Re: Problem with ldap table lookups and TLS

Tue, 03 Mar 2009 16:31:12 -0800 

Victor Duchovni:
> With OpenLDAP 2.4 it is possible to set the TLS properties for
> a particular LDAP connection (not just global properties), and to
> associate a new OpenLDAP managed TLS context for the connection via the
> new "LDAP_OPT_X_TLS_NEWCTX" option.
> 
> Try this completely untested patch (it may not even compile, but it
> looks promising):

Is this the version that is ready, or have there been furth changes?

        Wietse

> Index: src/global/dict_ldap.c
> --- src/global/dict_ldap.c    28 Jan 2008 04:29:48 -0000      1.1.1.2
> +++ src/global/dict_ldap.c    26 Feb 2009 00:04:18 -0000
> @@ -484,10 +484,16 @@
>  {
>      const char *myname = "dict_ldap_set_tls_options";
>      int     rc;
> +#ifdef LDAP_OPT_X_TLS_NEWCTX
> +    int     am_server = 0;
> +    LDAP   *ld = dict_ldap->ld;
> +#else
> +    LDAP   *ld = 0;
> +#endif
>  
>      if (dict_ldap->start_tls || dict_ldap->ldap_ssl) {
>       if (*dict_ldap->tls_random_file) {
> -         if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
> +         if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE,
>                              dict_ldap->tls_random_file)) != LDAP_SUCCESS) {
>               msg_warn("%s: Unable to set tls_random_file to %s: %d: %s",
>                        myname, dict_ldap->tls_random_file,
> @@ -496,7 +502,7 @@
>           }
>       }
>       if (*dict_ldap->tls_ca_cert_file) {
> -         if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
> +         if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
>                             dict_ldap->tls_ca_cert_file)) != LDAP_SUCCESS) {
>               msg_warn("%s: Unable to set tls_ca_cert_file to %s: %d: %s",
>                        myname, dict_ldap->tls_ca_cert_file,
> @@ -505,7 +511,7 @@
>           }
>       }
>       if (*dict_ldap->tls_ca_cert_dir) {
> -         if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,
> +         if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR,
>                              dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS) {
>               msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
>                        myname, dict_ldap->tls_ca_cert_dir,
> @@ -514,7 +520,7 @@
>           }
>       }
>       if (*dict_ldap->tls_cert) {
> -         if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
> +         if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE,
>                                     dict_ldap->tls_cert)) != LDAP_SUCCESS) {
>               msg_warn("%s: Unable to set tls_cert to %s: %d: %s",
>                        myname, dict_ldap->tls_cert,
> @@ -523,7 +529,7 @@
>           }
>       }
>       if (*dict_ldap->tls_key) {
> -         if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
> +         if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE,
>                                     dict_ldap->tls_key)) != LDAP_SUCCESS) {
>               msg_warn("%s: Unable to set tls_key to %s: %d: %s",
>                        myname, dict_ldap->tls_key,
> @@ -532,7 +538,7 @@
>           }
>       }
>       if (*dict_ldap->tls_cipher_suite) {
> -         if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
> +         if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
>                             dict_ldap->tls_cipher_suite)) != LDAP_SUCCESS) {
>               msg_warn("%s: Unable to set tls_cipher_suite to %s: %d: %s",
>                        myname, dict_ldap->tls_cipher_suite,
> @@ -540,13 +546,21 @@
>               return (-1);
>           }
>       }
> -     if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
> +     if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
>                      &(dict_ldap->tls_require_cert))) != LDAP_SUCCESS) {
>           msg_warn("%s: Unable to set tls_require_cert to %d: %d: %s",
>                    myname, dict_ldap->tls_require_cert,
>                    rc, ldap_err2string(rc));
>           return (-1);
>       }
> +#ifdef LDAP_OPT_X_TLS_NEWCTX
> +     if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &am_server))
> +         != LDAP_SUCCESS) {
> +         msg_warn("%s: Unable to allocate new TLS context %d: %s",
> +                  myname, rc, ldap_err2string(rc));
> +         return (-1);
> +     }
> +#endif
>      }
>      return (0);
>  }
> @@ -592,10 +606,6 @@
>  
>  #ifdef LDAP_OPT_NETWORK_TIMEOUT
>  #ifdef LDAP_API_FEATURE_X_OPENLDAP
> -    if (dict_ldap_set_tls_options(dict_ldap) != 0) {
> -     dict_errno = DICT_ERR_RETRY;
> -     return (-1);
> -    }
>      ldap_initialize(&(dict_ldap->ld), dict_ldap->server_host);
>  #else
>      dict_ldap->ld = ldap_init(dict_ldap->server_host,
> @@ -700,6 +710,8 @@
>  #endif
>  
>  #ifdef LDAP_API_FEATURE_X_OPENLDAP
> +    if (dict_ldap_set_tls_options(dict_ldap) != 0)
> +     DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
>      if (dict_ldap->start_tls) {
>       if ((saved_alarm = signal(SIGALRM, dict_ldap_timeout)) == SIG_ERR) {
>           msg_warn("%s: Error setting signal handler for STARTTLS timeout: 
> %m",
> 
> -- 
>       Viktor.
> 
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
> 
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:[email protected]?body=unsubscribe%20postfix-users>
> 
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
> 
>

Reply via email to