ldap: support insecure mode for Windows native LDAP

- Bypass cert verification if verifypeer is disabled.

Prior to this change libcurl lacked the ability to bypass certificate
verification for Windows native LDAP (USE_WIN32_LDAP). A comment said
"Win32 LDAP SDK does not support insecure mode without CA!" but I found
that we can bypass the check by setting a verify callback to override
Windows' internal verify check.

Closes https://github.com/curl/curl/pull/22152
This commit is contained in:
Jay Satiro 2026-06-24 01:59:05 -04:00
parent a1af38be09
commit 4ce309d968

View file

@ -251,6 +251,17 @@ static bool ldap_value_needs_base64(const char *attr, size_t attr_len,
return FALSE;
}
#ifdef USE_WIN32_LDAP
static BOOLEAN bypass_cert_verify(PLDAP Connection,
PCCERT_CONTEXT *ppServerCert)
{
(void)Connection;
CertFreeCertificateContext(*ppServerCert);
/* approve any certificate since the verification is set to bypass */
return TRUE;
}
#endif
static CURLcode ldap_do(struct Curl_easy *data, bool *done)
{
CURLcode result = CURLE_OK;
@ -340,8 +351,18 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
if(ldap_ssl) {
#ifdef HAVE_LDAP_SSL
#ifdef USE_WIN32_LDAP
/* Win32 LDAP SDK does not support insecure mode without CA! */
/* Win32 LDAP uses the Windows CA store to verify certificates */
ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
if(!conn->ssl_config.verifypeer) {
if(conn->ssl_config.verifyhost) {
failf(data, "LDAP local: host verification cannot be enabled when "
"peer verification is disabled for Windows native LDAP");
result = CURLE_NOT_BUILT_IN;
goto quit;
}
ldap_set_option(server, LDAP_OPT_SERVER_CERTIFICATE,
(void *)(uintptr_t)bypass_cert_verify);
}
#else /* !USE_WIN32_LDAP */
int ldap_option;
const char *ldap_ca = conn->ssl_config.CAfile;