|
 |
c52eca |
From: Antonio Torres <antorres@redhat.com>
|
|
|
c52eca |
Date: Fri, 28 Jan 2022
|
|
|
c52eca |
Subject: Use infinite timeout when using LDAP+start-TLS
|
|
|
c52eca |
|
|
|
c52eca |
This will ensure that the TLS connection to the LDAP server will complete
|
|
|
c52eca |
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
|
|
|
c52eca |
the process. Infinite timeout is the OpenLDAP default.
|
|
|
c52eca |
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
|
|
|
c52eca |
|
|
|
c52eca |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
|
|
|
c52eca |
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
|
c52eca |
---
|
|
|
c52eca |
src/modules/rlm_ldap/ldap.c | 5 ++++-
|
|
|
c52eca |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
c52eca |
|
|
|
c52eca |
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
|
|
|
c52eca |
index cf7a84e069..841bf888a1 100644
|
|
|
c52eca |
--- a/src/modules/rlm_ldap/ldap.c
|
|
|
c52eca |
+++ b/src/modules/rlm_ldap/ldap.c
|
|
|
c52eca |
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
|
|
|
c52eca |
}
|
|
|
c52eca |
|
|
|
c52eca |
#ifdef LDAP_OPT_NETWORK_TIMEOUT
|
|
|
c52eca |
- if (inst->net_timeout) {
|
|
|
c52eca |
+ bool using_tls = inst->start_tls ||
|
|
|
c52eca |
+ inst->port == 636 ||
|
|
|
c52eca |
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
|
|
|
c52eca |
+ if (inst->net_timeout && !using_tls) {
|
|
|
c52eca |
memset(&tv, 0, sizeof(tv));
|
|
|
c52eca |
tv.tv_sec = inst->net_timeout;
|
|
|
c52eca |
|