summaryrefslogtreecommitdiff
path: root/modules/ldap/util_ldap.c
diff options
context:
space:
mode:
Diffstat (limited to 'modules/ldap/util_ldap.c')
-rw-r--r--modules/ldap/util_ldap.c170
1 files changed, 101 insertions, 69 deletions
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index 4b19aaae58..e4b9d6fcd0 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -38,8 +38,17 @@
#include <unistd.h>
#endif
-#if !AP_HAS_LDAP
-#error mod_ldap requires httpd to detect LDAP support
+#if !APR_HAS_LDAP
+#error mod_ldap requires APR-util to have LDAP support built in
+#endif
+
+/* Default define for ldap functions that need a SIZELIMIT but
+ * do not have the define
+ * XXX This should be removed once a supporting #define is
+ * released through APR-Util.
+ */
+#ifndef APR_LDAP_SIZELIMIT
+#define APR_LDAP_SIZELIMIT -1
#endif
#ifdef LDAP_OPT_DEBUG_LEVEL
@@ -172,7 +181,7 @@ static apr_status_t uldap_connection_unbind(void *param)
/* forget the rebind info for this conn */
if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
- ap_ldap_rebind_remove(ldc->ldap);
+ apr_ldap_rebind_remove(ldc->ldap);
apr_pool_clear(ldc->rebind_pool);
}
}
@@ -242,7 +251,7 @@ static int uldap_connection_init(request_rec *r,
{
int rc = 0, ldap_option = 0;
int version = LDAP_VERSION3;
- ap_ldap_err_t *result = NULL;
+ apr_ldap_err_t *result = NULL;
#ifdef LDAP_OPT_NETWORK_TIMEOUT
struct timeval connectionTimeout = {10,0}; /* 10 second connection timeout */
#endif
@@ -256,10 +265,10 @@ static int uldap_connection_init(request_rec *r,
* some hosts with ports and some without. All hosts which do not
* specify a port will use the default port.
*/
- ap_ldap_init(r->pool, &(ldc->ldap),
+ apr_ldap_init(r->pool, &(ldc->ldap),
ldc->host,
- AP_LDAP_SSL == ldc->secure ? LDAPS_PORT : LDAP_PORT,
- AP_LDAP_NONE,
+ APR_LDAP_SSL == ldc->secure ? LDAPS_PORT : LDAP_PORT,
+ APR_LDAP_NONE,
&(result));
if (NULL == result) {
@@ -291,7 +300,7 @@ static int uldap_connection_init(request_rec *r,
if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
/* Now that we have an ldap struct, add it to the referral list for rebinds. */
- rc = ap_ldap_rebind_add(ldc->rebind_pool, ldc->ldap, ldc->binddn, ldc->bindpw);
+ rc = apr_ldap_rebind_add(ldc->rebind_pool, ldc->ldap, ldc->binddn, ldc->bindpw);
if (rc != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, rc, r->server,
"LDAP: Unable to add rebind cross reference entry. Out of memory?");
@@ -306,7 +315,7 @@ static int uldap_connection_init(request_rec *r,
/* set client certificates */
if (!apr_is_empty_array(ldc->client_certs)) {
- ap_ldap_set_option(r->pool, ldc->ldap, AP_LDAP_OPT_TLS_CERT,
+ apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
ldc->client_certs, &(result));
if (LDAP_SUCCESS != result->rc) {
uldap_connection_unbind( ldc );
@@ -316,9 +325,9 @@ static int uldap_connection_init(request_rec *r,
}
/* switch on SSL/TLS */
- if (AP_LDAP_NONE != ldc->secure) {
- ap_ldap_set_option(r->pool, ldc->ldap,
- AP_LDAP_OPT_TLS, &ldc->secure, &(result));
+ if (APR_LDAP_NONE != ldc->secure) {
+ apr_ldap_set_option(r->pool, ldc->ldap,
+ APR_LDAP_OPT_TLS, &ldc->secure, &(result));
if (LDAP_SUCCESS != result->rc) {
uldap_connection_unbind( ldc );
ldc->reason = result->reason;
@@ -335,8 +344,8 @@ static int uldap_connection_init(request_rec *r,
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"LDAP: Setting referrals to %s.",
((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"));
- ap_ldap_set_option(r->pool, ldc->ldap,
- AP_LDAP_OPT_REFERRALS,
+ apr_ldap_set_option(r->pool, ldc->ldap,
+ APR_LDAP_OPT_REFERRALS,
(void *)((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ?
