From 33382dd9537a16c676e07632e122c0112855d5c3 Mon Sep 17 00:00:00 2001
From: Todd Lyons <tlyons@exim.org>
Date: Tue, 10 Sep 2013 14:09:51 -0700
Subject: [PATCH] Bug 1287 - Fix tls_require_cert

---
 doc/doc-txt/ChangeLog  |  5 +++++
 src/src/lookups/ldap.c | 35 ++++++++++++++++++++++++++++++++---
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9d9f17d5b..61cd6f02b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -223,6 +223,11 @@ TL/09 Add expansion variable $authenticated_fail_id to keep track of
 TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
       Alexander Miroch.
 
+TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
+      ldap library initialization, allowing self-signed CA's to be
+      used. Also properly sets require_cert option later in code by
+      using NULL (global ldap config) instead of ldap handle (per
+      session). Bug diagnosis and testing by alxgomz.
 
 Exim version 4.80.1
 -------------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index f121bce61..bb29b43af 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -416,15 +416,43 @@ if (lcp == NULL)
   if (!ldapi)
     {
     int tls_option;
+    #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+    if (eldap_require_cert != NULL)
+      {
+      tls_option = LDAP_OPT_X_TLS_NEVER;
+      if (Ustrcmp(eldap_require_cert, "hard") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_HARD;
+        }
+      else if (Ustrcmp(eldap_require_cert, "demand") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_DEMAND;
+        }
+      else if (Ustrcmp(eldap_require_cert, "allow") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_ALLOW;
+        }
+      else if (Ustrcmp(eldap_require_cert, "try") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_TRY;
+        }
+      DEBUG(D_lookup)
+        debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
+                     tls_option);
+      }
+    else
+    #endif  /* LDAP_OPT_X_TLS_REQUIRE_CERT */
     if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
       {
       tls_option = LDAP_OPT_X_TLS_HARD;
-      DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n");
+      DEBUG(D_lookup)
+        debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
       }
     else
       {
       tls_option = LDAP_OPT_X_TLS_TRY;
-      DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n");
+      DEBUG(D_lookup)
+        debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
       }
     ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
     }
@@ -480,7 +508,8 @@ if (lcp == NULL)
       {
       cert_option = LDAP_OPT_X_TLS_TRY;
       }
-    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    /* Use NULL ldap handle because is a global option */
+    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
     }
   #endif
 
-- 
2.30.2