Diffstat (limited to 'usr.bin/sudo/ldap.c')
-rw-r--r--usr.bin/sudo/ldap.c24
1 files changed, 19 insertions, 5 deletions
diff --git a/usr.bin/sudo/ldap.c b/usr.bin/sudo/ldap.c
index c4fbfbf6008..9097310cbf9 100644
--- a/usr.bin/sudo/ldap.c
+++ b/usr.bin/sudo/ldap.c
@@ -61,12 +61,17 @@
# include <lber.h>
#endif
#include <ldap.h>
+#if defined(HAVE_LDAP_SSL_H)
+# include <ldap_ssl.h>
+#elif defined(HAVE_MPS_LDAP_SSL_H)
+# include <mps/ldap_ssl.h>
+#endif
#include "sudo.h"
#include "parse.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.32 2008/01/05 23:27:10 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $";
#endif /* lint */
#ifndef LINE_MAX
@@ -136,6 +141,8 @@ struct ldap_config_table ldap_conf_table[] = {
#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
{ "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
&ldap_conf.tls_checkpeer },
+#else
+ { "tls_checkpeer", CONF_BOOL, FALSE, -1, &ldap_conf.tls_checkpeer },
#endif
#ifdef LDAP_OPT_X_TLS_CACERTFILE
{ "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
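Review bot: The fallback `tls_checkpeer` entry on the new `#else` branch passes `-1` where every other visible entry passes an `LDAP_OPT_*` constant, and nothing in this hunk says what the option-applying code does with `-1`; presumably it skips ldap_set_option() and leaves the value for the ldapssl_set_strength() path this commit adds elsewhere. A short comment on that line would save the next reader a trip: `/* no LDAP_OPT_*: -1 skips ldap_set_option(); applied via ldapssl_set_strength() */`. The ldap_conf_table array begins before and continues after this hunk.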
@@ -810,12 +817,19 @@ sudo_ldap_read_config()
* Interpret SSL option
*/
if (ldap_conf.ssl != NULL) {
- if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
- ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
- else if (_atobool(ldap_conf.ssl))
- ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+ if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+ ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+ else if (_atobool(ldap_conf.ssl))
+ ldap_conf.ssl_mode = SUDO_LDAP_SSL;
}
+#if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
+ if (ldap_conf.tls_checkpeer != -1) {
+ ldapssl_set_strength(NULL,
+ ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);
+ }
+#endif
+
#ifndef HAVE_LDAP_INITIALIZE
/* Convert uri list to host list if no ldap_initialize(). */
if (ldap_conf.uri) {
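Review bot: The ldapssl_set_strength() call in the new `#if defined(HAVE_LDAPSSL_SET_STRENGTH)` block ignores its return value, so an explicit `tls_checkpeer yes` that the SDK rejects (for instance if this runs before the SDK's SSL client initialization, which this hunk cannot show) leaves server certificate checking at the library default with no diagnostic, which is the one case where a silent failure matters. I'd check it and report it the way the rest of this function reports configuration problems: `if (ldapssl_set_strength(NULL, ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK) != 0)` followed by a warning naming tls_checkpeer; as far as I recall the Mozilla/Netscape SDK documents 0 for success, so confirm the failure value before relying on it. A comment such as `/* -1: tls_checkpeer not given in the config file; leave the SDK default alone */` above the `if` would also help, since `-1` carries a different meaning in the option table. sudo_ldap_read_config() begins before and continues after this hunk.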