LDAP_OPT_ON : LDAP_OPT_OFF),
&(result));
@@ -356,8 +365,8 @@ static int uldap_connection_init(request_rec *r,
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Setting referral hop limit to %d.",
ldc->ReferralHopLimit);
- ap_ldap_set_option(r->pool, ldc->ldap,
- AP_LDAP_OPT_REFHOPLIMIT,
+ apr_ldap_set_option(r->pool, ldc->ldap,
+ APR_LDAP_OPT_REFHOPLIMIT,
(void *)&ldc->ReferralHopLimit,
&(result));
if (result->rc != LDAP_SUCCESS) {
@@ -373,8 +382,31 @@ static int uldap_connection_init(request_rec *r,
}
}
- ap_ldap_set_option(r->pool, ldc->ldap, AP_LDAP_OPT_VERIFY_CERT,
+/*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
+#ifdef APR_LDAP_OPT_VERIFY_CERT
+ apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT,
&(st->verify_svr_cert), &(result));
+#else
+#if defined(LDAPSSL_VERIFY_SERVER)
+ if (st->verify_svr_cert) {
+ result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER);
+ }
+ else {
+ result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE);
+ }
+#elif defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
+ /* This is not a per-connection setting so just pass NULL for the
+ Ldap connection handle */
+ if (st->verify_svr_cert) {
+ int i = LDAP_OPT_X_TLS_DEMAND;
+ result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
+ }
+ else {
+ int i = LDAP_OPT_X_TLS_NEVER;
+ result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
+ }
+#endif
+#endif
#ifdef LDAP_OPT_NETWORK_TIMEOUT
if (st->connectionTimeout > 0) {
@@ -382,7 +414,7 @@ static int uldap_connection_init(request_rec *r,
}
if (st->connectionTimeout >= 0) {
- rc = ap_ldap_set_option(r->pool, ldc->ldap, LDAP_OPT_NETWORK_TIMEOUT,
+ rc = apr_ldap_set_option(r->pool, ldc->ldap, LDAP_OPT_NETWORK_TIMEOUT,
(void *)&connectionTimeout, &(result));
if (APR_SUCCESS != rc) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
@@ -401,7 +433,7 @@ static int uldap_connection_init(request_rec *r,
* XXX: ldap_result() with a timeout.
*/
if (st->opTimeout) {
- rc = ap_ldap_set_option(r->pool, ldc->ldap, LDAP_OPT_TIMEOUT,
+ rc = apr_ldap_set_option(r->pool, ldc->ldap, LDAP_OPT_TIMEOUT,
st->opTimeout, &(result));
if (APR_SUCCESS != rc) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
@@ -556,7 +588,7 @@ static int compare_client_certs(apr_array_header_t *srcs,
apr_array_header_t *dests)
{
int i = 0;
- struct ap_ldap_opt_tls_cert_t *src, *dest;
+ struct apr_ldap_opt_tls_cert_t *src, *dest;
/* arrays both NULL? if so, then equal */
if (srcs == NULL && dests == NULL) {
@@ -569,8 +601,8 @@ static int compare_client_certs(apr_array_header_t *srcs,
}
/* run an actual comparison */
- src = (struct ap_ldap_opt_tls_cert_t *)srcs->elts;
- dest = (struct ap_ldap_opt_tls_cert_t *)dests->elts;
+ src = (struct apr_ldap_opt_tls_cert_t *)srcs->elts;
+ dest = (struct apr_ldap_opt_tls_cert_t *)dests->elts;
for (i = 0; i < srcs->nelts; i++) {
if ((strcmp(src[i].path, dest[i].path)) ||
(src[i].type != dest[i].type) ||
@@ -617,7 +649,7 @@ static util_ldap_connection_t *
apr_thread_mutex_lock(st->mutex);
#endif
- if (secure < AP_LDAP_NONE) {
+ if (secure < APR_LDAP_NONE) {
secureflag = st->secure;
}
@@ -731,7 +763,7 @@ static util_ldap_connection_t *
l->ReferralHopLimit = dc->ReferralHopLimit;
/* The security mode after parsing the URL will always be either
- * AP_LDAP_NONE (ldap://) or AP_LDAP_SSL (ldaps://).
+ * APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
* If the security setting is NONE, override it to the security
* setting optionally supplied by the admin using LDAPTrustedMode
*/
@@ -853,7 +885,7 @@ start_over:
/* search for reqdn */
result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
"(objectclass=*)", NULL, 1,
- NULL, NULL, st->opTimeout, AP_LDAP_SIZELIMIT, &res);
+ NULL, NULL, st->opTimeout, APR_LDAP_SIZELIMIT, &res);
if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "DN Comparison ldap_search_ext_s() "
@@ -1112,7 +1144,7 @@ start_over:
/* try to do the search */
result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
(char *)"cn=*", subgroupAttrs, 0,
- NULL, NULL, NULL, AP_LDAP_SIZELIMIT, &sga_res);
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
if (AP_LDAP_IS_SERVER_DOWN(result)) {
ldc->reason = "ldap_search_ext_s() for subgroups failed with server"
" down";
@@ -1583,7 +1615,7 @@ start_over:
result = ldap_search_ext_s(ldc->ldap,
(char *)basedn, scope,
(char *)filter, attrs, 0,
- NULL, NULL, st->opTimeout, AP_LDAP_SIZELIMIT, &res);
+ NULL, NULL, st->opTimeout, APR_LDAP_SIZELIMIT, &res);
if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "ldap_search_ext_s() for user failed with server down";
@@ -1834,7 +1866,7 @@ start_over:
result = ldap_search_ext_s(ldc->ldap,
(char *)basedn, scope,
(char *)filter, attrs, 0,
- NULL, NULL, st->opTimeout, AP_LDAP_SIZELIMIT, &res);
+ NULL, NULL, st->opTimeout, APR_LDAP_SIZELIMIT, &res);
if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "ldap_search_ext_s() for user failed with server down";
@@ -2104,72 +2136,72 @@ static const char *util_ldap_set_opcache_entries(cmd_parms *cmd, void *dummy,
* CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64,
* CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, KEY_BASE64
*
- * If no matches are found, AP_LDAP_CA_TYPE_UNKNOWN is returned.
+ * If no matches are found, APR_LDAP_CA_TYPE_UNKNOWN is returned.
*/
static int util_ldap_parse_cert_type(const char *type)
{
/* Authority file in binary DER format */
if (0 == strcasecmp("CA_DER", type)) {
- return AP_LDAP_CA_TYPE_DER;
+ return APR_LDAP_CA_TYPE_DER;
}
/* Authority file in Base64 format */
else if (0 == strcasecmp("CA_BASE64", type)) {
- return AP_LDAP_CA_TYPE_BASE64;
+ return APR_LDAP_CA_TYPE_BASE64;
}
/* Netscape certificate database file/directory */
else if (0 == strcasecmp("CA_CERT7_DB", type)) {
- return AP_LDAP_CA_TYPE_CERT7_DB;
+ return APR_LDAP_CA_TYPE_CERT7_DB;
}
/* Netscape secmod file/directory */
else if (0 == strcasecmp("CA_SECMOD", type)) {
- return AP_LDAP_CA_TYPE_SECMOD;
+ return APR_LDAP_CA_TYPE_SECMOD;
}
/* Client cert file in DER format */
else if (0 == strcasecmp("CERT_DER", type)) {
- return AP_LDAP_CERT_TYPE_DER;
+ return APR_LDAP_CERT_TYPE_DER;
}
/* Client cert file in Base64 format */
else if (0 == strcasecmp("CERT_BASE64", type)) {
- return AP_LDAP_CERT_TYPE_BASE64;
+ return APR_LDAP_CERT_TYPE_BASE64;
}
/* Client cert file in PKCS#12 format */
else if (0 == strcasecmp("CERT_PFX", type)) {
- return AP_LDAP_CERT_TYPE_PFX;
+ return APR_LDAP_CERT_TYPE_PFX;
}
/* Netscape client cert database file/directory */
else if (0 == strcasecmp("CERT_KEY3_DB", type)) {
- return AP_LDAP_CERT_TYPE_KEY3_DB;
+ return APR_LDAP_CERT_TYPE_KEY3_DB;
