pam_ldaphome: provide an option to specify CA certificate file for TLS

* pam_ldaphome/pam_ldaphome.c (ldap_connect): New option tls-cacert
* doc/pam-modules.texi: Document tls-cacert
* doc/pam_ldaphome.8in: Likewise.

doc/pam-modules.texi

@@ -1246,6 +1246,10 @@ mandatory, and the module will not establish LDAP connection unless
 @samp{StartTLS} succeeds.
 @end deffn
 
+@deffn {pam_ldaphome config} tls-cacert @var{val}
+Full pathname to the CA certificate file.  Used if TLS is enabled.
+@end deffn
+
 @deffn {pam_ldaphome config} min-uid @var{n}
 Sets the minimal UID.  For users with UIDs less than @var{n},
 @command{pam_ldaphome} returns PAM_SUCCESS immediately.  This allows

doc/pam_ldaphome.8in

@@ -14,7 +14,7 @@
 .\" You should have received a copy of the GNU General Public License
 .\" along with PAM-Modules.  If not, see <http://www.gnu.org/licenses/>.
 .so config.so
-.TH PAM_LDAPHOME 8 "May 21, 2014" "PAM-MODULES" "Pam-Modules User Reference"
+.TH PAM_LDAPHOME 8 "July 24, 2014" "PAM-MODULES" "Pam-Modules User Reference"
 .SH NAME
 pam_ldaphome \- create and populate user home directories
 .SH SYNOPSIS
@@ -84,6 +84,9 @@ anyway if it fails.  Finally, if \fIVAL\fR is the word \fBonly\fR, the
 use of TLS becomes mandatory, and the module will not establish LDAP
 connection unless \fIStartTLS\fR succeeds.
 .TP
+.BI tls-cacert " VAL"
+Full pathname to the CA certificate file.  Used if TLS is enabled.
+.TP
 .BI uri " ARG"
 Sets the URI of the LDAP server to consult for the user profile.
 .SS Home directory creation

pam_ldaphome/pam_ldaphome.c

@@ -406,6 +406,21 @@ ldap_connect(struct gray_env *env)
 				}
 				/* try to continue anyway */
 			}
+
+			val = gray_env_get(env, "tls-cacert");
+			if (val) {
+				rc = ldap_set_option(ld,
+						     LDAP_OPT_X_TLS_CACERTFILE,
+						     val);
+				if (rc != LDAP_SUCCESS) {
+					_pam_log(LOG_ERR,
+						 "setting of LDAP_OPT_X_TLS_CACERTFILE failed");
+					if (tls == tls_only) {
+						ldap_unbind(ld);
+						return NULL;
+					}
+				}
+			}
 		}
 	}