
(-)modules/experimental/util_ldap.c.orig (-6 / +124 lines)
Lines 247-252 Link Here
247
    int failures = 0;
247
    int failures = 0;
248
    int version  = LDAP_VERSION3;
248
    int version  = LDAP_VERSION3;
249
    int rc = LDAP_SUCCESS;
249
    int rc = LDAP_SUCCESS;
250
    int tls_rc;
250
    struct timeval timeOut = {10,0};    /* 10 second connection timeout */
251
    struct timeval timeOut = {10,0};    /* 10 second connection timeout */
251
252
252
    util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
253
    util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
Lines 310-315 Link Here
310
                ldc->reason = "LDAP: ssl connections not supported";
311
                ldc->reason = "LDAP: ssl connections not supported";
311
        }
312
        }
312
313
314
315
        /* Set the alias dereferencing option */
316
        ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
317
318
        /* always default to LDAP V3 */
319
        ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
320
321
        #if APR_HAS_OPENLDAP_LDAPSDK & APR_HAS_LDAP_SSL
322
        if (st->ssl_support && st->start_tls) {
323
            tls_rc = ldap_start_tls_s(ldc->ldap, NULL, NULL);
324
            if (tls_rc) {
325
               ldc->reason = sprintf("LDAP: tls failure: %s", ldap_err2string(tls_rc));
326
               ldc->ldap = NULL;
327
            }
328
        }
329
        #endif /* APR_HAS_OPENLDAP_LDAPSDK & APR_HAS_LDAP_SSL */
330
313
        if (NULL == ldc->ldap)
331
        if (NULL == ldc->ldap)
314
        {
332
        {
315
            ldc->bound = 0;
333
            ldc->bound = 0;
Lines 318-329 Link Here
318
            return(-1);
336
            return(-1);
319
        }
337
        }
320
338
321
        /* Set the alias dereferencing option */
322
        ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
323
324
        /* always default to LDAP V3 */
325
        ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
326
327
#ifdef LDAP_OPT_NETWORK_TIMEOUT
339
#ifdef LDAP_OPT_NETWORK_TIMEOUT
328
        if (st->connectionTimeout > 0) {
340
        if (st->connectionTimeout > 0) {
329
            timeOut.tv_sec = st->connectionTimeout;
341
            timeOut.tv_sec = st->connectionTimeout;
Lines 1327-1332 Link Here
1327
    return(NULL);
1339
    return(NULL);
1328
}
1340
}
1329
1341
1342
static const char *util_ldap_set_cert_key(cmd_parms *cmd, void *dummy, const char *file)
1343
{
1344
    util_ldap_state_t *st = 
1345
        (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, 
1346
						  &ldap_module);
1347
    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
1348
    apr_finfo_t finfo;
1349
    apr_status_t rv;
1350
1351
    if (err != NULL) {
1352
        return err;
1353
    }
1354
1355
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, 
1356
                      "LDAP: SSL certificate key file - %s", 
1357
                       file);
1358
1359
    st->cert_key_file = ap_server_root_relative(cmd->pool, file);
1360
1361
    if (st->cert_key_file && 
1362
        ((rv = apr_stat (&finfo, st->cert_key_file, APR_FINFO_MIN, cmd->pool)) != APR_SUCCESS))
1363
    {
1364
        ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server, 
1365
                     "LDAP: Could not open SSL trusted certificate authority file - %s", 
1366
                     st->cert_key_file == NULL ? file : st->cert_key_file);
1367
        return "Invalid file path";
1368
    }
1369
1370
    return(NULL);
1371
}
1372
1373
static const char *util_ldap_set_cert(cmd_parms *cmd, void *dummy, const char *file)
1374
{
1375
    util_ldap_state_t *st = 
1376
        (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, 
1377
						  &ldap_module);
1378
    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
1379
    apr_finfo_t finfo;
1380
    apr_status_t rv;
1381
1382
    if (err != NULL) {
1383
        return err;
1384
    }
1385
1386
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, 
1387
                      "LDAP: SSL certificate file - %s", file);
1388
1389
    st->cert_file = ap_server_root_relative(cmd->pool, file);
1390
1391
    if (st->cert_file && 
1392
        ((rv = apr_stat (&finfo, st->cert_file, APR_FINFO_MIN, cmd->pool)) != APR_SUCCESS))
1393
    {
1394
        ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server, 
1395
                     "LDAP: Could not open SSL trusted certificate authority file - %s", 
1396
                     st->cert_file == NULL ? file : st->cert_file);
1397
        return "Invalid file path";
1398
    }
1399
1400
    return(NULL);
1401
}
1402
1403
static const char *util_ldap_set_start_tls(cmd_parms *cmd, void *dummy, int flag)
1404
{
1405
    util_ldap_state_t *st = 
1406
        (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, 
1407
						  &ldap_module);
1408
    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
1409
1410
    if (err != NULL) {
1411
        return err;
1412
    }
1413
1414
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, 
1415
                      "LDAP: Start TLS is: %s", (flag)?"on":"off");
1416
1417
    st->start_tls = flag;
1418
    return(NULL);
1419
}
1330
1420
1331
static const char *util_ldap_set_cert_type(cmd_parms *cmd, void *dummy, const char *Type)
1421
static const char *util_ldap_set_cert_type(cmd_parms *cmd, void *dummy, const char *Type)
1332
{
1422
{
Lines 1395-1400 Link Here
1395
    st->compare_cache_ttl = 600000000;
1485
    st->compare_cache_ttl = 600000000;
1396
    st->compare_cache_size = 1024;
1486
    st->compare_cache_size = 1024;
1397
    st->connections = NULL;
1487
    st->connections = NULL;
1488
    st->start_tls = 0;
1489
    st->cert_key_file = NULL;
1490
    st->cert_file = NULL;
1398
    st->cert_auth_file = NULL;
1491
    st->cert_auth_file = NULL;
1399
    st->cert_file_type = LDAP_CA_TYPE_UNKNOWN;
1492
    st->cert_file_type = LDAP_CA_TYPE_UNKNOWN;
1400
    st->ssl_support = 0;
1493
    st->ssl_support = 0;
Lines 1600-1605 Link Here
1600
            if (st->cert_file_type == LDAP_CA_TYPE_BASE64)
1693
            if (st->cert_file_type == LDAP_CA_TYPE_BASE64)
1601
            {
1694
            {
1602
                rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, st->cert_auth_file);
1695
                rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, st->cert_auth_file);
1696
                ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, s, 
1697
                             "CACERTFILE: %s", st->cert_auth_file);
1698
1699
                if (LDAP_SUCCESS == rc && st->cert_file != NULL) {
1700
                  rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, st->cert_file);
1701
                  ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, s, 
1702
                               "CERTFILE: %s", st->cert_file);
1703
                }
1704
1705
                if (LDAP_SUCCESS == rc && st->cert_key_file != NULL) {
1706
                  rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, st->cert_key_file);
1707
                  ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, s, 
1708
                               "CERTKEYFILE: %s", st->cert_key_file);
1709
                }
1603
            }
1710
            }
1604
            else
1711
            else
1605
            {
1712
            {
Lines 1734-1739 Link Here
1734
                  "Specifies the LDAP socket connection timeout in seconds. "
1841
                  "Specifies the LDAP socket connection timeout in seconds. "
1735
                  "Default is 10 seconds. "),
1842
                  "Default is 10 seconds. "),
1736
1843
1844
    AP_INIT_TAKE1("LDAPCertificateKey", util_ldap_set_cert_key, NULL, RSRC_CONF,
1845
                  "Sets the file containing the trusted key certificate. "
1846
                  "Used to validate the LDAP server certificate for SSL connections."),
1847
 
1848
    AP_INIT_TAKE1("LDAPCertificate", util_ldap_set_cert, NULL, RSRC_CONF,
1849
                  "Sets the file containing the trusted certificate. "
1850
                  "Used to validate the LDAP server certificate for SSL connections."),
1851
1852
    AP_INIT_FLAG("LDAPStartTLS", util_ldap_set_start_tls, NULL, RSRC_CONF,
1853
                 "Set to 'on' if you want to use Start TLS to connect to your LDAP server."),
1854
1737
    {NULL}
1855
    {NULL}
1738
};
1856
};
1739
1857
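Review bot: The `ldap_start_tls_s` failure path in the hunk at old lines 310-315 (new lines 323-327) stores `sprintf("LDAP: tls failure: %s", ldap_err2string(tls_rc))` in `ldc->reason`; `sprintf` takes a destination buffer as its first argument, so this writes into a string literal, uses the LDAP error text as the format string, and assigns an `int` to a `char *`. Build the message from a pool instead, e.g. `ldc->reason = apr_psprintf(ldc->pool, "LDAP: tls failure: %s", ldap_err2string(tls_rc));` (the connection's pool member is not visible in this hunk; use whichever pool `ldc` was allocated from). The same branch sets `ldc->ldap = NULL` without releasing the handle, so every failed StartTLS leaks the LDAP connection; add `ldap_unbind_s(ldc->ldap);` immediately before that assignment. The enclosing function begins before this hunk. Separately, `util_ldap_set_cert_key` and `util_ldap_set_cert` (hunk at 1327) both log "Could not open SSL trusted certificate authority file", copied from the CA-file handler, and the `LDAPCertificateKey` help text says the key is "Used to validate the LDAP server certificate", whereas the 1600 hunk passes these files as `LDAP_OPT_X_TLS_CERTFILE`/`LDAP_OPT_X_TLS_KEYFILE`, i.e. the client certificate and key; both strings should say so.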
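--- a/include/util_ldap.h
+++ b/include/util_ldap.h
@@ -114,6 +114,9 @@
     long compare_cache_size;    /* Size (in entries) of compare cache */
 
     struct util_ldap_connection_t *connections;
+    int   start_tls;
+    char *cert_key_file; 
+    char *cert_file; 
     char *cert_auth_file; 
     int   cert_file_type;
     int   ssl_support;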
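Review bot: The three new members at new lines 117-119 carry no comment, while the neighbouring members of this struct do; from the .c hunks they hold the StartTLS flag and the client certificate and private-key paths set by the `LDAPStartTLS`, `LDAPCertificate` and `LDAPCertificateKey` directives. Suggest `int   start_tls;       /* Use StartTLS on the plain connection (LDAPStartTLS) */`, `char *cert_key_file;   /* Client private key file (LDAPCertificateKey) */` and `char *cert_file;       /* Client certificate file (LDAPCertificate) */`. The struct's opening and closing lines are outside this hunk.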
