pam_pkcs11
ssl config option for LDAP mapper has confusing values
The "ssl" configuration option for LDAP mapper can take the following values:
- ssl
- tls
- on
- off
based on the code in ldap_mapper.c
However, the documentation is not very clear about the meaning of these values. One could incorrectly assume (with the recent POODLE attack) that ssl stands for "SSL 3.0" and tls stands for "TLS 1.x". This would be incorrect: ssl in fact means "LDAPS" and "tls" means "StartTLS". Anyone involved with LDAP would immediately understand the exact meaning without examining the source code for details.
So I suggest renaming "ssl" to "ldaps" and "tls" to "starttls", or at least documenting these values properly.
Why not. The new code should not break existing configurations using ssl and tls in the configuration.
Can you propose a patch?
Before anything else I would like to reach an agreement what these configuration values actually mean.
- "ssl" is actually "ldaps"
- "tls" is actually "starttls"
- "on" is the same as "ldaps"
- "off" is plaintext
Is that correct?
No idea. You should check the source code.
Source code is pretty clear in ldap_mapper.c starting line 1143:
```c
ssltls = scconf_get_str(blk, "ssl", "off");
if (!strncasecmp(ssltls, "tls", 3))
    ssl_on = SSL_START_TLS;
else if (!strncasecmp(ssltls, "on", 2))
    ssl_on = SSL_LDAPS;
else if (!strncasecmp(ssltls, "ssl", 3))
    ssl_on = SSL_LDAPS;
```
and the default value at line 113:
```c
static ldap_ssl_options_t ssl_on = SSL_OFF;
```
I could not find the documentation about ssl = ... configuration in doc/README.ldap_mapper
Maybe it is best to better document the configuration field ssl = in https://github.com/OpenSC/pam_pkcs11/blob/master/doc/pam_pkcs11.xml#L1824
Can you propose a patch?
See https://github.com/OpenSC/pam_pkcs11/blob/master/README.md
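As an added illustration of the rename proposed above (example code, not part of pam_pkcs11), the parser below accepts the explicit names "ldaps" and "starttls" while keeping the legacy "ssl", "tls", "on" and "off" working. It also shows a defensive difference from the quoted ldap_mapper.c snippet: the original uses strncasecmp() prefix matching and falls through to SSL_OFF for anything it does not recognise, so a new name such as "ldaps" or a typo like "tlsx" would silently change the transport; the strict version rejects unknown tokens instead. The enum values are assumed from the quoted code.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Enum names taken from the quoted snippet; SSL_UNKNOWN is added here. */
typedef enum { SSL_OFF = 0, SSL_START_TLS, SSL_LDAPS, SSL_UNKNOWN } ldap_ssl_options_t;

/* Strict parser: exact (case-insensitive) match on the whole token.
 * Proposed names and legacy names map to the same modes. */
ldap_ssl_options_t parse_ssl_option(const char *value)
{
    static const struct { const char *name; ldap_ssl_options_t mode; } table[] = {
        { "ldaps",    SSL_LDAPS },     /* proposed explicit name */
        { "ssl",      SSL_LDAPS },     /* legacy, kept for compatibility */
        { "on",       SSL_LDAPS },     /* legacy */
        { "starttls", SSL_START_TLS }, /* proposed explicit name */
        { "tls",      SSL_START_TLS }, /* legacy */
        { "off",      SSL_OFF },       /* legacy: plaintext */
    };
    if (value == NULL) return SSL_OFF; /* mirrors the scconf_get_str() default of "off" */
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcasecmp(value, table[i].name) == 0) return table[i].mode;
    return SSL_UNKNOWN; /* caller should log the bad value and refuse to start */
}

/* The legacy prefix match from the quoted snippet, for comparison:
 * unknown values, including the proposed new names, silently become SSL_OFF. */
ldap_ssl_options_t parse_ssl_option_legacy(const char *ssltls)
{
    if (!strncasecmp(ssltls, "tls", 3)) return SSL_START_TLS;
    if (!strncasecmp(ssltls, "on", 2))  return SSL_LDAPS;
    if (!strncasecmp(ssltls, "ssl", 3)) return SSL_LDAPS;
    return SSL_OFF;
}

int main(void)
{
    /* Constructed sample values: legacy names, proposed names, a typo and junk. */
    const char *samples[] = { "ssl", "tls", "on", "off", "ldaps", "starttls", "tlsx", "bogus" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s legacy=%d strict=%d\n", samples[i],
               parse_ssl_option_legacy(samples[i]), parse_ssl_option(samples[i]));
    return 0;
}
```

Values 0..3 in the output correspond to SSL_OFF, SSL_START_TLS, SSL_LDAPS and SSL_UNKNOWN in that order.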