}
/* Netscape client cert nickname */
else if (0 == strcasecmp("CERT_NICKNAME", type)) {
- return AP_LDAP_CERT_TYPE_NICKNAME;
+ return APR_LDAP_CERT_TYPE_NICKNAME;
}
/* Client cert key file in DER format */
else if (0 == strcasecmp("KEY_DER", type)) {
- return AP_LDAP_KEY_TYPE_DER;
+ return APR_LDAP_KEY_TYPE_DER;
}
/* Client cert key file in Base64 format */
else if (0 == strcasecmp("KEY_BASE64", type)) {
- return AP_LDAP_KEY_TYPE_BASE64;
+ return APR_LDAP_KEY_TYPE_BASE64;
}
/* Client cert key file in PKCS#12 format */
else if (0 == strcasecmp("KEY_PFX", type)) {
- return AP_LDAP_KEY_TYPE_PFX;
+ return APR_LDAP_KEY_TYPE_PFX;
}
else {
- return AP_LDAP_CA_TYPE_UNKNOWN;
+ return APR_LDAP_CA_TYPE_UNKNOWN;
}
}
@@ -2198,7 +2230,7 @@ static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd,
apr_finfo_t finfo;
apr_status_t rv;
int cert_type = 0;
- ap_ldap_opt_tls_cert_t *cert;
+ apr_ldap_opt_tls_cert_t *cert;
if (err != NULL) {
return err;
@@ -2207,7 +2239,7 @@ static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd,
/* handle the certificate type */
if (type) {
cert_type = util_ldap_parse_cert_type(type);
- if (AP_LDAP_CA_TYPE_UNKNOWN == cert_type) {
+ if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type %s is "
"not recognised. It should be one "
"of CA_DER, CA_BASE64, CA_CERT7_DB, "
@@ -2225,14 +2257,14 @@ static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd,
file, type);
/* add the certificate to the global array */
- cert = (ap_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
+ cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
cert->type = cert_type;
cert->path = file;
cert->password = password;
/* if file is a file or path, fix the path */
- if (cert_type != AP_LDAP_CA_TYPE_UNKNOWN &&
- cert_type != AP_LDAP_CERT_TYPE_NICKNAME) {
+ if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
+ cert_type != APR_LDAP_CERT_TYPE_NICKNAME) {
cert->path = ap_server_root_relative(cmd->pool, file);
if (cert->path &&
@@ -2269,12 +2301,12 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,
apr_finfo_t finfo;
apr_status_t rv;
int cert_type = 0;
- ap_ldap_opt_tls_cert_t *cert;
+ apr_ldap_opt_tls_cert_t *cert;
/* handle the certificate type */
if (type) {
cert_type = util_ldap_parse_cert_type(type);
- if (AP_LDAP_CA_TYPE_UNKNOWN == cert_type) {
+ if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
"not recognised. It should be one "
"of CA_DER, CA_BASE64, "
@@ -2283,10 +2315,10 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,
"KEY_DER, KEY_BASE64, KEY_PFX",
type);
}
- else if ( AP_LDAP_CA_TYPE_CERT7_DB == cert_type ||
- AP_LDAP_CA_TYPE_SECMOD == cert_type ||
- AP_LDAP_CERT_TYPE_PFX == cert_type ||
- AP_LDAP_CERT_TYPE_KEY3_DB == cert_type) {
+ else if ( APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||
+ APR_LDAP_CA_TYPE_SECMOD == cert_type ||
+ APR_LDAP_CERT_TYPE_PFX == cert_type ||
+ APR_LDAP_CERT_TYPE_KEY3_DB == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
"only valid within a "
"LDAPTrustedGlobalCert directive. "
@@ -2305,14 +2337,14 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,
file, type);
/* add the certificate to the client array */
- cert = (ap_ldap_opt_tls_cert_t *)apr_array_push(dc->client_certs);
+ cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(dc->client_certs);
