Mike wrote:
Thanks for the info, Anton.  Do you think I need to redo all 3 init
steps after the NSS_Shutdown (ldapssl_clientauth_init, ldapssl_init,
and ldapssl_enable_clientauth)?

You might try mozilla.dev.tech.crypto to see how to do this in general with NSS.

I tried this approach and got a core
dump in the ldapssl_enable_clientauth call:

pstack core.ldapUtil_ut
core 'core.ldapUtil_ut' ...
--------------- lwp# 1 / thread# 1 ---------------
fda222e8 PK11_FindCertFromNickname (cfe08, 0, 0, fd841ce4, 222d8, 13b9c) + 8c
fdac3858 get_keyandcert(c36f8, ffbe9d7c, ffbe9d84, 222d8, 0) + 18
fdac3954 check_client_auth_nickname_and_passwd (f88b0, c36f8, ffbe9e10, cb4b8, cb4b8, c3058) + 20
fdac3498 ldapssl_enable_clientauth (f88b0, c0725, c0726, cb4b8, cd030, fdb201, f4) + e0

I tried putting a check around this call so it doesn't get called again
after NSS_Shutdown, but then the second sasl_bind cored.  I've been
digging through NSS code to try and see what's going on, but was hoping
someone might see this and have more insight.

Mike

Anton Bobrov wrote:
Mike, I just asked our NSS folks here and this is what I got, quote:

"You can only have one writer process with no readers, or multiple
readers with no writer."

So what that essentially means for you is that you cannot modify the
secdb on the fly and have to prevent that from happening by any means
necessary. From your LDAP-enabled app I would suggest calling NSS's
own NSS_Shutdown(), then making whatever changes you need to make to
the secdb, then calling the ldapssl* init functions again, which will
trigger NSS_Init/ialize() further down the line, and your LDAP app has
an up-to-date secdb then.

Also I've been told that the NSS folks are at work on improving secdb
sharing features, so when they deliver something we will certainly try
to take those features on board [ if they are not transparent by
default ].

Mike wrote:
I'm wondering if it's possible to re-read certificates after I have
initialized my connection and performed the sasl bind?  Right now, for
example, our C SDK does the following:

static LDAP *ld;        /* connection handle returned by ldapssl_init() */
static int connected;   /* set once the one-time SSL/NSS setup has run */

void connectToServer()
{
  if(!connected)
  {
    /* one-time setup: open the NSS cert/key DB, create the SSL-enabled
       handle, and register the client-auth cert/key by nickname */
    ldapssl_clientauth_init(...);
    ld = ldapssl_init(...);
    ldapssl_enable_clientauth(...);

    /* let the SDK transparently reconnect the same handle */
    ldap_set_option(ld, LDAP_OPT_RECONNECT, LDAP_OPT_ON);

    connected = true;
  }
  /* the bind is redone on every call; the setup above is not */
  ldap_sasl_bind_s(...);
}

We then check the return from every API call for LDAP_SERVER_DOWN and
LDAP_CONNECT_ERROR to see if we need to call this connectToServer
method again (and thus only redo the sasl bind).  Just as a test I
moved the connected flag logic ONLY around the ldapssl_init -- so it
never gets called twice -- and re-generated my certificate while the
software was running.  The software detected this and when it tried to
call ldapssl_enable_clientauth again, it failed with error code -1.

Is what I'm trying to do possible, and do I need to take the approach
of turning off the RECONNECT option and just creating a new ldap
connection object each time?  We tried this before but had a handful of
apps coring, so if possible I'd like to stay away from this approach.

Thanks for any help,

Mike

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
