Here is the LDAP cert validation code.  I do not know if this belongs in
the core distribution of OpenSSL or not, but if people think that is the
place for it to go, feel free.  Otherwise I'll probably just put it up for
download from one of Aventail's web servers and just have mod_ssl reference 
it as an external library.

There is sample code for its use in openssl-glue.c - you pass in an `X509
*' and an LDAP handle and it does the rest.

So, a sample usage would be:

#1) In your initialize code, get your LDAP config variables from wherever
    you want to keep them, and do:

static void __log_cert_message(int level,const char *msg);

struct av_ldap_config cfg;

memset(&cfg,'\0',sizeof(cfg));

cfg.avlc_enabled = 1;
cfg.avlc_timeout = 60;
cfg.avlc_server = ldapHost; /* LDAP server to use */
cfg.avlc_bind_dn = ldapDN;  /* DN to bind to the LDAP server as */
cfg.avlc_bind_pwd = ldapPassword; /* password to use */
cfg.avlc_base = ldapBase; /* Search base */
cfg.avlc_mappings = ldapAttributes; /* Attribute mappings */
cfg.avlc_cert_attr = ldapCertAttr; /* where user certs live */
cfg.avlc_log_function = __log_cert_message; /* log message */

#2) In your callback for cert validation, do:

/* I only check the user certificate via LDAP - the roots are still done
** the old way.
*/

if (!errdepth)
{
        if (ldap_verify_openssl_certificate(X509_STORE_CTX_get_current_cert(ctx),ldap_handle))
        {
                ok = FALSE; /* nonzero return = cert did not match the directory */
        }
        else
        {
                ok = TRUE;
        }
}

No makefile included.  Just needs ldap.h and the OpenSSL header files
though.  This should work under Windows and Unix with no problems.

-Bill P.
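Added example, not part of Bill's post or the attached library: the step 2 callback logic above, modelled in plain C so it runs without OpenSSL or an LDAP server. A constructed in-memory table stands in for the directory search that ldap_verify_openssl_certificate() performs (that function is in the attachment and is not reproduced here); the one deliberate difference from the post is that the leaf check is combined with the preverify result rather than overwriting it, and a disabled or failed lookup fails closed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the LDAP user-cert attribute (avlc_cert_attr):
 * one entry per user, keyed by DN, holding the DER bytes of the cert. */
struct dir_entry { const char *dn; const unsigned char *der; size_t len; };

enum { DIR_MATCH = 0, DIR_NO_MATCH = 1, DIR_ERROR = -1 };

/* Same return convention as ldap_verify_openssl_certificate() in the post:
 * zero on a match, nonzero when the presented cert differs from the copy
 * in the directory or when the lookup itself is unavailable. */
static int dir_verify_cert(const struct dir_entry *dir, size_t n, int dir_enabled,
                           const char *subject_dn, const unsigned char *der, size_t len)
{
    if (!dir_enabled) return DIR_ERROR;   /* avlc_enabled == 0: no answer, not "ok" */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(dir[i].dn, subject_dn) != 0) continue;
        if (dir[i].len != len) return DIR_NO_MATCH;
        return memcmp(dir[i].der, der, len) == 0 ? DIR_MATCH : DIR_NO_MATCH;
    }
    return DIR_NO_MATCH;                  /* user has no cert on file */
}

/* Shape of the step 2 callback: only the user cert (errdepth 0) is checked
 * against the directory, CAs keep the stock chain verification. Returns 1
 * when the handshake may proceed, 0 when it must fail. */
static int leaf_verify_callback(int preverify_ok, int errdepth,
                                const struct dir_entry *dir, size_t n, int dir_enabled,
                                const char *subject_dn, const unsigned char *der, size_t len)
{
    if (errdepth != 0) return preverify_ok;  /* roots "done the old way" */
    if (!preverify_ok) return 0;             /* expired/bad signature stays fatal */
    return dir_verify_cert(dir, n, dir_enabled, subject_dn, der, len) == DIR_MATCH;
}

/* Constructed sample data: a few DER-looking bytes are enough for the model. */
static const unsigned char alice_der[]  = {0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x01};
static const unsigned char forged_der[] = {0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x02};
static const struct dir_entry sample_dir[] = {
    { "CN=alice,O=Example", alice_der, sizeof alice_der },
};
#define SAMPLE_DIR_N (sizeof sample_dir / sizeof sample_dir[0])
```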

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]