The release (2.3.x) version of OpenLDAP does not support
per-connection TLS settings, which apr-util will try to set if
requested (manifests as bad RC from ldap_set_option when ldap!=null)

In the alpha release (2.4.x), OpenLDAP does allow you to set
per-connection TLS settings but requires that you ask for a new
(openssl) TLS context by setting the LDAP_OPT_X_TLS_NEWCTX ldap option
to make them active.

As an additional complication, requesting a new TLS context likely
doesn't work until the next alpha OpenLDAP is released (the broken
behavior of the released alphas is not accounted for in the patch)
see:
http://www.openldap.org/its/index.cgi?findid=4726

Possibly more background at this [EMAIL PROTECTED] discussion:
http://mail-archives.apache.org/mod_mbox/httpd-dev/200610.mbox/[EMAIL PROTECTED]

apr-util patch attached that lets apr-util attempt to set
per-connection TLS settings with openldap when the
LDAP_OPT_X_TLS_NEWCTX was available at build time, and otherwise
bails out informatively (in the same fashion as Novell).

--
Eric Covener
[EMAIL PROTECTED]
Index: ldap/apr_ldap_option.c
===================================================================
--- ldap/apr_ldap_option.c	(revision 469464)
+++ ldap/apr_ldap_option.c	(working copy)
@@ -531,6 +531,15 @@
     /* OpenLDAP SDK */
 #if APR_HAS_OPENLDAP_LDAPSDK
 #ifdef LDAP_OPT_X_TLS_CACERTFILE
+#ifndef LDAP_OPT_X_TLS_NEWCTX 
+    if (ldap) {
+        result->reason = "LDAP: The OpenLDAP SDK cannot support the setting "
+                         "of certificates or keys on a per connection basis.";
+        result->rc = -1;
+        return; 
+    }
+#endif
+
     /* set one or more certificates */
     /* FIXME: make it support setting directories as well as files */
     for (i = 0; i < certs->nelts; i++) {
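Review bot: the early return in the new `#ifndef LDAP_OPT_X_TLS_NEWCTX` block sets `result->reason` and `result->rc = -1` but never touches `result->msg`, while the other paths in this function fill `msg` from `ldap_err2string`; set `result->msg` here as well (or clear it) so a caller that prints `msg` does not see a stale value from an earlier call. Also trim the trailing whitespace after `#ifndef LDAP_OPT_X_TLS_NEWCTX` and after `return;`.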
@@ -561,6 +570,15 @@
             break;
         }
     }
+    /*  Certificate settings are now configured, but we also need a new
+     *  TLS context to be created.
+     */
+    if (ldap && (result->rc == LDAP_SUCCESS)) {
+        int IS_SERVER = 0;
+        result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_NEWCTX, &IS_SERVER);
+        result->msg = ldap_err2string(result->rc);
+    }
+
 #else
     result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
                      "defined by this OpenLDAP SDK. Certificate "
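Review bot: the `ldap_set_option(ldap, LDAP_OPT_X_TLS_NEWCTX, &IS_SERVER)` call is not itself wrapped in `#ifdef LDAP_OPT_X_TLS_NEWCTX`, so against a 2.3.x SDK where the macro is undefined this block will fail to compile; the `#ifndef` guard in the first hunk only returns at run time and does not remove this reference. Wrap the new block in `#ifdef LDAP_OPT_X_TLS_NEWCTX` / `#endif`. When the call fails, `result->reason` is also left unset, so the caller gets only the raw `ldap_err2string` text; the other failure paths in this function set a reason, and this one should too. Minor: `IS_SERVER` reads as a macro; a lowercase local such as `is_server` matches the surrounding style.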