cert->type = cert_type;
cert->path = file;
cert->password = password;
/* if file is a file or path, fix the path */
- if (cert_type != AP_LDAP_CA_TYPE_UNKNOWN &&
- cert_type != AP_LDAP_CERT_TYPE_NICKNAME) {
+ if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
+ cert_type != APR_LDAP_CERT_TYPE_NICKNAME) {
cert->path = ap_server_root_relative(cmd->pool, file);
if (cert->path &&
@@ -2352,14 +2384,14 @@ static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy,
mode);
if (0 == strcasecmp("NONE", mode)) {
- st->secure = AP_LDAP_NONE;
+ st->secure = APR_LDAP_NONE;
}
else if (0 == strcasecmp("SSL", mode)) {
- st->secure = AP_LDAP_SSL;
+ st->secure = APR_LDAP_SSL;
}
else if ( (0 == strcasecmp("TLS", mode))
|| (0 == strcasecmp("STARTTLS", mode))) {
- st->secure = AP_LDAP_STARTTLS;
+ st->secure = APR_LDAP_STARTTLS;
}
else {
return "Invalid LDAPTrustedMode setting: must be one of NONE, "
@@ -2485,7 +2517,7 @@ static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) {
(util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
/* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */
- dc->client_certs = apr_array_make(p, 10, sizeof(ap_ldap_opt_tls_cert_t));
+ dc->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
dc->ReferralHopLimit = AP_LDAP_HOPLIMIT_UNSET;
@@ -2584,8 +2616,8 @@ static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
st->compare_cache_size = 1024;
st->connections = NULL;
st->ssl_supported = 0;
- st->global_certs = apr_array_make(p, 10, sizeof(ap_ldap_opt_tls_cert_t));
- st->secure = AP_LDAP_NONE;
+ st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
+ st->secure = APR_LDAP_NONE;
st->secure_set = 0;
st->connectionTimeout = 10;
st->opTimeout = apr_pcalloc(p, sizeof(struct timeval));
@@ -2657,7 +2689,7 @@ static apr_status_t util_ldap_cleanup_module(void *data)
s->module_config, &ldap_module);
if (st->ssl_supported) {
- ap_ldap_ssl_deinit();
+ apr_ldap_ssl_deinit();
}
return APR_SUCCESS;
@@ -2689,7 +2721,7 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
ap_get_module_config(s->module_config,
&ldap_module);
- ap_ldap_err_t *result_err = NULL;
+ apr_ldap_err_t *result_err = NULL;
int rc;
/* util_ldap_post_config() will be called twice. Don't bother
@@ -2762,8 +2794,8 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
/* log the LDAP SDK used
*/
{
- ap_ldap_err_t *result = NULL;
- ap_ldap_info(p, &(result));
+ apr_ldap_err_t *result = NULL;
+ apr_ldap_info(p, &(result));
if (result != NULL) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "%s", result->reason);
}
@@ -2778,12 +2810,12 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
* If SSL is not supported it is not necessarily an error, as the
* application may not want to use it.
*/
- rc = ap_ldap_ssl_init(p,
+ rc = apr_ldap_ssl_init(p,
NULL,
0,
&(result_err));
if (APR_SUCCESS == rc) {
- rc = ap_ldap_set_option(ptemp, NULL, AP_LDAP_OPT_TLS_CERT,
+ rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
(void *)st->global_certs, &(result_err));
}
@@ -2801,7 +2833,7 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
}
/* Initialize the rebind callback's cross reference list. */
- ap_ldap_rebind_init (p);
+ apr_ldap_rebind_init (p);
#ifdef AP_LDAP_OPT_DEBUG
if (st->debug_level > 0) {
View Lorry Controller Status