Re: Problem with ldap table lookups and TLS

Tue, 03 Mar 2009 16:55:48 -0800 

On Tue, Mar 03, 2009 at 07:30:39PM -0500, Wietse Venema wrote:

> Victor Duchovni:
> > With OpenLDAP 2.4 it is possible to set the TLS properties for
> > a particular LDAP connection (not just global properties), and to
> > associate a new OpenLDAP managed TLS context for the connection via the
> > new "LDAP_OPT_X_TLS_NEWCTX" option.
> > 
> > Try this completely untested patch (it may not even compile, but it
> > looks promising):
> 
> Is this the version that is ready, or have there been furth changes?
> 

No changes. It worked as originally posted.

> > Index: src/global/dict_ldap.c
> > --- src/global/dict_ldap.c  28 Jan 2008 04:29:48 -0000      1.1.1.2
> > +++ src/global/dict_ldap.c  26 Feb 2009 00:04:18 -0000
> > @@ -484,10 +484,16 @@
> >  {
> >      const char *myname = "dict_ldap_set_tls_options";
> >      int     rc;
> > +#ifdef LDAP_OPT_X_TLS_NEWCTX
> > +    int     am_server = 0;
> > +    LDAP   *ld = dict_ldap->ld;
> > +#else
> > +    LDAP   *ld = 0;
> > +#endif
> >  
> >      if (dict_ldap->start_tls || dict_ldap->ldap_ssl) {
> >     if (*dict_ldap->tls_random_file) {
> > -       if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
> > +       if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE,
> >                            dict_ldap->tls_random_file)) != LDAP_SUCCESS) {
> >             msg_warn("%s: Unable to set tls_random_file to %s: %d: %s",
> >                      myname, dict_ldap->tls_random_file,
> > @@ -496,7 +502,7 @@
> >         }
> >     }
> >     if (*dict_ldap->tls_ca_cert_file) {
> > -       if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
> > +       if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
> >                           dict_ldap->tls_ca_cert_file)) != LDAP_SUCCESS) {
> >             msg_warn("%s: Unable to set tls_ca_cert_file to %s: %d: %s",
> >                      myname, dict_ldap->tls_ca_cert_file,
> > @@ -505,7 +511,7 @@
> >         }
> >     }
> >     if (*dict_ldap->tls_ca_cert_dir) {
> > -       if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,
> > +       if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR,
> >                            dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS) {
> >             msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
> >                      myname, dict_ldap->tls_ca_cert_dir,
> > @@ -514,7 +520,7 @@
> >         }
> >     }
> >     if (*dict_ldap->tls_cert) {
> > -       if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
> > +       if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE,
> >                                   dict_ldap->tls_cert)) != LDAP_SUCCESS) {
> >             msg_warn("%s: Unable to set tls_cert to %s: %d: %s",
> >                      myname, dict_ldap->tls_cert,
> > @@ -523,7 +529,7 @@
> >         }
> >     }
> >     if (*dict_ldap->tls_key) {
> > -       if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
> > +       if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE,
> >                                   dict_ldap->tls_key)) != LDAP_SUCCESS) {
> >             msg_warn("%s: Unable to set tls_key to %s: %d: %s",
> >                      myname, dict_ldap->tls_key,
> > @@ -532,7 +538,7 @@
> >         }
> >     }
> >     if (*dict_ldap->tls_cipher_suite) {
> > -       if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
> > +       if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
> >                           dict_ldap->tls_cipher_suite)) != LDAP_SUCCESS) {
> >             msg_warn("%s: Unable to set tls_cipher_suite to %s: %d: %s",
> >                      myname, dict_ldap->tls_cipher_suite,
> > @@ -540,13 +546,21 @@
> >             return (-1);
> >         }
> >     }
> > -   if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
> >                    &(dict_ldap->tls_require_cert))) != LDAP_SUCCESS) {
> >         msg_warn("%s: Unable to set tls_require_cert to %d: %d: %s",
> >                  myname, dict_ldap->tls_require_cert,
> >                  rc, ldap_err2string(rc));
> >         return (-1);
> >     }
> > +#ifdef LDAP_OPT_X_TLS_NEWCTX
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &am_server))
> > +       != LDAP_SUCCESS) {
> > +       msg_warn("%s: Unable to allocate new TLS context %d: %s",
> > +                myname, rc, ldap_err2string(rc));
> > +       return (-1);
> > +   }
> > +#endif
> >      }
> >      return (0);
> >  }
> > @@ -592,10 +606,6 @@
> >  
> >  #ifdef LDAP_OPT_NETWORK_TIMEOUT
> >  #ifdef LDAP_API_FEATURE_X_OPENLDAP
> > -    if (dict_ldap_set_tls_options(dict_ldap) != 0) {
> > -   dict_errno = DICT_ERR_RETRY;
> > -   return (-1);
> > -    }
> >      ldap_initialize(&(dict_ldap->ld), dict_ldap->server_host);
> >  #else
> >      dict_ldap->ld = ldap_init(dict_ldap->server_host,
> > @@ -700,6 +710,8 @@
> >  #endif
> >  
> >  #ifdef LDAP_API_FEATURE_X_OPENLDAP
> > +    if (dict_ldap_set_tls_options(dict_ldap) != 0)
> > +   DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
> >      if (dict_ldap->start_tls) {
> >     if ((saved_alarm = signal(SIGALRM, dict_ldap_timeout)) == SIG_ERR) {
> >         msg_warn("%s: Error setting signal handler for STARTTLS timeout: 
> > %m",

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[email protected]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Reply via email to