=== modified file 'src/acl/external/kerberos_ldap_group/kerberos_ldap_group.cc'
--- src/acl/external/kerberos_ldap_group/kerberos_ldap_group.cc	2016-01-30 06:24:40 +0000
+++ src/acl/external/kerberos_ldap_group/kerberos_ldap_group.cc	2016-07-01 22:46:21 +0000
@@ -214,7 +214,7 @@
             margs.rc_allow = 1;
             break;
         case 's':
-            margs.ssl = (char *) "yes";
+            margs.ssl = xstrdup("yes");
             break;
         case 'n':
             margs.nokerberos = 1;

=== modified file 'src/acl/external/kerberos_ldap_group/support_ldap.cc'
--- src/acl/external/kerberos_ldap_group/support_ldap.cc	2016-01-01 00:12:18 +0000
+++ src/acl/external/kerberos_ldap_group/support_ldap.cc	2016-07-02 16:50:16 +0000
@@ -527,6 +527,7 @@
 #if HAVE_OPENLDAP
     if (!margs->rc_allow) {
         char *ssl_cacertfile = NULL;
+        char *ssl_cacertdir = NULL;
         int free_path;
         debug((char *) "%s| %s: DEBUG: Enable server certificate check for ldap server.\n", LogTime(), PROGRAM);
         val = LDAP_OPT_X_TLS_DEMAND;
@@ -541,14 +542,44 @@
             ssl_cacertfile = xstrdup("/etc/ssl/certs/cert.pem");
             free_path = 1;
         }
-        debug((char *) "%s| %s: DEBUG: Set certificate file for ldap server to %s.(Changeable through setting environment variable TLS_CACERTFILE)\n", LogTime(), PROGRAM, ssl_cacertfile);
-        rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile);
-        if (ssl_cacertfile && free_path) {
-            xfree(ssl_cacertfile);
-        }
-        if (rc != LDAP_OPT_SUCCESS) {
-            error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
-            return rc;
+        if (access(ssl_cacertfile, R_OK) == 0) {
+            debug((char *) "%s| %s: DEBUG: Set certificate file for ldap server to %s.(Changeable through setting environment variable TLS_CACERTFILE)\n", LogTime(), PROGRAM, ssl_cacertfile);
+            rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile);
+            if (ssl_cacertfile && free_path) {
+                xfree(ssl_cacertfile);
+            }
+            if (rc != LDAP_OPT_SUCCESS) {
+                error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+                return rc;
+            }
+        } else {
+            debug((char *) "%s| %s: DEBUG: Set certificate file for ldap server to %s failed (%s). (Changeable through setting environment variable TLS_CACERTFILE) Trying db certificate directory\n", LogTime(), PROGRAM, ssl_cacertfile, strerror(errno));
+            if (ssl_cacertfile && free_path) {
+                xfree(ssl_cacertfile);
+            }
+            ssl_cacertdir = getenv("TLS_CACERTDIR");
+            free_path = 0;
+            if (!ssl_cacertdir) {
+                ssl_cacertdir= xstrdup("/etc/ssl/certs");
+                free_path = 1;
+            }
+            if (access(ssl_cacertdir, R_OK) == 0) {
+                debug((char *) "%s| %s: DEBUG: Set certificate database path for ldap server to %s.(Changeable through setting environment variable TLS_CACERTDIR)\n", LogTime(), PROGRAM, ssl_cacertdir);
+                rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, ssl_cacertdir);
+                if (ssl_cacertdir && free_path) {
+                    xfree(ssl_cacertdir);
+                }
+                if (rc != LDAP_OPT_SUCCESS) {
+                    error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTDIR for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+                    return rc;
+                }
+            } else {
+                debug((char *) "%s| %s: DEBUG: Set certificate database path for ldap server to %s failed (%s).(Changeable through setting environment variable TLS_CACERTDIR)\n", LogTime(), PROGRAM, ssl_cacertdir, strerror(errno));
+                if (ssl_cacertdir && free_path) {
+                    xfree(ssl_cacertdir);
+                }
+                return errno;
+            }
         }
     } else {
         debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM);
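Review bot: `return errno;` at the end of the new else-branch reads errno after `debug()` and `xfree()` have run, both of which may overwrite it, so the value returned (and the `strerror(errno)` text logged just before) may not be the `access()` failure; if errno has been reset to 0 the function returns success although no CA file or directory was configured while `LDAP_OPT_X_TLS_DEMAND` is set. Every other return in this hunk yields an `ldap_set_option` result compared against `LDAP_OPT_SUCCESS`, so an errno value also mixes error domains for the caller. Capture it once right after the failed `access()`, `const int access_err = errno;`, use `strerror(access_err)` in the debug message, and return a value in the LDAP domain such as `return LDAP_OPT_ERROR;` (or a documented negative code the caller already handles). The same pattern applies to the `strerror(errno)` in the TLS_CACERTFILE failure message earlier in the branch, which is logged before any clobbering call and is fine as written. The enclosing function starts and ends outside this hunk.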
@@ -797,7 +828,7 @@
          */
         rc = ldap_start_tls_s(ld, NULL, NULL);
         if (rc != LDAP_SUCCESS) {
-            error((char *) "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+            debug((char *) "%s| %s: WARNING: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
             ldap_unbind_ext(ld, NULL, NULL);
             ld = NULL;
             url = (LDAPURLDesc *) xmalloc(sizeof(*url));
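Review bot: Downgrading the `ldap_start_tls_s` failure from `error()` to `debug()` makes a failed TLS negotiation visible only at debug verbosity, while the code then drops the connection and rebuilds the URL; the rest of that path lies outside the hunk, so I cannot confirm that the retry also fails loudly. If the rationale is that a fallback connection follows and reports its own error, state it at the call site, e.g. `/* StartTLS failed: log at WARNING only, the ldaps retry below reports a hard error if it also fails */`, so a later reader does not re-promote the message or miss that the fallback is the only remaining signal. If no such error is emitted on the fallback path, keep this message at `error()` level instead, since an operator otherwise has no non-debug indication that server certificate checks were not applied. The enclosing function starts and ends outside this hunk.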

