From 49bd3269603be4a80f6edcfde1cdf8a77ad35d8c Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Mon, 1 Dec 2008 23:28:58 +0000
Subject: [PATCH] Properly support TLS and SSL
---
 ldap-useradmin/CHANGELOG | 1 +
 ldap-useradmin/config | 1 +
 ldap-useradmin/config-*-linux | 1 +
 ldap-useradmin/config-coherent-linux | 1 +
 ldap-useradmin/config-debian-linux | 1 +
 ldap-useradmin/config-debian-linux-3.1 | 1 +
 ldap-useradmin/config-debian-linux-4.0-* | 1 +
 .../config-debian-squirrelmail-linux | 1 +
 ldap-useradmin/config-macos | 1 +
 ldap-useradmin/config-mandrake-linux | 1 +
 ldap-useradmin/config-redhat-linux | 1 +
 ldap-useradmin/config-sol-linux | 1 +
 ldap-useradmin/config-suse-linux | 1 +
 ldap-useradmin/config-trustix-linux | 1 +
 ldap-useradmin/config-united-linux | 1 +
 ldap-useradmin/config.info | 2 +-
 ldap-useradmin/ldap-useradmin-lib.pl | 29 ++++++++++---------
 17 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/ldap-useradmin/CHANGELOG b/ldap-useradmin/CHANGELOG
index 9831f34cc..ff2c1a30d 100644
--- a/ldap-useradmin/CHANGELOG
+++ b/ldap-useradmin/CHANGELOG
@@ -64,3 +64,4 @@ Coverted all pages to use the new Webmin UI library, for a more consistent look.
 ---- Changes since 1.440 ----
 Added a Module Config option to allow / as an IMAP folder separator, thanks to Bas van den Heuvel.
 Added a check on the module's main page to ensure that the LDAP schema is accessible.
+Fixed support for SSL and TLS when connecting to the LDAP server, thanks to Paul R. Ganci.
diff --git a/ldap-useradmin/config b/ldap-useradmin/config
index 3924048a2..b17ba3a59 100644
--- a/ldap-useradmin/config
+++ b/ldap-useradmin/config
@@ -19,3 +19,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-*-linux b/ldap-useradmin/config-*-linux
index 0a80331e5..5a1f07855 100644
--- a/ldap-useradmin/config-*-linux
+++ b/ldap-useradmin/config-*-linux
@@ -19,3 +19,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-coherent-linux b/ldap-useradmin/config-coherent-linux
index 80719cb41..fb67950ca 100644
--- a/ldap-useradmin/config-coherent-linux
+++ b/ldap-useradmin/config-coherent-linux
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-debian-linux b/ldap-useradmin/config-debian-linux
index bad8fb48f..8b47f679b 100644
--- a/ldap-useradmin/config-debian-linux
+++ b/ldap-useradmin/config-debian-linux
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-debian-linux-3.1 b/ldap-useradmin/config-debian-linux-3.1
index 96f0b66a3..f27b2c9d5 100644
--- a/ldap-useradmin/config-debian-linux-3.1
+++ b/ldap-useradmin/config-debian-linux-3.1
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-debian-linux-4.0-* b/ldap-useradmin/config-debian-linux-4.0-*
index be543621c..5834ba503 100644
--- a/ldap-useradmin/config-debian-linux-4.0-*
+++ b/ldap-useradmin/config-debian-linux-4.0-*
@@ -18,3 +18,4 @@ other_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-debian-squirrelmail-linux b/ldap-useradmin/config-debian-squirrelmail-linux
index 052af9cc6..24264c0d2 100644
--- a/ldap-useradmin/config-debian-squirrelmail-linux
+++ b/ldap-useradmin/config-debian-squirrelmail-linux
@@ -24,3 +24,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-macos b/ldap-useradmin/config-macos
index 81c226066..4d0d1323a 100644
--- a/ldap-useradmin/config-macos
+++ b/ldap-useradmin/config-macos
@@ -19,3 +19,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-mandrake-linux b/ldap-useradmin/config-mandrake-linux
index 80719cb41..fb67950ca 100644
--- a/ldap-useradmin/config-mandrake-linux
+++ b/ldap-useradmin/config-mandrake-linux
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-redhat-linux b/ldap-useradmin/config-redhat-linux
index 80719cb41..fb67950ca 100644
--- a/ldap-useradmin/config-redhat-linux
+++ b/ldap-useradmin/config-redhat-linux
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-sol-linux b/ldap-useradmin/config-sol-linux
index 80719cb41..fb67950ca 100644
--- a/ldap-useradmin/config-sol-linux
+++ b/ldap-useradmin/config-sol-linux
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-suse-linux b/ldap-useradmin/config-suse-linux
index 9084f59aa..864442db7 100644
--- a/ldap-useradmin/config-suse-linux
+++ b/ldap-useradmin/config-suse-linux
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-trustix-linux b/ldap-useradmin/config-trustix-linux
index 9084f59aa..864442db7 100644
--- a/ldap-useradmin/config-trustix-linux
+++ b/ldap-useradmin/config-trustix-linux
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config-united-linux b/ldap-useradmin/config-united-linux
index 9084f59aa..864442db7 100644
--- a/ldap-useradmin/config-united-linux
+++ b/ldap-useradmin/config-united-linux
@@ -18,3 +18,4 @@ given_class=inetOrgPerson
 person=1
 given_order=0
 imap_foldersep=.
+ldap_tls=0
diff --git a/ldap-useradmin/config.info b/ldap-useradmin/config.info
index 383fde56f..bcd9b1838 100644
--- a/ldap-useradmin/config.info
+++ b/ldap-useradmin/config.info
@@ -2,7 +2,7 @@ line1=LDAP server options,11
 auth_ldap=Linux LDAP NSS library config file,3,None (use settings below),40,,,Use settings from file
 ldap_host=LDAP server host,3,From NSS config file
 ldap_port=LDAP server port,3,From NSS config file or default
-ldap_tls=LDAP server uses TLS?,1,1-Yes,0-No
+ldap_tls=LDAP server uses encryption?,1,1-Yes SSL,2-Yes TLS,0-No
 login=Bind to LDAP server as,3,Bind name from NSS config file
 pass=Credentials for bind name above,12
 user_base=Base for users,3,From NSS config file
diff --git a/ldap-useradmin/ldap-useradmin-lib.pl b/ldap-useradmin/ldap-useradmin-lib.pl
index 9e5d39636..88df752d0 100644
--- a/ldap-useradmin/ldap-useradmin-lib.pl
+++ b/ldap-useradmin/ldap-useradmin-lib.pl
@@ -81,9 +81,10 @@ if ($conf) {
 my @hostnames = split(/[ ,]+/, $conf->{'host'});
 my $port = $conf->{'port'};
 my @uris = split(/[ ,]+/, $conf->{'uri'});
- my $ssl = $conf->{'start_tls'};
+ my $ssl = $conf->{'ssl'};
 foreach my $hname (@hostnames) {
- push(@hosts, [ $hname, $port, $ssl eq 'start_tls' ]);
+ push(@hosts, [ $hname, $port, $ssl eq 'start_tls' ? 2 :
+ $ssl eq 'on' ? 1 : 0 ]);
 }
 foreach my $u (@uris) {
 if ($u =~ /^(ldap|ldaps|ldapi):\/\/([a-z0-9\_\-\.]+)(:(\d+))?/){
@@ -94,12 +95,13 @@ if ($conf) {
 elsif (!$port && $proto eq "ldaps") {
 $port = 636;
 }
- push(@hosts, [ $host, $port, $proto eq 'ldaps' ]);
+ push(@hosts, [ $host, $port,
+ $proto eq 'ldaps' ? 1 : 0 ]);
 }
 }
 }
 else {
- # From config
+ # From module config
 foreach my $hname (split(/[ ,]+/, $config{'ldap_host'})) {
 push(@hosts, [ $hname, $config{'ldap_port'},
 $config{'ldap_tls'} ]);
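Review bot: The new `push` for `@hostnames` nests two ternaries inline, and `$ssl` is compared with `eq` even when the NSS file has no `ssl` line, which leaves it undefined and, if warnings are enabled, raises an uninitialized-value warning on every host. Computing the mode once before the loop keeps the encoding readable (0 plain, 1 SSL, 2 StartTLS, matching the new config.info values): `my $ssl = $conf->{'ssl'} || '';` then `my $tls_mode = $ssl eq 'start_tls' ? 2 : $ssl eq 'on' ? 1 : 0;` laid out one case per line, and `push(@hosts, [ $hname, $port, $tls_mode ]);` inside the loop. A comment stating the encoding where `@hosts` entries are built, e.g. `# third element: 0 = plain, 1 = ldaps, 2 = start_tls`, would help because the same numbers are tested in the connect loop further down the file. The enclosing `if ($conf)` block and the `foreach my $u (@uris)` loop continue past this hunk.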
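Review bot: Hosts parsed from `uri` entries ignore the file's `ssl` setting: the new `push` gives an `ldap://` URI mode 0 even when `$ssl` is `start_tls`, so the connect loop later in this file (`if ($host->[2] == 2)`) never upgrades that connection and the subsequent bind presumably travels in plaintext, while `host` entries from the same file get mode 2. `$ssl` is declared in the previous hunk alongside `my @uris`, so it appears to be in scope here and the mode can be derived in two steps: `my $mode = $proto eq 'ldaps' ? 1 : 0;` then `$mode = 2 if !$mode && $ssl eq 'start_tls';` and `push(@hosts, [ $host, $port, $mode ]);`. The `else` branch passes `$config{'ldap_tls'}` through unchanged although this commit redefines the value (config.info: 1 now selects SSL and 2 selects TLS, where 1 previously selected start_tls), so an existing module config with `ldap_tls=1` will connect with scheme ldaps after the upgrade instead of running start_tls; a mapping for the legacy value or an upgrade note in CHANGELOG would avoid the silent change. The `if ($conf)` / `else` blocks and the `foreach` in the else branch continue past the hunk.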
@@ -113,22 +115,23 @@ if (!@hosts) {
 # Try each host in turn
 local ($ldap, $err);
 foreach my $host (@hosts) {
- $ldap = Net::LDAP->new($host->[0], port => $host->[1]);
+ $ldap = Net::LDAP->new($host->[0], port => $host->[1],
+ scheme => $host->[2] == 1 ? 'ldaps' : 'ldap');
 if (!$ldap) {
 $err = &text('conn_econn', "$host->[0]","$host->[1]");
 next;
 }
- # Connected .. but try SSL if needed
- if ($host->[2]) {
+ # Switch to TLS if needed
+ if ($host->[2] == 2) {
 my $mesg;
 eval { $mesg = $ldap->start_tls(); };
- if ($@ || !$mesg || $mesg->code) {
- # SSL failed
- $err = &text('conn_essl',
- "$host->[0]", "$host->[1]", $@);
- next;
- }
+ if ($@ || !$mesg || $mesg->code) {
+ # TLS failed
+ $err = &text('conn_essl',
+ "$host->[0]", "$host->[1]", $@);
+ next;
+ }
 }
 # If we got here, it all worked!
 $err = undef;