arthurdejong · codinja1188 · Jan 24, 2026
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
@@ -896,6 +896,8 @@ static void handle_tls_reqcert(const char *filename, int lnr,
   log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,%s)",
           print_tls_reqcert(value));
   LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
+  if (nslcd_cfg != NULL)
+    nslcd_cfg->tls_reqcert = value;
 }
 
 #ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
@@ -908,6 +910,8 @@ static void handle_tls_reqsan(const char *filename, int lnr,
   log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_SAN,%s)",
           print_tls_reqcert(value));
   LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_SAN, &value);
+  if (nslcd_cfg != NULL)
+    nslcd_cfg->tls_reqsan = value;
 }
 #endif /* LDAP_OPT_X_TLS_REQUIRE_SAN */
 
@@ -936,6 +940,8 @@ static void handle_tls_crlcheck(const char *filename, int lnr,
   }
   log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CRLCHECK,%s)", token);
   LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CRLCHECK, &value);
+  if (nslcd_cfg != NULL)
+    nslcd_cfg->tls_crlcheck = value;
 }
 
 static const char *print_tls_crlcheck(int value)
@@ -1299,6 +1305,20 @@ static void cfg_defaults(struct ldap_config *cfg)
   cfg->reconnect_retrytime = 10;
 #ifdef LDAP_OPT_X_TLS
   cfg->ssl = SSL_OFF;
+  cfg->tls_cacertdir = NULL;
+  cfg->tls_cacertfile = NULL;
+  cfg->tls_randfile = NULL;
+  cfg->tls_ciphers = NULL;
+  cfg->tls_certfile = NULL;
+  cfg->tls_keyfile = NULL;
+  cfg->tls_crlfile = NULL;
+  cfg->tls_reqcert = LDAP_OPT_X_TLS_DEMAND;
+#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
+  cfg->tls_reqsan = LDAP_OPT_X_TLS_ALLOW;
+#endif /* LDAP_OPT_X_TLS_REQUIRE_SAN */
+#ifdef LDAP_OPT_X_TLS_CRLCHECK
+  cfg->tls_crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
+#endif /* LDAP_OPT_X_TLS_CRLCHECK */
 #endif /* LDAP_OPT_X_TLS */
   cfg->pagesize = 0;
   cfg->nss_initgroups_ignoreusers = NULL;
@@ -1592,6 +1612,9 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
       log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,\"%s\")",
               value);
       LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CACERTDIR, value);
+      if (cfg->tls_cacertdir != NULL)
+        free(cfg->tls_cacertdir);
+      cfg->tls_cacertdir = strdup(value);
       free(value);
     }
     else if ((strcasecmp(keyword, "tls_cacertfile") == 0) ||
@@ -1603,6 +1626,9 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
       log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,\"%s\")",
               value);
       LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CACERTFILE, value);
+      if (cfg->tls_cacertfile != NULL)
+        free(cfg->tls_cacertfile);
+      cfg->tls_cacertfile = strdup(value);
       free(value);
     }
     else if (strcasecmp(keyword, "tls_randfile") == 0)
@@ -1613,6 +1639,9 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
       log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE,\"%s\")",
               value);
       LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, value);
+      if (cfg->tls_randfile != NULL)
+        free(cfg->tls_randfile);
+      cfg->tls_randfile = strdup(value);
       free(value);
     }
     else if (strcasecmp(keyword, "tls_ciphers") == 0)
@@ -1621,6 +1650,9 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
       log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE,\"%s\")",
               value);
       LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, value);
+      if (cfg->tls_ciphers != NULL)
+        free(cfg->tls_ciphers);
+      cfg->tls_ciphers = strdup(value);
       free(value);
     }
     else if (strcasecmp(keyword, "tls_cert") == 0)
@@ -1631,6 +1663,9 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
       log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CERTFILE,\"%s\")",
               value);
       LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CERTFILE, value);
+      if (cfg->tls_certfile != NULL)
+        free(cfg->tls_certfile);
+      cfg->tls_certfile = strdup(value);
       free(value);
     }
     else if (strcasecmp(keyword, "tls_key") == 0)
@@ -1641,6 +1676,9 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
       log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_KEYFILE,\"%s\")",
               value);
       LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_KEYFILE, value);
+      if (cfg->tls_keyfile != NULL)
+        free(cfg->tls_keyfile);
+      cfg->tls_keyfile = strdup(value);
       free(value);
     }
     else if (strcasecmp(keyword, "tls_reqsan") == 0)
@@ -1672,6 +1710,9 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
       log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CRLFILE,\"%s\")",
               value);
       LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CRLFILE, value);
+      if (cfg->tls_crlfile != NULL)
+        free(cfg->tls_crlfile);
+      cfg->tls_crlfile = strdup(value);
       free(value);
 #else /* not LDAP_OPT_X_TLS_CRLFILE */
       log_log(LOG_ERR, "%s:%d: option %s not supported on platform",
@@ -2101,3 +2142,99 @@ void cfg_init(const char *fname)
   service_init();
   shadow_init();
 }
+
+#ifdef LDAP_OPT_X_TLS
+/* Reload TLS configuration dynamically */
+void cfg_reload_tls(void)
+{
+  int rc;
+
+  /* Check if configuration is initialized */
+  if (nslcd_cfg == NULL)
+  {
+    log_log(LOG_ERR, "cfg_reload_tls() called before cfg_init()");
+    return;
+  }
+
+  log_log(LOG_INFO, "Reloading TLS configuration");
+
+  /* Reload TLS CA certificate directory */
+  if (nslcd_cfg->tls_cacertdir != NULL)
+  {
+    log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,\"%s\")",
+            nslcd_cfg->tls_cacertdir);
+    LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CACERTDIR, nslcd_cfg->tls_cacertdir);
+  }
+
+  /* Reload TLS CA certificate file */
+  if (nslcd_cfg->tls_cacertfile != NULL)
+  {
+    log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,\"%s\")",
+            nslcd_cfg->tls_cacertfile);
+    LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CACERTFILE, nslcd_cfg->tls_cacertfile);
+  }
+
+  /* Reload TLS random file */
+  if (nslcd_cfg->tls_randfile != NULL)
+  {
+    log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE,\"%s\")",
+            nslcd_cfg->tls_randfile);
+    LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, nslcd_cfg->tls_randfile);
+  }
+
+  /* Reload TLS cipher suite */
+  if (nslcd_cfg->tls_ciphers != NULL)
+  {
+    log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE,\"%s\")",
+            nslcd_cfg->tls_ciphers);
+    LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, nslcd_cfg->tls_ciphers);
+  }
+
+  /* Reload TLS client certificate file */
+  if (nslcd_cfg->tls_certfile != NULL)
+  {
+    log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CERTFILE,\"%s\")",
+            nslcd_cfg->tls_certfile);
+    LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CERTFILE, nslcd_cfg->tls_certfile);
+  }
+
+  /* Reload TLS client key file */
+  if (nslcd_cfg->tls_keyfile != NULL)
+  {
+    log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_KEYFILE,\"%s\")",
+            nslcd_cfg->tls_keyfile);
+    LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_KEYFILE, nslcd_cfg->tls_keyfile);
+  }
+
+  /* Reload TLS certificate requirement */
+  log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,%s)",
+          print_tls_reqcert(nslcd_cfg->tls_reqcert));
+  LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &nslcd_cfg->tls_reqcert);
+
+#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
+  /* Reload TLS SAN requirement */
+  log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_SAN,%s)",
+          print_tls_reqcert(nslcd_cfg->tls_reqsan));
+  LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_SAN, &nslcd_cfg->tls_reqsan);
+#endif /* LDAP_OPT_X_TLS_REQUIRE_SAN */
+
+#ifdef LDAP_OPT_X_TLS_CRLCHECK
+  /* Reload TLS CRL check mode */
+  log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CRLCHECK,%s)",
+          print_tls_crlcheck(nslcd_cfg->tls_crlcheck));
+  LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CRLCHECK, &nslcd_cfg->tls_crlcheck);
+#endif /* LDAP_OPT_X_TLS_CRLCHECK */
+
+#ifdef LDAP_OPT_X_TLS_CRLFILE
+  /* Reload TLS CRL file */
+  if (nslcd_cfg->tls_crlfile != NULL)
+  {
+    log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CRLFILE,\"%s\")",
+            nslcd_cfg->tls_crlfile);
+    LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CRLFILE, nslcd_cfg->tls_crlfile);
+  }
+#endif /* LDAP_OPT_X_TLS_CRLFILE */
+
+  log_log(LOG_INFO, "TLS configuration reloaded successfully");
+}
+#endif /* LDAP_OPT_X_TLS */
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
@@ -119,6 +119,21 @@ struct ldap_config {
 #ifdef LDAP_OPT_X_TLS
   /* SSL enabled */
   enum ldap_ssl_options ssl;
+  /* TLS configuration options for dynamic reload */
+  char *tls_cacertdir;  /* CA certificate directory */
+  char *tls_cacertfile; /* CA certificate file */
+  char *tls_randfile;   /* random file for TLS */
+  char *tls_ciphers;    /* cipher suite */
+  char *tls_certfile;   /* client certificate file */
+  char *tls_keyfile;    /* client key file */
+  char *tls_crlfile;    /* CRL file */
+  int tls_reqcert;      /* certificate verification requirement */
+#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
+  int tls_reqsan;       /* SAN verification requirement */
+#endif /* LDAP_OPT_X_TLS_REQUIRE_SAN */
+#ifdef LDAP_OPT_X_TLS_CRLCHECK
+  int tls_crlcheck;     /* CRL check mode */
+#endif /* LDAP_OPT_X_TLS_CRLCHECK */
 #endif /* LDAP_OPT_X_TLS */
 
