>From e9bc0629a27fa1bc983e2a8ea687ff9529a0757a Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Mon, 6 May 2013 12:33:35 -0400
Subject: [PATCH] Replace deprecated ldap_int_tls_config with new TLS context
 setting.
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

ldap_int_tls_config was deprecated many years ago, it was *never*
a supported public API. The TLS configuration parameters are now
collected into a new configuration area and must be enabled via
LDAP_OPT_X_TLS_NEWCTX to take effect.

* Remove compile time test for HAVE_LDAP_INT_TLS_CONFIG.
* Remove call to ldap_int_tls_config with LDAP_OPT_X_TLS_REQUIRE_CERT
* Enable new TLS configuration via LDAP_OPT_X_TLS_NEWCTX.
* Translate string value of require_cert to LDAP enumeration
  then pass require_cert enumeration to ldap_set_option via the
  do_ldap_option macro.
---
 src/modules/rlm_ldap/configure.in |  2 --
 src/modules/rlm_ldap/ldap.c       | 44 ++++++++++++++++++++++++++++++++-------
 2 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/src/modules/rlm_ldap/configure.in b/src/modules/rlm_ldap/configure.in
index dd5ec4c..00a10bb 100644
--- a/src/modules/rlm_ldap/configure.in
+++ b/src/modules/rlm_ldap/configure.in
@@ -122,8 +122,6 @@ if test x$with_[]modname != xno; then
 		[ SMART_CFLAGS="$SMART_CFLAGS -DHAVE_LDAP_START_TLS" ])
 	    AC_CHECK_FUNC(ldap_initialize,
 		[ SMART_CFLAGS="$SMART_CFLAGS -DHAVE_LDAP_INITIALIZE" ])
-	    AC_CHECK_FUNC(ldap_int_tls_config,
-		[ SMART_CFLAGS="$SMART_CFLAGS -DHAVE_LDAP_INT_TLS_CONFIG" ])
 
 
         AC_CHECK_FUNCS(ldap_set_rebind_proc)
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index 6d58f60..2ce928b 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -1107,6 +1107,16 @@ void *mod_conn_create(void *instance)
 	/*
 	 *	Set all of the TLS options
 	 */
+
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+	{
+		/* Always use the new TLS configuration context */
+		int is_server = 0;
+		do_ldap_option(LDAP_OPT_X_TLS_NEWCTX, "new TLS context", &is_server);
+
+	}
+#endif
+
 	if (inst->tls_mode) {
 		do_ldap_option(LDAP_OPT_X_TLS, "tls_mode", &(inst->tls_mode));
 	}
@@ -1117,14 +1127,6 @@ void *mod_conn_create(void *instance)
 	maybe_ldap_option(LDAP_OPT_X_TLS_CACERTFILE, "cacertfile", inst->tls_cacertfile);
 	maybe_ldap_option(LDAP_OPT_X_TLS_CACERTDIR, "cacertdir", inst->tls_cacertdir);
 
-#  ifdef HAVE_LDAP_INT_TLS_CONFIG
-	if (ldap_int_tls_config(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, inst->tls_require_cert) != LDAP_OPT_SUCCESS) {
-		ldap_get_option(handle, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
-		
-		LDAP_ERR("Could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to %s: %s", inst->tls_require_cert,
-			 ldap_err2string(ldap_errno));
-	}
-#  endif
 
 	/*
 	 *	Set certificate options
@@ -1133,6 +1135,32 @@ void *mod_conn_create(void *instance)
 	maybe_ldap_option(LDAP_OPT_X_TLS_KEYFILE, "keyfile", inst->tls_keyfile);
 	maybe_ldap_option(LDAP_OPT_X_TLS_RANDOM_FILE, "randfile", inst->tls_randfile);
 
+#ifdef LDAP_OPT_X_TLS_NEVER
+	{
+		/* We need to translate string option to enumerated constant */
+		int require_cert = -1;
+
+		if (strcasecmp(inst->tls_require_cert, "never") == 0) {
+			require_cert = LDAP_OPT_X_TLS_NEVER;
+		} else if (strcasecmp(inst->tls_require_cert, "demand") == 0) {
+			require_cert = LDAP_OPT_X_TLS_DEMAND;
+		} else if (strcasecmp(inst->tls_require_cert, "allow") == 0) {
+			require_cert = LDAP_OPT_X_TLS_ALLOW;
+		} else if (strcasecmp(inst->tls_require_cert, "try") == 0) {
+			require_cert = LDAP_OPT_X_TLS_TRY;
+		} else if (strcasecmp(inst->tls_require_cert, "hard") == 0) {
+			require_cert = LDAP_OPT_X_TLS_HARD;
+		}
+		if (require_cert == -1) {
+			LDAP_ERR("[%s] require_cert option %s invalid, "
+				 "must be one of: never,demand,allow,try,hard",
+				 inst->xlat_name, inst->tls_require_cert);
+		} else {
+			do_ldap_option(LDAP_OPT_X_TLS_REQUIRE_CERT, "tls_require_cert", &require_cert);
+		}
+	}
+#endif
+
 	/*
 	 *	And finally start the TLS code.
 	 */
-- 
1.7.11.7

