OpenSC · frankmorgner · Dec 6, 2024 · Dec 6, 2024
diff --git a/doc/pam_pkcs11.8.in b/doc/pam_pkcs11.8.in
@@ -29,6 +29,8 @@ other applications on your system is also a good source for examples
 on how to configure a PAM service.
 .SH "FILES"
 \fI@confdir@/pam_pkcs11.conf\fP
+.br
+\fI@docdir@/pam_pkcs11.conf.example\fP
 .br 
 \fI/usr/lib/pam_pkcs11/*_mapper.so\fP
 .SH "AUTHOR"
@@ -40,7 +42,6 @@ Report bugs ideas, comments, bug\-fixes and so to:
 .I Juan Antonio Martinez <[email protected]>
 .SH "SEE ALSO"
 .BR pam (8),
-.BR pam_pkcs11.conf (5),
 PAM Systems Administrator Guide,
 .I README.mappers
 file, PAM\-PKCS#11 User Manual.
diff --git a/doc/pam_pkcs11.xml b/doc/pam_pkcs11.xml
@@ -145,7 +145,7 @@

 <para>
 <application>Pam-pkcs11</application> is a PAM (Pluggable Authentication
 Module) pluggin to allow logging into a UNIX/Linux System that supports
 PAM by mean of use Digital Certificates stored in a smart card.
 </para>

@@ -1687,7 +1687,7 @@
         uid_attribute = "uid";
         attribute_map = "<![CDATA[uid=uid&mail=email]]>", "<![CDATA[krbprincipalname=upn]]>";
         # SSL/TLS-Settings
-        ssl = tls
+        ssl = starttls
         # tls_randfile = ...
         tls_cacertfile = /etc/ssl/cacert.pem
         # tls_cacertdir = ...
@@ -1714,7 +1714,7 @@
 <varlistentry>
 <term><token>ldapport</token></term>
 <listitem>The LDAP Port on the server (default:
-389 for LDAP and LDAP-TLS and 636 for SSL)
+389 for LDAP and LDAP-TLS (STARTTLS) and 636 for LDAP-SSL (LDAPS))
 </listitem>
 </varlistentry>
 
@@ -1825,13 +1825,13 @@
 <term><token>ssl</token></term>
 <listitem>Enable or disable the usage of TLS or SSL
 	<itemizedlist>
-		<listitem><option> off </option>   TLS/SSL off(default)
+		<listitem><option> off </option>   TLS/SSL off (default)
 		</listitem>
 
-		<listitem><option> tls </option>   enable TLS 
+		<listitem><option> starttls|tls </option>   enable LDAP-TLS (STARTTLS)
 	    </listitem>
 
-		<listitem><option> on|ssl </option>   enable SSL
+		<listitem><option> ldaps|on|ssl </option>   enable LDAP-SSL (LDAPS)
 		</listitem>
 	</itemizedlist>
 </listitem>

diff --git a/src/mappers/ldap_mapper.c b/src/mappers/ldap_mapper.c
@@ -1143,10 +1143,14 @@ static int read_config(scconf_block *blk) {
 	ssltls =  scconf_get_str(blk,"ssl","off");
 	if (! strncasecmp (ssltls, "tls", 3))
 		ssl_on = SSL_START_TLS;
+	else if( ! strncasecmp (ssltls, "starttls", 3))
+		ssl_on = SSL_START_TLS;
 	else if( ! strncasecmp (ssltls, "on", 2))
 		ssl_on = SSL_LDAPS;
 	else if( ! strncasecmp (ssltls, "ssl", 3))
 		ssl_on = SSL_LDAPS;
+	else if( ! strncasecmp (ssltls, "ldaps", 3))
+		ssl_on = SSL_LDAPS;
 
 #if defined HAVE_LDAP_START_TLS_S || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
 	/* TLS specific options */