-rw-r--r--CHANGES31
-rw-r--r--aprutil.dsp4
-rw-r--r--include/apr_ldap.h.in4
-rw-r--r--include/apr_ldap.hnw2
-rw-r--r--include/apr_ldap.hw2
-rw-r--r--include/apr_ldap_option.h115
-rw-r--r--ldap/apr_ldap_init.c60
-rw-r--r--ldap/apr_ldap_option.c103
-rw-r--r--libaprutil.dsp4
9 files changed, 299 insertions, 26 deletions
diff --git a/CHANGES b/CHANGES
index 4ea7936f..978d2236 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,18 +1,5 @@
Changes with APR-util 1.1.0
- *) Rework the LDAP toolkit detection to be more accurate than "OpenLDAP
- detected regardless", while remaining backwards compatible with v1.0.
- [Graham Leggett]
-
- *) Fix the detection of ldap.h on Solaris - it needs lber.h to be
- defined first. [Graham Leggett]
-
- *) Add a build script to create a solaris package. [Graham Leggett]
-
- *) Added the apr_ldap_ssl_add_cert() API to allow multiple certificates
- to be stored and used when establishing an SSL connection to different
- LDAP servers. [Brad Nicholes]
-
*) Emit the run-time link path option in apu-config after installation
if the user is linking with libtool. [Justin Erenkrantz]
@@ -29,6 +16,24 @@ Changes with APR-util 1.1.0
*) Add apr_brigade_insert_file() function, to safely insert a file
into a brigade, regardless of size. [Joe Orton]
+Changes with APR-util 1.0.2
+
+ *) Teach apr_ldap_init() how to handle STARTTLS in addition to the existing
+ SSL support. Add apr_ldap_option API. [Graham Leggett]
+
+ *) Rework the LDAP toolkit detection to be more accurate than "OpenLDAP
+ detected regardless", while remaining backwards compatible with v1.0.
+ [Graham Leggett]
+
+ *) Added the apr_ldap_ssl_add_cert() API to allow multiple certificates
+ to be stored and used when establishing an SSL connection to different
+ LDAP servers. [Brad Nicholes]
+
+ *) Fix the detection of ldap.h on Solaris - it needs lber.h to be
+ defined first. [Graham Leggett]
+
+ *) Add a build script to create a solaris package. [Graham Leggett]
+
Changes with APR-util 1.0.1
*) Add support for Berkeley DB 4.3. [Jani Averbach <jaa jaa.iki.fi>]
diff --git a/aprutil.dsp b/aprutil.dsp
index c70b2120..a37635d0 100644
--- a/aprutil.dsp
+++ b/aprutil.dsp
@@ -211,6 +211,10 @@ SOURCE=.\ldap\apr_ldap_init.c
SOURCE=.\ldap\apr_ldap_url.c
# End Source File
+# Begin Source File
+
+SOURCE=.\ldap\apr_ldap_option.c
+# End Source File
# End Group
# Begin Group "misc"
diff --git a/include/apr_ldap.h.in b/include/apr_ldap.h.in
index 0bead420..ed3c4c87 100644
--- a/include/apr_ldap.h.in
+++ b/include/apr_ldap.h.in
@@ -75,9 +75,7 @@
@lber_h@
@ldap_h@
-#if APR_HAS_LDAP_SSL
@ldap_ssl_h@
-#endif
/*
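Review bot: Dropping the `#if APR_HAS_LDAP_SSL` guard means the configure-substituted `@ldap_ssl_h@` line is now emitted even in builds where APR_HAS_LDAP_SSL is 0. If configure substitutes a real `#include` whenever the toolkit's SSL header exists on the system, rather than only when SSL support was enabled, a non-SSL build now pulls in toolkit SSL declarations it did not before; this is only a concern if that substitution is not already empty in that configuration, which is not visible here. A comment recording the assumption would help, e.g. `/* @ldap_ssl_h@ expands to nothing unless configure found an SSL/TLS capable toolkit */`.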
@@ -132,7 +130,7 @@ typedef struct apr_ldap_err_t {
#include "apr_ldap_url.h"
#include "apr_ldap_init.h"
-
+#include "apr_ldap_option.h"
/** @} */
#endif /* APR_HAS_LDAP */
diff --git a/include/apr_ldap.hnw b/include/apr_ldap.hnw
index 5a280114..6a3c15fa 100644
--- a/include/apr_ldap.hnw
+++ b/include/apr_ldap.hnw
@@ -132,7 +132,7 @@ typedef struct apr_ldap_err_t {
#include "apr_ldap_url.h"
#include "apr_ldap_init.h"
-
+#include "apr_ldap_option.h"
/** @} */
#endif /* APR_HAS_LDAP */
diff --git a/include/apr_ldap.hw b/include/apr_ldap.hw
index 64cf055b..b70b4cdb 100644
--- a/include/apr_ldap.hw
+++ b/include/apr_ldap.hw
@@ -128,7 +128,7 @@ typedef struct apr_ldap_err_t {
#include "apr_ldap_url.h"
#include "apr_ldap_init.h"
-
+#include "apr_ldap_option.h"
/** @} */
#endif /* APR_HAS_LDAP */
diff --git a/include/apr_ldap_option.h b/include/apr_ldap_option.h
new file mode 100644
index 00000000..a425e5d8
--- /dev/null
+++ b/include/apr_ldap_option.h
@@ -0,0 +1,115 @@
+/* Copyright 2000-2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file apr_ldap_option.h
+ * @brief APR-UTIL LDAP ldap_*_option() functions
+ */
+#ifndef APR_LDAP_OPTION_H
+#define APR_LDAP_OPTION_H
+
+/**
+ * @defgroup APR_Util_LDAP LDAP
+ * @ingroup APR_Util
+ * @{
+ */
+
+#include "apr_ldap.h"
+
+#if APR_HAS_LDAP
+
+/*
+ * The following defines handle the different TLS certificate
+ * options available. If these options are missing, APR will try and
+ * emulate support for this using the derecated ldap_start_tls_s()
+ * function.
+ */
+#ifdef LDAP_OPT_X_TLS_NEVER
+#define APR_LDAP_OPT_TLS_NEVER LDAP_OPT_X_TLS_NEVER
+#else
+#define APR_LDAP_OPT_TLS_NEVER 0
+#endif
+
+#ifdef LDAP_OPT_X_TLS_HARD
+#define APR_LDAP_OPT_TLS_HARD LDAP_OPT_X_TLS_HARD
+#else
+#define APR_LDAP_OPT_TLS_HARD 1
+#endif
+
+#ifdef LDAP_OPT_X_TLS_DEMAND
+#define APR_LDAP_OPT_TLS_DEMAND LDAP_OPT_X_TLS_DEMAND
+#else
+#define APR_LDAP_OPT_TLS_DEMAND 2
+#endif
+
+#ifdef LDAP_OPT_X_TLS_ALLOW
+#define APR_LDAP_OPT_TLS_ALLOW LDAP_OPT_X_TLS_ALLOW
+#else
+#define APR_LDAP_OPT_TLS_ALLOW 3
+#endif
+
+#ifdef LDAP_OPT_X_TLS_TRY
+#define APR_LDAP_OPT_TLS_TRY LDAP_OPT_X_TLS_TRY
+#else
+#define APR_LDAP_OPT_TLS_TRY 4
+#endif
+
+
+/**
+ * APR LDAP get option function
+ *
+ * This function gets option values from a given LDAP session if
+ * one was specified. It maps to the native ldap_get_option() function.
+ * @param pool The pool to use
+ * @param ldap The LDAP handle
+ * @param option The LDAP_OPT_* option to return
+ * @param outvalue The value returned (if any)
+ * @param result_err The apr_ldap_err_t structure contained detailed results
+ * of the operation.
+ */
+APU_DECLARE(int) apr_ldap_get_option(apr_pool_t *pool,
+ LDAP *ldap,
+ int option,
+ void *outvalue,
+ apr_ldap_err_t **result_err);
+
+/**
+ * APR LDAP set option function
+ *
+ * This function sets option values to a given LDAP session if
+ * one was specified. It maps to the native ldap_set_option() function.
+ *
+ * Where an option is not supported by an LDAP toolkit, this function
+ * will try and apply legacy functions to achieve the same effect,
+ * depending on the platform.
+ * @param pool The pool to use
+ * @param ldap The LDAP handle
+ * @param option The LDAP_OPT_* option to set
+ * @param invalue The value to set
+ * @param result_err The apr_ldap_err_t structure contained detailed results
+ * of the operation.
+ */
+APU_DECLARE(int) apr_ldap_set_option(apr_pool_t *pool,
+ LDAP *ldap,
+ int option,
+ const void *invalue,
+ apr_ldap_err_t **result_err);
+
+#endif /* APR_HAS_LDAP */
+
+/** @} */
+
+#endif /* APR_LDAP_OPTION_H */
+
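Review bot: The APR_LDAP_OPT_TLS_* macros carry no per-value documentation in this header, so a reader cannot tell that NEVER, ALLOW and TRY can leave a session unencrypted while HARD and DEMAND insist on encryption; the meanings are only described in a comment in apr_ldap_init.c. Suggest a one-line doxygen comment on each, e.g. `/** Force STARTTLS on ldap://, as described in apr_ldap_init() */` on APR_LDAP_OPT_TLS_DEMAND, plus a sentence in the block comment noting that the numeric fallbacks 0..4 apply only when the toolkit does not define its own LDAP_OPT_X_TLS_* values. The block comment misspells "deprecated" as "derecated", and both `@param result_err` lines should read "containing detailed results" rather than "contained detailed results". The doxygen should also state that `result_err` must be non-NULL, since the implementation writes through it unconditionally.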
diff --git a/ldap/apr_ldap_init.c b/ldap/apr_ldap_init.c
index b4079dec..e8555c6e 100644
--- a/ldap/apr_ldap_init.c
+++ b/ldap/apr_ldap_init.c
@@ -298,6 +298,16 @@ APU_DECLARE(int) apr_ldap_ssl_deinit(void) {
* to hide the complexity setup from the user. This function
* assumes that any certificate setup necessary has already
* been done.
+ *
+ * If SSL or STARTTLS needs to be enabled, and the underlying
+ * toolkit supports it, the following values are accepted for
+ * secure:
+ *
+ * APR_LDAP_OPT_TLS_NEVER: No encryption
+ * APR_LDAP_OPT_TLS_HARD: SSL encryption (ldaps://)
+ * APR_LDAP_OPT_TLS_DEMAND: Force STARTTLS on ldap://
+ * APR_LDAP_OPT_TLS_ALLOW: Allow STARTTLS on ldap://
+ * APR_LDAP_OPT_TLS_TRY: Optionally try STARTLS on ldap://
*/
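Review bot: The new comment lists the five `secure` values but does not say which of them guarantee an encrypted session: from the descriptions only APR_LDAP_OPT_TLS_HARD and APR_LDAP_OPT_TLS_DEMAND force encryption, ALLOW and TRY are "allow"/"optionally try", and NEVER is plaintext. Suggest adding after the list ` * Only APR_LDAP_OPT_TLS_HARD and APR_LDAP_OPT_TLS_DEMAND require an encrypted session; the remaining modes may leave the connection in cleartext and should not be used where confidentiality is needed.` The TRY line also misspells STARTTLS as "STARTLS". The comment block begins before this hunk and the documented apr_ldap_init() follows it.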
APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
LDAP **ldap,
@@ -333,19 +343,20 @@ APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
#ifdef LDAP_OPT_X_TLS
*ldap = ldap_init(hostname, portno);
if (NULL != *ldap) {
- int SSLmode = LDAP_OPT_X_TLS_HARD;
+ int SSLmode = secure;
result->rc = ldap_set_option(*ldap, LDAP_OPT_X_TLS, &SSLmode);
if (LDAP_SUCCESS != result->rc) {
ldap_unbind_s(*ldap);
- result->reason = "LDAP: ldap_set_option - "
- "LDAP_OPT_X_TLS_HARD failed";
+ result->reason = "LDAP: ldap_set_option failed, "
+ "could not set security mode for "
+ "apr_ldap_init()";
result->msg = ldap_err2string(result->rc);
*ldap = NULL;
return APR_EGENERAL;
}
}
#else
- result->reason = "LDAP: SSL not yet supported by APR on this "
+ result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
"version of the OpenLDAP toolkit";
return APR_ENOTIMPL;
#endif
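Review bot: `int SSLmode = secure;` forwards the caller's integer to LDAP_OPT_X_TLS without checking it is one of the five APR_LDAP_OPT_TLS_* values, so an out-of-range `secure` is handed straight to the toolkit and any rejection surfaces only as the generic "could not set security mode" message. A `switch (secure)` listing the five accepted constants with a `default:` that sets `result->reason = "LDAP: unknown security mode"` and returns APR_EINVAL before ldap_set_option() would make the contract explicit; a range comparison is not a substitute, since the macro values are only sequential 0..4 when the toolkit does not define its own. A short comment on the `SSLmode` line that ALLOW and TRY permit the session to proceed unencrypted when STARTTLS fails would also help callers choose correctly. apr_ldap_init() starts before and continues after this hunk.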
@@ -353,13 +364,46 @@ APU_DECLARE(int) apr_ldap_init(apr_pool_t *pool,
/* microsoft toolkit */
else if (!strcmp(LDAP_VENDOR_NAME, APR_LDAP_VENDOR_MICROSOFT)) {
+ if (APR_LDAP_OPT_TLS_HARD == secure) {
#if APR_HAS_LDAP_SSLINIT
- *ldap = ldap_sslinit((char *)hostname, portno, 1);
+ *ldap = ldap_sslinit((char *)hostname, portno, 1);
#else
- result->reason = "LDAP: SSL not yet supported by APR on "
- "this version of the Microsoft toolkit";
- return APR_ENOTIMPL;
+ result->reason = "LDAP: ldap_sslinit() not yet supported by APR on "
+ "this version of the Microsoft toolkit";
+ return APR_ENOTIMPL;
+#endif
+ }
+ else {
+#if APR_HAS_LDAP_START_TLS_S
+ if (APR_LDAP_OPT_TLS_DEMAND == secure) {
+ *ldap = ldap_init(hostname, portno);
+ if (NULL != *ldap) {
+ result->rc = ldap_start_tls_s(*ldap, NULL, NULL, NULL, NULL);
+ if (LDAP_SUCCESS != result->rc) {
+ ldap_unbind_s(*ldap);
+ result->reason = "LDAP: ldap_start_tls_s() failed, "
+ "could not set STARTTLS mode for "
+ "apr_ldap_init()";
+ result->msg = ldap_err2string(result->rc);
+ *ldap = NULL;
+ return APR_EGENERAL;
+ }
+ }
+ }
+ else {
+ result->reason = "LDAP: APR_LDAP_OPT_TLS_ALLOW and "
+ "APR_LDAP_OPT_TLS_TRY are not supported "
+ "by APR on this version of the Microsoft "
+ "toolkit. Use APR_LDAP_OPT_TLS_DEMAND "
+ "instead to enable STARTTLS";
+ return APR_ENOTIMPL;
+ }
+#else
+ result->reason = "LDAP: ldap_start_tls_s() not yet supported "
+ "by APR on this version of the Microsoft toolkit";
+ return APR_ENOTIMPL;
#endif
+ }
}
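Review bot: On the new STARTTLS path an `ldap_init()` that returns NULL (the `if (NULL != *ldap)` has no else) leaves `*ldap` NULL with `result->reason` unset and the branch falls through to whatever follows the hunk; unless the tail of apr_ldap_init() checks `*ldap`, the caller receives a success code with a NULL handle. The `ldap_sslinit()` call in the HARD branch has the same gap. Suggest mirroring the existing failure path: `else { result->reason = "LDAP: ldap_init() failed"; return APR_EGENERAL; }`. Separately, if a `secure` of APR_LDAP_OPT_TLS_NEVER can reach the `else` branch it is rejected with a message that mentions only ALLOW and TRY, which would mislead; this is fine only if NEVER is filtered out earlier in the function, which is outside the hunk. apr_ldap_init() continues beyond this hunk (the Sun toolkit branch follows).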
/* sun toolkit */
diff --git a/ldap/apr_ldap_option.c b/ldap/apr_ldap_option.c
new file mode 100644
index 00000000..a0aec2d9
--- /dev/null
+++ b/ldap/apr_ldap_option.c
@@ -0,0 +1,103 @@
+/* Copyright 2000-2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* apr_ldap_option.c -- LDAP options
+ *
+ * The LDAP SDK allows the getting and setting of options on an LDAP
+ * connection.
+ *
+ */
+
+#include <apu.h>
+#include <apr_ldap.h>
+#include <apr_errno.h>
+#include <apr_pools.h>
+#include <apr_strings.h>
+
+#if APR_HAS_LDAP
+
+/**
+ * APR LDAP get option function
+ *
+ * This function gets option values from a given LDAP session if
+ * one was specified.
+ */
+APU_DECLARE(int) apr_ldap_get_option(apr_pool_t *pool,
+ LDAP *ldap,
+ int option,
+ void *outvalue,
+ apr_ldap_err_t **result_err) {
+
+ apr_ldap_err_t *result;
+
+ result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t));
+ *result_err = result;
+ if (!result) {
+ return APR_ENOMEM;
+ }
+
+ /* get the option specified using the native LDAP function */
+ result->rc = ldap_get_option(ldap, option, outvalue);
+
+ /* handle the error case */
+ if (LDAP_SUCCESS != result->rc) {
+ result->msg = ldap_err2string(result-> rc);
+ result->reason = apr_pstrdup (pool, "LDAP: Could not get an option");
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+
+}
+
+/**
+ * APR LDAP set option function
+ *
+ * This function sets option values to a given LDAP session if
+ * one was specified.
+ *
+ * Where an option is not supported by an LDAP toolkit, this function
+ * will try and apply legacy functions to achieve the same effect,
+ * depending on the platform.
+ */
+APU_DECLARE(int) apr_ldap_set_option(apr_pool_t *pool,
+ LDAP *ldap,
+ int option,
+ const void *invalue,
+ apr_ldap_err_t **result_err) {
+
+ apr_ldap_err_t *result;
+
+ result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t));
+ *result_err = result;
+ if (!result) {
+ return APR_ENOMEM;
+ }
+
+ /* set the option specified using the native LDAP function */
+ result->rc = ldap_set_option(ldap, option, (void *)invalue);
+
+ /* handle the error case */
+ if (LDAP_SUCCESS != result->rc) {
+ result->msg = ldap_err2string(result-> rc);
+ result->reason = apr_pstrdup (pool, "LDAP: Could not get an option");
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+
+}
+
+#endif /* APR_HAS_LDAP */
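Review bot: apr_ldap_set_option() reports its failure as "LDAP: Could not get an option" — a copy of the get_option message — so a failed set is indistinguishable from a failed get in logs; change it to `result->reason = apr_pstrdup(pool, "LDAP: Could not set an option");`. The comment above the function also promises that unsupported options are emulated with "legacy functions", but the body is a plain pass-through to ldap_set_option() with no fallback, so either trim the comment to what the code does or mark the emulation as a TODO. Both functions write through `result_err` before checking anything, so a NULL `result_err` is a crash; that precondition belongs in the doxygen. Minor style: `result-> rc` and `apr_pstrdup (pool` carry stray spaces.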
diff --git a/libaprutil.dsp b/libaprutil.dsp
index ace7decc..fc06e3c7 100644
--- a/libaprutil.dsp
+++ b/libaprutil.dsp
@@ -217,6 +217,10 @@ SOURCE=.\ldap\apr_ldap_init.c
SOURCE=.\ldap\apr_ldap_url.c
# End Source File
+# Begin Source File
+
+SOURCE=.\ldap\apr_ldap_option.c
+# End Source File
# End Group
# Begin Group "misc"