Posted to commits@apr.apache.org by co...@apache.org on 2010/02/24 04:31:18 UTC

svn commit: r915649 - in /apr/apr/trunk: CHANGES ldap/apr_ldap_option.c

Author: covener
Date: Wed Feb 24 03:31:18 2010
New Revision: 915649

URL: http://svn.apache.org/viewvc?rev=915649&view=rev
Log:
When an individual LDAP connection is to have a different SSL environment
than the global (ldap == NULL) options, we have to tell openldap via
LDAP_OPT_X_TLS_NEWCTX.


Modified:
    apr/apr/trunk/CHANGES
    apr/apr/trunk/ldap/apr_ldap_option.c

Modified: apr/apr/trunk/CHANGES
URL: http://svn.apache.org/viewvc/apr/apr/trunk/CHANGES?rev=915649&r1=915648&r2=915649&view=diff
==============================================================================
--- apr/apr/trunk/CHANGES [utf-8] (original)
+++ apr/apr/trunk/CHANGES [utf-8] Wed Feb 24 03:31:18 2010
@@ -1,6 +1,9 @@
                                                      -*- coding: utf-8 -*-
 Changes for APR 2.0.0
 
+  *) Enable per-connection LDAP client certificates for
+     openldap by requesting a new SSL context. [Eric Covener]
+
   *) Support connecttimeout, readtimeout and writetimeout MySQL options
      PR 48251 [Marko Kevac <marko kevac.org>]
 

Modified: apr/apr/trunk/ldap/apr_ldap_option.c
URL: http://svn.apache.org/viewvc/apr/apr/trunk/ldap/apr_ldap_option.c?rev=915649&r1=915648&r2=915649&view=diff
==============================================================================
--- apr/apr/trunk/ldap/apr_ldap_option.c (original)
+++ apr/apr/trunk/ldap/apr_ldap_option.c Wed Feb 24 03:31:18 2010
@@ -578,6 +578,15 @@
     /* OpenLDAP SDK */
 #if APR_HAS_OPENLDAP_LDAPSDK
 #ifdef LDAP_OPT_X_TLS_CACERTFILE
+#ifndef LDAP_OPT_X_TLS_NEWCTX 
+    if (ldap) {
+        result->reason = "LDAP: The OpenLDAP SDK cannot support the setting "
+                         "of certificates or keys on a per connection basis.";
+        result->rc = -1;
+        return; 
+    }
+#endif
+
     /* set one or more certificates */
     /* FIXME: make it support setting directories as well as files */
     for (i = 0; i < certs->nelts; i++) {
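Review bot: The new `#ifndef LDAP_OPT_X_TLS_NEWCTX` block at the top of the hunk has no comment saying why a missing NEWCTX option makes per-connection certificates unsupported, which a reader of this `#if`/`#ifdef` nest will need; the log message gives the reason, so a comment such as `/* Without LDAP_OPT_X_TLS_NEWCTX the certificate options set on this handle cannot be turned into a fresh TLS context, so refuse rather than let the connection silently run with the global settings. */` would capture it (the fallback wording is inferred from the log; confirm against the SDK before committing it). The lines `#ifndef LDAP_OPT_X_TLS_NEWCTX ` and `return; ` carry trailing whitespace. The early return sets `result->reason` and `result->rc` but leaves `result->msg` untouched, so if callers print `msg` together with `reason` on failure it may want the same treatment as the function's other error paths. The enclosing function starts before this hunk and continues past it.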
@@ -615,6 +624,15 @@
             break;
         }
     }
+    /*  Certificate settings are now configured, but we also need a new
+     *  TLS context to be created.  This applies to both gnuTLS and openssl
+     */
+    if (ldap && (result->rc == LDAP_SUCCESS)) {
+        int IS_SERVER = 0;
+        result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_NEWCTX, &IS_SERVER);
+        result->msg = ldap_err2string(result->rc);
+    }
+
 #else
     result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
                      "defined by this OpenLDAP SDK. Certificate "