Merge remote-tracking branch 'github/pr/50'

GitHub user @YmrDtnJu "Björn" provided a patch to fix that we called
ldap_start_tls_s on ldapi:// connections.

This is obviously a correct change, since above we've avoiding
initializing the TLS state if using ldapi.

Added documentation noting this behaviour.

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 769b9e1c9885912cbed9d9d796ba032a112274b0..465a3052584097ad467a9abf494faca8e0fb56f1 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15293,6 +15293,9 @@ connecting on a regular LDAP port.  This is the LDAP equivalent of SMTP's
 of SSL-on-connect.
 In the event of failure to negotiate TLS, the action taken is controlled
 by &%ldap_require_cert%&.
+.new
+This option is ignored for &`ldapi`& connections.
+.wen
 
 
 .option ldap_version main integer unset

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5427392b97d1693858ace79019f1d114075d0167..7e02d30bc0bf0e91581d55d7159713ad52c78042 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -4,16 +4,22 @@ This document describes *changes* to previous versions, that might
 affect Exim's operation, with an unchanged configuration file.  For new
 options, and new features, see the NewStuff file next to this ChangeLog.
 
+
 Exim version 4.89
 -------------------
+
 JH/01 Bug 1922: Support IDNA2008.  This has slightly different conversion rules
       than -2003 did; needs libidn2 in addition to linidn.
 
 JH/02 The path option on a pipe transport is now expanded before use.
 
+PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections.
+      Patch provided by "Björn", documentation fix added too.
+
 
 Exim version 4.88
 -----------------
+
 JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
       supports it and a size is available (ie. the sending peer gave us one).
 
@@ -152,11 +158,12 @@ HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
       fallback to "prime256v1".
 
 JH/34 SECURITY: Use proper copy of DATA command in error message.
-      Could leak key material.  Remotely explaoitable.  CVE-2016-9963.
+      Could leak key material.  Remotely exploitable.  CVE-2016-9963.
 
 
 Exim version 4.87
 -----------------
+
 JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16
       and 3.4.4 - once the server is enabled to respond to an OCSP request
       it does even when not requested, resulting in a stapling non-aware
@@ -353,9 +360,9 @@ JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing
       extraction.  Accept either.
 
 
-
 Exim version 4.86
 -----------------
+
 JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
       expanded.
 
@@ -478,6 +485,7 @@ HS/03 Add perl_taintmode main config option
 
 Exim version 4.85
 -----------------
+
 TL/01 When running the test suite, the README says that variables such as
       no_msglog_check are global and can be placed anywhere in a specific
       test's script, however it was observed that placement needed to be near

diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 3db787ccee372ba01205afa89e0da628e8a5bc86..b8a326834f498a550d33596e1881fb73f6528ce8 100644 (file)
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -580,7 +580,7 @@ if (!lcp->bound ||
   {
   DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
     (lcp->bound)? "re-" : "", user, password);
-  if (eldap_start_tls && !lcp->is_start_tls_called)
+  if (eldap_start_tls && !lcp->is_start_tls_called && !ldapi)
     {
 #if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
     /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.