-patch-basic.conf begins here ---
--- sample-configurations/basic.conf.orig	Wed Jul 27 13:13:22 2005
+++ sample-configurations/basic.conf	Wed Jul 27 14:04:35 2005
@@ -31,6 +31,13 @@
 User				nobody
 Group				nogroup
 
+# LDAP SSL
+#LDAPServerURI			ldaps://ldap.server.net
+
+# LDAP TLS
+#LDAPServerURI			ldap://ldap.server.net
+#LDAPUseTLS			on
+
 # To cause every FTP user to be "jailed" (chrooted) into their home
 # directory, uncomment this line.
 #DefaultRoot ~
--- opt-patch-basic.conf ends here ---

--- opt-patch-mod_ldap.c begins here ---
--- contrib/mod_ldap.c.orig	Thu Jul 22 07:11:22 2004
+++ contrib/mod_ldap.c	Wed Jul 27 13:12:45 2005
@@ -122,6 +122,7 @@
 #include <unistd.h>    /* seteuid()   */
 
 #include <lber.h>
+#define LDAP_DEPRECATED 1
 #include <ldap.h>
 
 /* Sun fucks my shit right up. */
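Review bot: `#define LDAP_DEPRECATED 1` is added without a comment saying why, so the next person cleaning up the include block will not know that it keeps the prototypes of ldap_init() and ldap_simple_bind_s() visible, which newer OpenLDAP headers otherwise hide. Add above it `/* Keep the ldap_init()/ldap_simple_bind_s() prototypes visible in newer OpenLDAP headers. */`. Longer term the deprecated calls could be replaced by ldap_initialize() on every path and the define dropped.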
@@ -157,7 +158,7 @@
 static xaset_t *gid_table[HASH_TABLE_SIZE];
 
 /* Config entries */
-static char *ldap_server, *ldap_dn, *ldap_dnpass,
+static char *ldap_server_uri, *ldap_server, *ldap_dn, *ldap_dnpass,
             *ldap_auth_filter, *ldap_uid_filter,
             *ldap_group_gid_filter, *ldap_group_name_filter,
             *ldap_group_member_filter, *ldap_quota_filter,
@@ -240,27 +241,51 @@
   int version = LDAP_VERSION3;
 #endif
 
-  if ((ld = ldap_init(ldap_server, LDAP_PORT)) == NULL) {
-    pr_log_pri(PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): ldap_init() to %s failed: %s", ldap_server, strerror(errno));
-    return -1;
-  }
-
 #ifdef USE_LDAPV3_TLS
-  if (ldap_use_tls == 1) {
-    if ((ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version)) != LDAP_OPT_SUCCESS) {
-      pr_log_pri(PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): Setting LDAP version option failed: %s", ldap_err2string(ret));
-      pr_ldap_unbind();
+
+  /* Init connection, switch by LDAPServerURI */
+  if ( ldap_server_uri != NULL ) {
+    ldap_initialize( &ld, ldap_server_uri );
+    if ( ld == NULL ) {
+      pr_log_pri( PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): ldap_initialize() to %s failed: %s", ldap_server_uri, strerror( errno ) );
       return -1;
     }
-
-    pr_log_debug(DEBUG2, "mod_ldap: Starting TLS for this connection.");
-    if ((ret = ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) {
-      pr_log_pri(PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): Starting TLS failed: %s", ldap_err2string(ret));
+  } else {
+    ld= ldap_init( ldap_server, LDAP_PORT );
+    if ( ld == NULL ) {
+      pr_log_pri( PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): ldap_init() to %s failed: %s", ldap_server, strerror( errno ) );
+      return -1;
+    }
+  }  
+    
+  /* Always setup new ldap version */
+  ret= ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
+  if ( ret != LDAP_OPT_SUCCESS ) {
+    pr_log_pri( PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): Setting LDAP version option failed: %s", ldap_err2string( ret ) );
+    pr_ldap_unbind();
+    return -1;
+  }
+    
+  /* Start tls only wheen needed */
+  if ( ldap_use_tls == 1 ) {
+    pr_log_debug( DEBUG2, "mod_ldap: Starting TLS for this connection." );
+    ret= ldap_start_tls_s( ld, NULL, NULL );
+    if ( ret != LDAP_SUCCESS ) {
+      pr_log_pri( PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): Starting TLS failed: %s", ldap_err2string( ret ) );
       pr_ldap_unbind();
       return -1;
     }
   }
-#endif /* USE_LDAPV3_TLS */
+
+#else
+
+  /* Old code */
+  if ((ld = ldap_init(ldap_server, LDAP_PORT)) == NULL) {
+    pr_log_pri(PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): ldap_init() to %s failed: %s", ldap_server, strerror(errno));
+    return -1;
+  }
+
+#endif
 
   if ((ret = ldap_simple_bind_s(ld, ldap_dn, ldap_dnpass) != LDAP_SUCCESS)) {
     pr_log_pri(PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): ldap_simple_bind() as %s failed: %s", ldap_dn, ldap_err2string(ret));
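Review bot: The return code of `ldap_initialize( &ld, ldap_server_uri );` is discarded, and the failure message reports strerror(errno), which is not a reliable indicator for an ldap_initialize() failure such as a malformed URI; capture the LDAP result instead: `ret = ldap_initialize(&ld, ldap_server_uri);` / `if (ret != LDAP_SUCCESS) {` / `pr_log_pri(PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): ldap_initialize() to %s failed: %s", ldap_server_uri, ldap_err2string(ret));`. The same applies to the ldap_initialize() call in the ldap_check() hunk further down. Separately, the `#else` branch still calls only ldap_init(ldap_server, LDAP_PORT), so a build without USE_LDAPV3_TLS accepts an LDAPServerURI directive (set_ldap_server_uri() is not conditional) and silently ignores it, possibly connecting to the SDK default; since ldap_initialize() does not depend on TLS, the URI dispatch could live outside the #ifdef, or the #else branch should at least log that the URI is ignored. pr_ldap_connect() begins before this hunk.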
@@ -1230,27 +1255,51 @@
          (ldap_authbind_dn == NULL) || (strlen(ldap_authbind_dn) == 0) )
       return DECLINED(cmd);
 
-    if ((ld_auth = ldap_init(ldap_server, LDAP_PORT)) == NULL) {
-      pr_log_pri(PR_LOG_ERR, "mod_ldap: ldap_is_auth(): ldap_init() to %s failed", ldap_server);
-      return DECLINED(cmd);
-    }
-
 #ifdef USE_LDAPV3_TLS
-  if (ldap_use_tls == 1) {
-    if ((ret = ldap_set_option(ld_auth, LDAP_OPT_PROTOCOL_VERSION, &version)) != LDAP_OPT_SUCCESS) {
-      pr_log_pri(PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): Setting LDAP version option on rebind failed: %s", ldap_err2string(ret));
+
+    /* Init connection, switch by LDAPServerURI */
+    if ( ldap_server_uri != NULL ) {
+      ldap_initialize( &ld_auth, ldap_server_uri );
+      if ( ld == NULL ) {
+        pr_log_pri( PR_LOG_ERR, "mod_ldap: ldap_check(): ldap_initialize() to %s failed: %s", ldap_server_uri, strerror( errno ) );
+        return DECLINED( cmd );
+      }
+    } else {
+      ld_auth= ldap_init( ldap_server, LDAP_PORT );
+      if ( ld_auth == NULL ) {
+        pr_log_pri( PR_LOG_ERR, "mod_ldap: ldap_check(): ldap_init() to %s failed: %s", ldap_server, strerror( errno ) );
+        return DECLINED( cmd );
+      }
+    }  
+    
+    /* Always setup new ldap version */
+    ret= ldap_set_option( ld_auth, LDAP_OPT_PROTOCOL_VERSION, &version );
+    if ( ret != LDAP_OPT_SUCCESS ) {
+      pr_log_pri( PR_LOG_ERR, "mod_ldap: ldap_check(): Setting LDAP version option on rebind failed: %s", ldap_err2string( ret ) );
       pr_ldap_unbind();
-      return ERROR(cmd);
+      return ERROR( cmd );
+    }
+    
+    /* Start tls only wheen needed */
+    if ( ldap_use_tls == 1 ) {
+      pr_log_debug( DEBUG2, "mod_ldap: Starting TLS for rebind connection." );
+      ret= ldap_start_tls_s( ld_auth, NULL, NULL );
+      if ( ret != LDAP_SUCCESS ) {
+        pr_log_pri( PR_LOG_ERR, "mod_ldap: ldap_check(): Starting TLS for rebind failed: %s", ldap_err2string( ret ) );
+        pr_ldap_unbind();
+        return ERROR(cmd);
+      }
     }
 
-    pr_log_debug(DEBUG2, "mod_ldap: Starting TLS for rebind connection.");
-    if ((ret = ldap_start_tls_s(ld_auth, NULL, NULL)) != LDAP_SUCCESS) {
-      pr_log_pri(PR_LOG_ERR, "mod_ldap: pr_ldap_connect(): Starting TLS for rebind failed: %s", ldap_err2string(ret));
-      pr_ldap_unbind();
-      return ERROR(cmd);
+#else
+
+    /* Old code */
+    if ((ld_auth = ldap_init(ldap_server, LDAP_PORT)) == NULL) {
+      pr_log_pri(PR_LOG_ERR, "mod_ldap: ldap_is_auth(): ldap_init() to %s failed", ldap_server);
+      return DECLINED(cmd);
     }
-  }
-#endif /* USE_LDAPV3_TLS */
+
+#endif
 
     if (ldap_simple_bind_s(ld_auth, ldap_authbind_dn, cmd->argv[2]) != LDAP_SUCCESS) {
       ldap_unbind(ld_auth);
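Review bot: `if ( ld == NULL )` after `ldap_initialize( &ld_auth, ldap_server_uri );` tests the main connection handle rather than the one just initialized, so a failed rebind initialize leaves ld_auth NULL and execution continues into ldap_set_option(ld_auth, ...); the check must be `if ( ld_auth == NULL ) {`. The failure paths for the version option and for ldap_start_tls_s() call pr_ldap_unbind(), which from its name presumably tears down the main ld rather than ld_auth, while the bind-failure path just below uses ldap_unbind(ld_auth); the rebind handle is therefore leaked on those two paths, and since the commit rewrites them anyway it is the moment to add `ldap_unbind(ld_auth);` there. The enclosing function starts before this hunk.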
@@ -1447,6 +1496,16 @@
 }
 
 MODRET
+set_ldap_server_uri(cmd_rec *cmd)
+{
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL);
+
+  add_config_param_str("LDAPServerURI", 1, cmd->argv[1]);
+  return HANDLED(cmd);
+}
+
+MODRET
 set_ldap_dninfo(cmd_rec *cmd)
 {
   CHECK_ARGS(cmd, 1);
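Review bot: set_ldap_server_uri() stores cmd->argv[1] without checking that it is an LDAP URL, so a mistyped value (missing scheme, stray characters) only surfaces at the first ldap_initialize() in pr_ldap_connect(), once the daemon is already running. Validating at parse time with OpenLDAP's `if (!ldap_is_ldap_url(cmd->argv[1]))` and rejecting the directive through the module's usual config-error return would report the problem on startup next to the directive's line number, in the same way the LDAPUseTLS error in this report does. A one-line comment stating that the value is handed verbatim to ldap_initialize() would also help readers distinguish it from LDAPServer.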
@@ -1771,6 +1830,11 @@
   char *scope;
   config_rec *c;
 
+  /* To "LDAPServer" added variable "LDAPServerURI"
+   * LDAPServerURI have URI syntax
+   */
+  ldap_server_uri= (char*)get_param_ptr( main_server->conf, "LDAPServerURI", FALSE );
+
   /* If ldap_server is NULL, ldap_init() will connect to your LDAP SDK's
    * default.
    */
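Review bot: The comment above `ldap_server_uri= (char*)get_param_ptr( main_server->conf, "LDAPServerURI", FALSE );` does not say how the new directive interacts with LDAPServer, and the context comment just below it ("If ldap_server is NULL, ldap_init() will connect to your LDAP SDK's default") is now only half true. Replace it with `/* LDAPServerURI, when set, takes precedence over LDAPServer: pr_ldap_connect() then uses ldap_initialize() with it and never calls ldap_init(). Builds without USE_LDAPV3_TLS ignore it. */`. The `(char*)` cast is probably unnecessary if get_param_ptr() returns void *, but its prototype is not visible here.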
@@ -1905,6 +1969,7 @@
 
 static conftable ldap_config[] = {
   { "LDAPServer",                          set_ldap_server,            NULL },
+  { "LDAPServerURI",                       set_ldap_server_uri,        NULL },
   { "LDAPDNInfo",                          set_ldap_dninfo,            NULL },
   { "LDAPAuthBinds",                       set_ldap_authbinds,         NULL },
   { "LDAPQueryTimeout",                    set_ldap_querytimeout,      NULL },
--- opt-patch-mod_ldap.c ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


