diff options
author | Stephen Gallagher <sgallagh@redhat.com> | 2011-02-11 13:10:27 -0500 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-02-16 09:38:29 -0500 |
commit | 6ec9dde85ced5e53256b417b7f2040e5464d2a62 (patch) | |
tree | 097a061852e695e658da72e9be8ed7d5e28d9280 /src/providers/ldap/ldap_auth.c | |
parent | dcb7d0b2beebb72cbede4d712bde07c1e1fd334e (diff) | |
download | sssd-6ec9dde85ced5e53256b417b7f2040e5464d2a62.tar.gz sssd-6ec9dde85ced5e53256b417b7f2040e5464d2a62.tar.xz sssd-6ec9dde85ced5e53256b417b7f2040e5464d2a62.zip |
Do not attempt to use START_TLS on SSL connections
Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.
https://fedorahosted.org/sssd/ticket/795
Diffstat (limited to 'src/providers/ldap/ldap_auth.c')
-rw-r--r-- | src/providers/ldap/ldap_auth.c | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index f4bbabf6b..e45d5b3ed 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -547,15 +547,23 @@ static void auth_resolve_done(struct tevent_req *subreq) return; } - /* Check for undocumented debugging feature to disable TLS - * for authentication. This should never be used in production - * for obvious reasons. - */ - use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS); - if (!use_tls) { - sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over " - "insecure connection. This should be done " - "for debugging purposes only."); + /* Determine whether we need to use TLS */ + if (sdap_is_secure_uri(state->ctx->service->uri)) { + DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n", + state->ctx->service->uri)); + use_tls = false; + } else { + + /* Check for undocumented debugging feature to disable TLS + * for authentication. This should never be used in production + * for obvious reasons. + */ + use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS); + if (!use_tls) { + sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over " + "insecure connection. This should be done " + "for debugging purposes only."); + } } subreq = sdap_connect_send(state, state->ev, state->ctx->opts, |