authorminfrin <minfrin@13f79535-47bb-0310-9956-ffa450edef68>2005-01-05 10:47:07 +0000
committerminfrin <minfrin@13f79535-47bb-0310-9956-ffa450edef68>2005-01-05 10:47:07 +0000
commitd8390d90082c11e41a59e1f3c38e68f5e2739596 (patch)
tree140e6ca03d172259a2bef862c460bc7e6c2eba41 /ldap
parentef3c3aff889e45bac0eeb0ac855a29e623d4cc20 (diff)
downloadlibapr-util-d8390d90082c11e41a59e1f3c38e68f5e2739596.tar.gz
Teach apr_ldap_init() how to handle STARTTLS in addition to the existing
SSL support. Add apr_ldap_option API. git-svn-id: http://svn.apache.org/repos/asf/apr/apr-util/trunk@124191 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'ldap')
-rw-r--r--ldap/apr_ldap_init.c60
-rw-r--r--ldap/apr_ldap_option.c103
2 files changed, 155 insertions, 8 deletions
diff --git a/ldap/apr_ldap_init.c b/ldap/apr_ldap_init.c
index b4079dec..e8555c6e 100644
--- a/ldap/apr_ldap_init.c
+++ b/ldap/apr_ldap_init.c
@@ -298,6 +298,16 @@ APU_DECLARE(int) apr_ldap_ssl_deinit(void) {
* to hide the complexity setup from the user. This function
* assumes that any certificate setup necessary has already
* been done.
+ *
+ * If SSL or STARTTLS needs to be enabled, and the underlying
+ * toolkit supports it, the following values are accepted for
+ * secure:
+ *
+ * APR_LDAP_OPT_TLS_NEVER: No encryption
+ * APR_LDAP_OPT_TLS_HARD: SSL encryption (ldaps://)
+ * APR_LDAP_OPT_TLS_DEMAND: Force STARTTLS on ldap://
+ * APR_LDAP_OPT_TLS_ALLOW: Allow STARTTLS on ldap://
+ * APR_LDAP_OPT_TLS_TRY: Optionally try STARTLS on ldap://
*/
APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
LDAP **ldap,
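Review bot: The added comment for `APR_LDAP_OPT_TLS_TRY` misspells STARTTLS as `STARTLS`, and the one-line descriptions of `ALLOW` and `TRY` do not say what happens when STARTTLS is not negotiated. Since both are described as optional, the comment should state that with those values the session may continue without encryption if the server does not offer or complete STARTTLS (assuming the semantics the names suggest — verify against the OpenLDAP `LDAP_OPT_X_TLS_*` behaviour), so that callers who require confidentiality know to pick `HARD` or `DEMAND`. Suggested text: ` * APR_LDAP_OPT_TLS_TRY: Optionally try STARTTLS on ldap:// (may continue unencrypted if STARTTLS is unavailable)`. apr_ldap_init's body continues outside the hunk.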
@@ -333,19 +343,20 @@ APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
#ifdef LDAP_OPT_X_TLS
*ldap = ldap_init(hostname, portno);
if (NULL != *ldap) {
- int SSLmode = LDAP_OPT_X_TLS_HARD;
+ int SSLmode = secure;
result->rc = ldap_set_option(*ldap, LDAP_OPT_X_TLS, &SSLmode);
if (LDAP_SUCCESS != result->rc) {
ldap_unbind_s(*ldap);
- result->reason = "LDAP: ldap_set_option - "
- "LDAP_OPT_X_TLS_HARD failed";
+ result->reason = "LDAP: ldap_set_option failed, "
+ "could not set security mode for "
+ "apr_ldap_init()";
result->msg = ldap_err2string(result->rc);
*ldap = NULL;
return APR_EGENERAL;
}
}
#else
- result->reason = "LDAP: SSL not yet supported by APR on this "
+ result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
"version of the OpenLDAP toolkit";
return APR_ENOTIMPL;
#endif
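Review bot: `int SSLmode = secure;` passes the APR-level `APR_LDAP_OPT_TLS_*` value straight into `LDAP_OPT_X_TLS`, so this is only correct if those constants are numerically identical to OpenLDAP's `LDAP_OPT_X_TLS_*` values; nothing in this hunk establishes that, whereas the replaced line used the OpenLDAP constant directly. Either translate with a `switch` that returns `APR_EINVAL` for values outside the documented set, or document the coupling at the point of use, e.g. `/* APR_LDAP_OPT_TLS_* must mirror the LDAP_OPT_X_TLS_* numbering; see apr_ldap.h */`. A `switch` would also reject out-of-range values before they reach the toolkit instead of leaving that to ldap_set_option(). The enclosing function starts and ends outside the hunk.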
@@ -353,13 +364,46 @@ APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
/* microsoft toolkit */
else if (!strcmp(LDAP_VENDOR_NAME, APR_LDAP_VENDOR_MICROSOFT)) {
+ if (APR_LDAP_OPT_TLS_HARD == secure) {
#if APR_HAS_LDAP_SSLINIT
- *ldap = ldap_sslinit((char *)hostname, portno, 1);
+ *ldap = ldap_sslinit((char *)hostname, portno, 1);
#else
- result->reason = "LDAP: SSL not yet supported by APR on "
- "this version of the Microsoft toolkit";
- return APR_ENOTIMPL;
+ result->reason = "LDAP: ldap_sslinit() not yet supported by APR on "
+ "this version of the Microsoft toolkit";
+ return APR_ENOTIMPL;
+#endif
+ }
+ else {
+#if APR_HAS_LDAP_START_TLS_S
+ if (APR_LDAP_OPT_TLS_DEMAND == secure) {
+ *ldap = ldap_init(hostname, portno);
+ if (NULL != *ldap) {
+ result->rc = ldap_start_tls_s(*ldap, NULL, NULL, NULL, NULL);
+ if (LDAP_SUCCESS != result->rc) {
+ ldap_unbind_s(*ldap);
+ result->reason = "LDAP: ldap_start_tls_s() failed, "
+ "could not set STARTTLS mode for "
+ "apr_ldap_init()";
+ result->msg = ldap_err2string(result->rc);
+ *ldap = NULL;
+ return APR_EGENERAL;
+ }
+ }
+ }
+ else {
+ result->reason = "LDAP: APR_LDAP_OPT_TLS_ALLOW and "
+ "APR_LDAP_OPT_TLS_TRY are not supported "
+ "by APR on this version of the Microsoft "
+ "toolkit. Use APR_LDAP_OPT_TLS_DEMAND "
+ "instead to enable STARTTLS";
+ return APR_ENOTIMPL;
+ }
+#else
+ result->reason = "LDAP: ldap_start_tls_s() not yet supported "
+ "by APR on this version of the Microsoft toolkit";
+ return APR_ENOTIMPL;
#endif
+ }
}
/* sun toolkit */
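Review bot: The final `else` in the Microsoft branch reports that only `APR_LDAP_OPT_TLS_ALLOW` and `APR_LDAP_OPT_TLS_TRY` are unsupported, but it is reached by every value other than `HARD` and `DEMAND`, so if the enclosing condition (outside the hunk) lets `APR_LDAP_OPT_TLS_NEVER` or an out-of-range `secure` through, the caller gets a misleading reason and `APR_ENOTIMPL` instead of an invalid-argument error. Test the two values explicitly, `else if (APR_LDAP_OPT_TLS_ALLOW == secure || APR_LDAP_OPT_TLS_TRY == secure) {`, and let anything else fall to a default that returns `APR_EINVAL` with its own reason. The `ldap_sslinit()` path stores `*ldap` without a NULL check here, unlike the new `ldap_init()` path; if that check lives after the hunk a short comment saying so would make the asymmetry deliberate. apr_ldap_init's body continues outside the hunk.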
diff --git a/ldap/apr_ldap_option.c b/ldap/apr_ldap_option.c
new file mode 100644
index 00000000..a0aec2d9
--- /dev/null
+++ b/ldap/apr_ldap_option.c
@@ -0,0 +1,103 @@
+/* Copyright 2000-2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* apr_ldap_option.c -- LDAP options
+ *
+ * The LDAP SDK allows the getting and setting of options on an LDAP
+ * connection.
+ *
+ */
+
+#include <apu.h>
+#include <apr_ldap.h>
+#include <apr_errno.h>
+#include <apr_pools.h>
+#include <apr_strings.h>
+
+#if APR_HAS_LDAP
+
+/**
+ * APR LDAP get option function
+ *
+ * This function gets option values from a given LDAP session if
+ * one was specified.
+ */
+APU_DECLARE(int) apr_ldap_get_option(apr_pool_t *pool,
+ LDAP *ldap,
+ int option,
+ void *outvalue,
+ apr_ldap_err_t **result_err) {
+
+ apr_ldap_err_t *result;
+
+ result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t));
+ *result_err = result;
+ if (!result) {
+ return APR_ENOMEM;
+ }
+
+ /* get the option specified using the native LDAP function */
+ result->rc = ldap_get_option(ldap, option, outvalue);
+
+ /* handle the error case */
+ if (LDAP_SUCCESS != result->rc) {
+ result->msg = ldap_err2string(result-> rc);
+ result->reason = apr_pstrdup (pool, "LDAP: Could not get an option");
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+
+}
+
+/**
+ * APR LDAP set option function
+ *
+ * This function sets option values to a given LDAP session if
+ * one was specified.
+ *
+ * Where an option is not supported by an LDAP toolkit, this function
+ * will try and apply legacy functions to achieve the same effect,
+ * depending on the platform.
+ */
+APU_DECLARE(int) apr_ldap_set_option(apr_pool_t *pool,
+ LDAP *ldap,
+ int option,
+ const void *invalue,
+ apr_ldap_err_t **result_err) {
+
+ apr_ldap_err_t *result;
+
+ result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t));
+ *result_err = result;
+ if (!result) {
+ return APR_ENOMEM;
+ }
+
+ /* set the option specified using the native LDAP function */
+ result->rc = ldap_set_option(ldap, option, (void *)invalue);
+
+ /* handle the error case */
+ if (LDAP_SUCCESS != result->rc) {
+ result->msg = ldap_err2string(result-> rc);
+ result->reason = apr_pstrdup (pool, "LDAP: Could not get an option");
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+
+}
+
+#endif /* APR_HAS_LDAP */
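Review bot: In `apr_ldap_set_option` the failure reason is copied from the getter and reads `"LDAP: Could not get an option"`, so a failed set is diagnosed as a failed get; change it to `result->reason = apr_pstrdup (pool, "LDAP: Could not set an option");`. The header comment on `apr_ldap_set_option` promises that unsupported options are emulated with legacy toolkit functions, but the body only calls `ldap_set_option()`; either drop that sentence or mark it as future work so callers do not rely on a fallback that does not exist. The `apr_pstrdup()` of a string literal in both functions allocates for nothing — `apr_ldap_init.c` in this same commit assigns literals to `result->reason` directly, and the same convention would serve here; likewise `result-> rc` should be written `result->rc` for consistency with the rest of the file.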