Commit a6a8fb51 authored by Howard Chu's avatar Howard Chu

Add TLS context configuration

parent 7bcca306
......@@ -247,6 +247,9 @@ typedef struct ldapinfo_t {
LDAP_URLLIST_PROC *li_urllist_f;
void *li_urllist_p;
/* we only care about the TLS options here */
slap_bindconf li_tls;
slap_bindconf li_acl;
#define li_acl_authcID li_acl.sb_authcId
#define li_acl_authcDN li_acl.sb_binddn
......@@ -276,27 +279,29 @@ typedef struct ldapinfo_t {
#define LDAP_BACK_F_USE_TLS (0x00000002U)
#define LDAP_BACK_F_PROPAGATE_TLS (0x00000004U)
#define LDAP_BACK_F_TLS_CRITICAL (0x00000008U)
#define LDAP_BACK_F_TLS_LDAPS (0x00000010U)
#define LDAP_BACK_F_TLS_USE_MASK (LDAP_BACK_F_USE_TLS|LDAP_BACK_F_TLS_CRITICAL)
#define LDAP_BACK_F_TLS_PROPAGATE_MASK (LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
#define LDAP_BACK_F_TLS_MASK (LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK)
#define LDAP_BACK_F_CHASE_REFERRALS (0x00000010U)
#define LDAP_BACK_F_PROXY_WHOAMI (0x00000020U)
#define LDAP_BACK_F_TLS_MASK (LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK|LDAP_BACK_F_TLS_LDAPS)
#define LDAP_BACK_F_CHASE_REFERRALS (0x00000020U)
#define LDAP_BACK_F_PROXY_WHOAMI (0x00000040U)
#define LDAP_BACK_F_T_F (0x00000040U)
#define LDAP_BACK_F_T_F_DISCOVER (0x00000080U)
#define LDAP_BACK_F_T_F (0x00000080U)
#define LDAP_BACK_F_T_F_DISCOVER (0x00000100U)
#define LDAP_BACK_F_T_F_MASK (LDAP_BACK_F_T_F)
#define LDAP_BACK_F_T_F_MASK2 (LDAP_BACK_F_T_F_MASK|LDAP_BACK_F_T_F_DISCOVER)
#define LDAP_BACK_F_MONITOR (0x00000100U)
#define LDAP_BACK_F_SINGLECONN (0x00000200U)
#define LDAP_BACK_F_USE_TEMPORARIES (0x00000400U)
#define LDAP_BACK_F_MONITOR (0x00000200U)
#define LDAP_BACK_F_SINGLECONN (0x00000400U)
#define LDAP_BACK_F_USE_TEMPORARIES (0x00000800U)
#define LDAP_BACK_F_ISOPEN (0x00000800U)
#define LDAP_BACK_F_ISOPEN (0x00001000U)
#define LDAP_BACK_F_CANCEL_ABANDON (0x00000000U)
#define LDAP_BACK_F_CANCEL_IGNORE (0x00001000U)
#define LDAP_BACK_F_CANCEL_EXOP (0x00002000U)
#define LDAP_BACK_F_CANCEL_EXOP_DISCOVER (0x00004000U)
#define LDAP_BACK_F_CANCEL_IGNORE (0x00002000U)
#define LDAP_BACK_F_CANCEL_EXOP (0x00004000U)
#define LDAP_BACK_F_CANCEL_EXOP_DISCOVER (0x00008000U)
#define LDAP_BACK_F_CANCEL_MASK (LDAP_BACK_F_CANCEL_IGNORE|LDAP_BACK_F_CANCEL_EXOP)
#define LDAP_BACK_F_CANCEL_MASK2 (LDAP_BACK_F_CANCEL_MASK|LDAP_BACK_F_CANCEL_EXOP_DISCOVER)
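Review bot: The new `LDAP_BACK_F_TLS_LDAPS` bit in the `@@ -276,27 +279,29 @@` hunk carries no comment, unlike the new `li_tls` field, and its mask membership is easy to misread: it is folded into `LDAP_BACK_F_TLS_MASK` (so it is cleared whenever the tls mode is reassigned) but not into `LDAP_BACK_F_TLS_USE_MASK` or `LDAP_BACK_F_TLS_PROPAGATE_MASK`. I'd add on that line `/* selected by tls mode "ldaps"; part of TLS_MASK only, not of the USE/PROPAGATE masks */`. Shifting every flag from `LDAP_BACK_F_CHASE_REFERRALS` upward is fine for in-memory use, but if any of these numeric values are logged or persisted elsewhere they would need a matching update, which cannot be checked from this hunk.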
......
......@@ -127,7 +127,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs,
ldap_back_send_t sendok, struct berval *binddn, struct berval *bindcred );
static int
ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs,
ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs,
ldap_back_send_t sendok );
static int
......@@ -610,7 +610,7 @@ retry:;
#endif /* HAVE_TLS */
static int
ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
{
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
int version;
......@@ -618,10 +618,9 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
#ifdef HAVE_TLS
int is_tls = op->o_conn->c_is_tls;
time_t lc_time = (time_t)(-1);
slap_bindconf *sb;
#endif /* HAVE_TLS */
assert( lcp != NULL );
ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
rs->sr_err = ldap_initialize( &ld, li->li_uri );
ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
......@@ -661,6 +660,19 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
}
#ifdef HAVE_TLS
if ( LDAP_BACK_CONN_ISPRIV( lc ))
sb = &li->li_acl;
else if ( LDAP_BACK_CONN_ISIDASSERT( lc ))
sb = &li->li_idassert.si_bc;
else
sb = &li->li_tls;
if ( sb->sb_tls_do_init ) {
bindconf_tls_set( sb, ld );
} else if ( sb->sb_tls_ctx ) {
ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
}
ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls,
li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text );
......@@ -675,21 +687,17 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
}
#endif /* HAVE_TLS */
if ( *lcp == NULL ) {
*lcp = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) );
(*lcp)->lc_flags = li->li_flags;
}
(*lcp)->lc_ld = ld;
(*lcp)->lc_refcnt = 1;
(*lcp)->lc_binding = 1;
lc->lc_ld = ld;
lc->lc_refcnt = 1;
lc->lc_binding = 1;
#ifdef HAVE_TLS
if ( is_tls ) {
LDAP_BACK_CONN_ISTLS_SET( *lcp );
LDAP_BACK_CONN_ISTLS_SET( lc );
} else {
LDAP_BACK_CONN_ISTLS_CLEAR( *lcp );
LDAP_BACK_CONN_ISTLS_CLEAR( lc );
}
if ( lc_time != (time_t)(-1) ) {
(*lcp)->lc_time = lc_time;
lc->lc_time = lc_time;
}
#endif /* HAVE_TLS */
......@@ -706,7 +714,7 @@ error_return:;
} else {
if ( li->li_conn_ttl > 0 ) {
(*lcp)->lc_create_time = op->o_time;
lc->lc_create_time = op->o_time;
}
}
......@@ -892,7 +900,11 @@ retry_lock:
/* Looks like we didn't get a bind. Open a new session... */
if ( lc == NULL ) {
if ( ldap_back_prepare_conn( &lc, op, rs, sendok ) != LDAP_SUCCESS ) {
lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) );
lc->lc_flags = li->li_flags;
lc->lc_lcflags = lc_curr.lc_lcflags;
if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) {
ch_free( lc );
return NULL;
}
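Review bot: The return values of `bindconf_tls_set( sb, ld )` and `ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx )` in the `@@ -661,6 +660,19 @@` hunk are discarded, so a TLS configuration that fails to apply (for example an unreadable certificate or CA path in the selected bindconf) leaves `ld` with libldap's default trust settings rather than the configured ones, and the subsequent `ldap_back_start_tls` proceeds as if the configuration had taken effect. Both calls should fail the connection when they report an error, e.g. `if ( bindconf_tls_set( sb, ld ) ) { rs->sr_err = LDAP_OTHER; goto error_return; }` with the same treatment for `ldap_set_option`; the error convention of `bindconf_tls_set` is not visible here, so confirm whether non-zero means failure. The `error_return` label belongs to a later hunk of the same function, whose body extends beyond what is shown. Separately, the removed `assert( lcp != NULL )` has no counterpart for `lc`, although the only caller shown allocates it immediately before the call.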
......
......@@ -83,7 +83,7 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "tls", "what", 2, 2, 0,
{ "tls", "what", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_TLS,
ldap_back_cf_gen, "( OLcfgDbAt:3.1 "
"NAME 'olcDbStartTLS' "
......@@ -352,6 +352,7 @@ static slap_verbmasks tls_mode[] = {
{ BER_BVC( "try-propagate" ), LDAP_BACK_F_PROPAGATE_TLS },
{ BER_BVC( "start" ), LDAP_BACK_F_TLS_USE_MASK },
{ BER_BVC( "try-start" ), LDAP_BACK_F_USE_TLS },
{ BER_BVC( "ldaps" ), LDAP_BACK_F_TLS_LDAPS },
{ BER_BVC( "none" ), LDAP_BACK_F_NONE },
{ BER_BVNULL, 0 }
};
......@@ -712,6 +713,7 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
return 1;
}
}
bindconf_tls_defaults( &si->si_bc );
return 0;
}
......@@ -776,10 +778,23 @@ ldap_back_cf_gen( ConfigArgs *c )
}
break;
case LDAP_BACK_CFG_TLS:
case LDAP_BACK_CFG_TLS: {
struct berval bc = BER_BVNULL, bv2;
enum_to_verb( tls_mode, ( li->li_flags & LDAP_BACK_F_TLS_MASK ), &bv );
assert( !BER_BVISNULL( &bv ) );
value_add_one( &c->rvalue_vals, &bv );
bindconf_tls_unparse( &li->li_tls, &bc );
if ( !BER_BVISEMPTY( &bc )) {
bv2.bv_len = bv.bv_len + bc.bv_len + 1;
bv2.bv_val = ch_malloc(bv2.bv_len + 1 );
strcpy( bv2.bv_val, bv.bv_val );
bv2.bv_val[bv.bv_len] = ' ';
strcpy( bv2.bv_val+bv.bv_len+1, bc.bv_val );
ber_bvarray_add( &c->rvalue_vals, &bv2 );
} else {
value_add_one( &c->rvalue_vals, &bv );
}
}
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
......@@ -1379,6 +1394,13 @@ done_url:;
}
li->li_flags &= ~LDAP_BACK_F_TLS_MASK;
li->li_flags |= tls_mode[i].mask;
if ( c->argc > 2 ) {
for ( i=0; i<c->argc; i++ ) {
if ( bindconf_tls_parse( c->argv[i], &li->li_tls ))
return 1;
}
bindconf_tls_defaults( &li->li_tls );
}
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
......@@ -1437,6 +1459,7 @@ done_url:;
return 1;
}
}
bindconf_tls_defaults( &li->li_acl );
break;
case LDAP_BACK_CFG_IDASSERT_MODE:
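Review bot: The loop `for ( i=0; i<c->argc; i++ )` in the `@@ -1379,6 +1394,13 @@` hunk feeds `c->argv[0]` (the `tls` keyword itself) and `c->argv[1]` (the mode verb already consumed into `li->li_flags` just above) to `bindconf_tls_parse`, which per the slapd hunk below returns -1 for any word it does not recognise, so a directive of the form `tls start <tls-option>=<value>` would be rejected as soon as the extra arguments this commit enables are used; the loop should begin at the first extra argument, `for ( i=2; i<c->argc; i++ ) {`. Reusing `i` after it indexed `tls_mode` is harmless since the mask has already been applied. In the `LDAP_BACK_CFG_TLS` unparse hunk, `bc` starts as `BER_BVNULL`, is filled by `bindconf_tls_unparse` and copied into `bv2`, but its `bv_val` is never released; if the unparse helper allocates (likely, given the caller-owned berval), add `ber_memfree( bc.bv_val );` after the `ber_bvarray_add`.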
......
......@@ -1275,14 +1275,31 @@ slap_tls_get_config( LDAP *ld, int opt, char **val )
}
int
bindconf_parse( const char *word, slap_bindconf *bc )
bindconf_tls_parse( const char *word, slap_bindconf *bc )
{
#ifdef HAVE_TLS
/* Detect TLS config changes explicitly */
if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) {
bc->sb_tls_do_init = 1;
return 0;
}
#endif
return -1;
}
int
bindconf_tls_unparse( slap_bindconf *bc, struct berval *bv )
{
return slap_cf_aux_table_unparse( bc, bv, aux_TLS );
}
int
bindconf_parse( const char *word, slap_bindconf *bc )
{
#ifdef HAVE_TLS
/* Detect TLS config changes explicitly */
if ( bindconf_tls_parse( word, bc ) == 0 ) {
return 0;
}
#endif
return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" );
}
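Review bot: `bindconf_tls_parse` and `bindconf_tls_unparse` become public entry points in this commit (they are declared in proto-slap.h below) without any statement of their contract, and the `bc->sb_tls_do_init = 1` side effect is exactly what `ldap_back_prepare_conn` keys on to rebuild the TLS context, which a caller cannot learn from the prototype. I'd put above `bindconf_tls_parse` a comment such as `/* Parse one TLS config word into bc. Returns 0 and sets sb_tls_do_init so the next connection rebuilds its TLS context on a match, -1 otherwise (always -1 without HAVE_TLS). */` and above `bindconf_tls_unparse` one noting that it writes into a caller-owned berval. Also, `bindconf_tls_unparse` references `aux_TLS` with no `HAVE_TLS` guard while the parser wraps its use; if `aux_TLS` is only defined under `HAVE_TLS`, a non-TLS build will not compile, so check how the table is declared earlier in this file.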
......
......@@ -635,6 +635,10 @@ LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp,
LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P((
LDAP *ld, int opt, char **val ));
LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_tls_parse LDAP_P((
const char *word, slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_tls_unparse LDAP_P((
slap_bindconf *bc, struct berval *bv ));
LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
const char *word, slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
......