[EMAIL PROTECTED] (William M. Perry) writes:

> Here is the LDAP cert validation code.  I do not know if this belongs in
> the core distribution of OpenSSL or not, but if people think that is the
> place for it to go, feel free.  Otherwise I'll probably just put it up for
> download from one of Aventail's web servers and just have mod_ssl reference 
> it as an external library.
> 
> There is sample code for its use in openssl-glue.c - you pass in an `X509
> *' and an LDAP handle and it does the rest.
> 
> So, a sample usage would be:
> 
> #1) In your initialization code, get your LDAP config variables from wherever
>     you want to keep them, and do:
> 
> static void __log_cert_message(int level,const char *msg);
> 
> struct av_ldap_config cfg;
> 
> memset(&cfg,'\0',sizeof(cfg));
> 
> cfg.avlc_enabled = 1;
> cfg.avlc_timeout = 60;
> cfg.avlc_server = ldapHost; /* LDAP server to use */
> cfg.avlc_bind_dn = ldapDN;  /* DN to bind to the LDAP server as */
> cfg.avlc_bind_pwd = ldapPassword; /* password to use */
> cfg.avlc_base = ldapBase; /* Search base */
> cfg.avlc_mappings = ldapAttributes; /* Attribute mappings */
> cfg.avlc_cert_attr = ldapCertAttr; /* where user certs live */
> cfg.avlc_log_function = __log_cert_message; /* log message */
> 
> #2) In your callback for cert validation, do:
> 
> /* I only check the user certificate via LDAP - the roots are still done
> ** the old way.
> */
> 
> if (!errdepth)
> {
>         if (ldap_verify_openssl_certificate(X509_STORE_CTX_get_current_cert(ctx), ldap_handle))
>         {
>                 ok = FALSE;
>         }
>         else
>         {
>                 ok = TRUE;
>         }
> }
> 
> No makefile included.  Just needs ldap.h and the OpenSSL header files
> though.  This should work under windows and unix with no problems.

Urk, sorry about that.   Gnus didn't actually attach the file.  Let's try
this one more time.

-Bill P.

ldap-cert.tar.gz
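Added example, not code from the post above or from Aventail's library: a dependency-free C model of the depth-0 directory check the quoted callback performs. The X509 object and LDAP handle are stood in for by a subject DN, a fingerprint string and a constructed lookup table (all hypothetical names), and the decision combines the directory result with OpenSSL's own preverify verdict instead of replacing it, failing closed on an unknown subject or a directory error.

```c
#include <string.h>

/* Model of a mod_ssl-style verify callback that consults a directory for the
 * user certificate only (depth 0), as in the quoted sample.  No OpenSSL or
 * LDAP dependency: the X509 object is stood in for by its subject DN plus a
 * fingerprint string, and the LDAP query by a small constructed table. */

enum dir_status { DIR_MATCH, DIR_MISMATCH, DIR_NOT_FOUND, DIR_ERROR };

struct dir_entry { const char *subject_dn; const char *fingerprint; };

/* Constructed stand-in for the user-certificate attribute (avlc_cert_attr). */
static const struct dir_entry directory[] = {
    { "cn=alice,ou=people,dc=example,dc=com", "AA:BB:CC:01" },
    { "cn=bob,ou=people,dc=example,dc=com",   "AA:BB:CC:02" },
};

/* Hypothetical stand-in for ldap_verify_openssl_certificate(): find the
 * subject and compare the stored certificate with the presented one.  A NULL
 * argument models a failed or timed-out query (avlc_timeout expired). */
static enum dir_status directory_lookup(const char *subject_dn,
                                        const char *fingerprint)
{
    size_t i;
    if (subject_dn == NULL || fingerprint == NULL)
        return DIR_ERROR;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        if (strcmp(directory[i].subject_dn, subject_dn) == 0)
            return strcmp(directory[i].fingerprint, fingerprint) == 0
                       ? DIR_MATCH : DIR_MISMATCH;
    }
    return DIR_NOT_FOUND;
}

/* The callback's decision.  preverify_ok is OpenSSL's own verdict for this
 * chain element, errdepth its depth (0 = user certificate).
 * Returns 1 to accept the element, 0 to reject it. */
static int verify_decision(int preverify_ok, int errdepth,
                           const char *subject_dn, const char *fingerprint)
{
    /* Roots and intermediates are still done the old way: keep OpenSSL's verdict. */
    if (errdepth != 0)
        return preverify_ok;
    /* A user certificate that already failed chain validation (expired, bad
     * signature, ...) is not rescued by a directory match. */
    if (!preverify_ok)
        return 0;
    /* Fail closed on an unknown subject, a mismatch, or a directory error. */
    return directory_lookup(subject_dn, fingerprint) == DIR_MATCH;
}
```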
