author | minfrin <minfrin@13f79535-47bb-0310-9956-ffa450edef68> | 2005-01-05 10:47:07 +0000 |
---|---|---|
committer | minfrin <minfrin@13f79535-47bb-0310-9956-ffa450edef68> | 2005-01-05 10:47:07 +0000 |
commit | d8390d90082c11e41a59e1f3c38e68f5e2739596 (patch) | |
tree | 140e6ca03d172259a2bef862c460bc7e6c2eba41 /ldap | |
parent | ef3c3aff889e45bac0eeb0ac855a29e623d4cc20 (diff) | |
download | libapr-util-d8390d90082c11e41a59e1f3c38e68f5e2739596.tar.gz |
Teach apr_ldap_init() how to handle STARTTLS in addition to the existing
SSL support. Add apr_ldap_option API.
git-svn-id: http://svn.apache.org/repos/asf/apr/apr-util/trunk@124191 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'ldap')
-rw-r--r-- | ldap/apr_ldap_init.c | 60 | ||||
-rw-r--r-- | ldap/apr_ldap_option.c | 103 |
2 files changed, 155 insertions, 8 deletions
diff --git a/ldap/apr_ldap_init.c b/ldap/apr_ldap_init.c
index b4079dec..e8555c6e 100644
--- a/ldap/apr_ldap_init.c
+++ b/ldap/apr_ldap_init.c
@@ -298,6 +298,16 @@ APU_DECLARE(int) apr_ldap_ssl_deinit(void) {
 * to hide the complexity setup from the user. This function
 * assumes that any certificate setup necessary has already
 * been done.
+ *
+ * If SSL or STARTTLS needs to be enabled, and the underlying
+ * toolkit supports it, the following values are accepted for
+ * secure:
+ *
+ * APR_LDAP_OPT_TLS_NEVER: No encryption
+ * APR_LDAP_OPT_TLS_HARD: SSL encryption (ldaps://)
+ * APR_LDAP_OPT_TLS_DEMAND: Force STARTTLS on ldap://
+ * APR_LDAP_OPT_TLS_ALLOW: Allow STARTTLS on ldap://
+ * APR_LDAP_OPT_TLS_TRY: Optionally try STARTLS on ldap://
 */
 APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
 LDAP **ldap,
@@ -333,19 +343,20 @@ APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
 #ifdef LDAP_OPT_X_TLS
 *ldap = ldap_init(hostname, portno);
 if (NULL != *ldap) {
- int SSLmode = LDAP_OPT_X_TLS_HARD;
+ int SSLmode = secure;
 result->rc = ldap_set_option(*ldap, LDAP_OPT_X_TLS, &SSLmode);
 if (LDAP_SUCCESS != result->rc) {
 ldap_unbind_s(*ldap);
- result->reason = "LDAP: ldap_set_option - "
- "LDAP_OPT_X_TLS_HARD failed";
+ result->reason = "LDAP: ldap_set_option failed, "
+ "could not set security mode for "
+ "apr_ldap_init()";
 result->msg = ldap_err2string(result->rc);
 *ldap = NULL;
 return APR_EGENERAL;
 }
 }
 #else
- result->reason = "LDAP: SSL not yet supported by APR on this "
+ result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
 "version of the OpenLDAP toolkit";
 return APR_ENOTIMPL;
 #endif
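Review bot: The new option list in the apr_ldap_init() comment has a typo, `+ * APR_LDAP_OPT_TLS_TRY: Optionally try STARTLS on ldap://` should read `STARTTLS`. The comment would also help callers if it stated the outcome for a mode the toolkit in use cannot provide, since the code paths below return APR_ENOTIMPL with a `reason` string in that case; e.g. append ` * A mode the underlying toolkit cannot provide makes apr_ldap_init() fail with APR_ENOTIMPL and a reason string.` The signature this comment documents continues past the end of the hunk.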
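Review bot: `int SSLmode = secure;` hands the APR-level APR_LDAP_OPT_TLS_* value straight to `ldap_set_option(*ldap, LDAP_OPT_X_TLS, &SSLmode)`, so correctness depends on those constants being numerically identical to OpenLDAP's LDAP_OPT_X_TLS_* values; apr_ldap.h is not part of this diff, so that equivalence cannot be checked here. Either map the value explicitly (a switch from APR_LDAP_OPT_TLS_NEVER/HARD/DEMAND/ALLOW/TRY to the matching LDAP_OPT_X_TLS_* constant, rejecting anything else) or record the assumption at the assignment, e.g. `int SSLmode = secure; /* APR_LDAP_OPT_TLS_* values are defined to match LDAP_OPT_X_TLS_* */`. With the pass-through, an out-of-range `secure` reaches the toolkit unchecked and the reported error is whatever ldap_set_option() returns, because nothing in the hunk validates the input. The rest of apr_ldap_init() lies outside this hunk.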
@@ -353,13 +364,46 @@ APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
 /* microsoft toolkit */
 else if (!strcmp(LDAP_VENDOR_NAME, APR_LDAP_VENDOR_MICROSOFT)) {
+ if (APR_LDAP_OPT_TLS_HARD == secure) {
 #if APR_HAS_LDAP_SSLINIT
- *ldap = ldap_sslinit((char *)hostname, portno, 1);
+ *ldap = ldap_sslinit((char *)hostname, portno, 1);
 #else
- result->reason = "LDAP: SSL not yet supported by APR on "
- "this version of the Microsoft toolkit";
- return APR_ENOTIMPL;
+ result->reason = "LDAP: ldap_sslinit() not yet supported by APR on "
+ "this version of the Microsoft toolkit";
+ return APR_ENOTIMPL;
+#endif
+ }
+ else {
+#if APR_HAS_LDAP_START_TLS_S
+ if (APR_LDAP_OPT_TLS_DEMAND == secure) {
+ *ldap = ldap_init(hostname, portno);
+ if (NULL != *ldap) {
+ result->rc = ldap_start_tls_s(*ldap, NULL, NULL, NULL, NULL);
+ if (LDAP_SUCCESS != result->rc) {
+ ldap_unbind_s(*ldap);
+ result->reason = "LDAP: ldap_start_tls_s() failed, "
+ "could not set STARTTLS mode for "
+ "apr_ldap_init()";
+ result->msg = ldap_err2string(result->rc);
+ *ldap = NULL;
+ return APR_EGENERAL;
+ }
+ }
+ }
+ else {
+ result->reason = "LDAP: APR_LDAP_OPT_TLS_ALLOW and "
+ "APR_LDAP_OPT_TLS_TRY are not supported "
+ "by APR on this version of the Microsoft "
+ "toolkit. Use APR_LDAP_OPT_TLS_DEMAND "
+ "instead to enable STARTTLS";
+ return APR_ENOTIMPL;
+ }
+#else
+ result->reason = "LDAP: ldap_start_tls_s() not yet supported "
+ "by APR on this version of the Microsoft toolkit";
+ return APR_ENOTIMPL;
 #endif
+ }
 }
 /* sun toolkit */
diff --git a/ldap/apr_ldap_option.c b/ldap/apr_ldap_option.c
new file mode 100644
index 00000000..a0aec2d9
--- /dev/null
+++ b/ldap/apr_ldap_option.c
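Review bot: The inner `else` branch reports that only ALLOW and TRY are unsupported, but it is reached by every value of `secure` other than APR_LDAP_OPT_TLS_HARD and APR_LDAP_OPT_TLS_DEMAND, so APR_LDAP_OPT_TLS_NEVER (if this toolkit branch can be entered with it; the gate is outside the hunk) and any out-of-range value get the same misleading message and APR_ENOTIMPL. Testing the value explicitly, `else if (APR_LDAP_OPT_TLS_ALLOW == secure || APR_LDAP_OPT_TLS_TRY == secure) {`, and treating anything else as an invalid argument with its own reason string would keep the message accurate. Separately, STARTTLS is an LDAPv3 extended operation and nothing in the hunk sets the protocol version before `ldap_start_tls_s(*ldap, NULL, NULL, NULL, NULL)`; if the toolkit defaults to LDAPv2 that call fails at runtime, so confirm the version is set by the caller or elsewhere in apr_ldap_init(), whose body extends beyond this hunk. As in the OpenLDAP branch, a NULL return from `ldap_init()` leaves `result` untouched here and relies on a check outside the hunk.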
@@ -0,0 +1,103 @@
+/* Copyright 2000-2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* apr_ldap_option.c -- LDAP options
+ *
+ * The LDAP SDK allows the getting and setting of options on an LDAP
+ * connection.
+ *
+ */
+
+#include <apu.h>
+#include <apr_ldap.h>
+#include <apr_errno.h>
+#include <apr_pools.h>
+#include <apr_strings.h>
+
+#if APR_HAS_LDAP
+
+/**
+ * APR LDAP get option function
+ *
+ * This function gets option values from a given LDAP session if
+ * one was specified.
+ */
+APU_DECLARE(int) apr_ldap_get_option(apr_pool_t *pool,
+ LDAP *ldap,
+ int option,
+ void *outvalue,
+ apr_ldap_err_t **result_err) {
+
+ apr_ldap_err_t *result;
+
+ result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t));
+ *result_err = result;
+ if (!result) {
+ return APR_ENOMEM;
+ }
+
+ /* get the option specified using the native LDAP function */
+ result->rc = ldap_get_option(ldap, option, outvalue);
+
+ /* handle the error case */
+ if (LDAP_SUCCESS != result->rc) {
+ result->msg = ldap_err2string(result-> rc);
+ result->reason = apr_pstrdup (pool, "LDAP: Could not get an option");
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+
+}
+
+/**
+ * APR LDAP set option function
+ *
+ * This function sets option values to a given LDAP session if
+ * one was specified.
+ *
+ * Where an option is not supported by an LDAP toolkit, this function
+ * will try and apply legacy functions to achieve the same effect,
+ * depending on the platform.
+ */
+APU_DECLARE(int) apr_ldap_set_option(apr_pool_t *pool,
+ LDAP *ldap,
+ int option,
+ const void *invalue,
+ apr_ldap_err_t **result_err) {
+
+ apr_ldap_err_t *result;
+
+ result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t));
+ *result_err = result;
+ if (!result) {
+ return APR_ENOMEM;
+ }
+
+ /* set the option specified using the native LDAP function */
+ result->rc = ldap_set_option(ldap, option, (void *)invalue);
+
+ /* handle the error case */
+ if (LDAP_SUCCESS != result->rc) {
+ result->msg = ldap_err2string(result-> rc);
+ result->reason = apr_pstrdup (pool, "LDAP: Could not get an option");
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+
+}
+
+#endif /* APR_HAS_LDAP */ |
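Review bot: The error path of apr_ldap_set_option() reuses the get-side message, `result->reason = apr_pstrdup (pool, "LDAP: Could not get an option");`, so a failed set is reported to the caller as a failed get; it should read `result->reason = apr_pstrdup(pool, "LDAP: Could not set an option");`. The docstring above it promises that unsupported options fall back to "legacy functions" per platform, but the body is a single `ldap_set_option()` call with no fallback, so either trim that sentence or mark it as planned. Because `*result_err` is assigned before the NULL check in both functions, a caller sees a NULL result on APR_ENOMEM, which is worth one line in each docstring, and the `(void *)invalue` cast that strips const for the SDK call deserves a short why-comment. Minor style: `result-> rc` and `apr_pstrdup (pool, ...)` carry stray spaces that the `result->rc = ldap_get_option(...)` lines in the same file do not.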