   int pagesize; /* set to a greater than 0 to enable handling of paged results with the specified size */
@@ -149,4 +164,7 @@ extern struct ldap_config *nslcd_cfg;
    default configuration file and call exit() if an error occurs. */
 void cfg_init(const char *fname);
 
+/* Reload TLS configuration dynamically from the same configuration file. */
+void cfg_reload_tls(void);
+
 #endif /* NSLCD__CFG_H */
diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
@@ -890,7 +890,7 @@ int main(int argc, char *argv[])
   /* enable receiving of signals */
   pthread_sigmask(SIG_SETMASK, &oldmask, NULL);
   /* wait until we received a signal */
-  while ((nslcd_receivedsignal == 0) || (nslcd_receivedsignal == SIGUSR1))
+  while ((nslcd_receivedsignal == 0) || (nslcd_receivedsignal == SIGUSR1) || (nslcd_receivedsignal == SIGHUP))
   {
     sleep(INT_MAX); /* sleep as long as we can or until we receive a signal */
     if (nslcd_receivedsignal == SIGUSR1)
@@ -900,6 +900,15 @@ int main(int argc, char *argv[])
       myldap_immediate_reconnect();
       nslcd_receivedsignal = 0;
     }
+    else if (nslcd_receivedsignal == SIGHUP)
+    {
+      log_log(LOG_INFO, "caught signal %s (%d), reloading TLS configuration",
+              signame(nslcd_receivedsignal), nslcd_receivedsignal);
+#ifdef LDAP_OPT_X_TLS
+      cfg_reload_tls();
+#endif /* LDAP_OPT_X_TLS */
+      nslcd_receivedsignal = 0;
+    }
   }
   /* print something about received signal */
   log_log(LOG_INFO, "caught signal %s (%d), shutting down",