Commit 1cc1f9b1 authored by Howard Chu's avatar Howard Chu
Browse files

Make syncrepl inherit default TLS settings from main slapd config (except

for reqcert, default demand)
parent 813cca89
......@@ -3094,22 +3094,9 @@ config_tls_option(ConfigArgs *c) {
static int
config_tls_config(ConfigArgs *c) {
int i, flag;
slap_verbmasks crlkeys[] = {
{ BER_BVC("none"), LDAP_OPT_X_TLS_CRL_NONE },
{ BER_BVC("peer"), LDAP_OPT_X_TLS_CRL_PEER },
{ BER_BVC("all"), LDAP_OPT_X_TLS_CRL_ALL },
{ BER_BVNULL, 0 }
};
slap_verbmasks vfykeys[] = {
{ BER_BVC("never"), LDAP_OPT_X_TLS_NEVER },
{ BER_BVC("demand"), LDAP_OPT_X_TLS_DEMAND },
{ BER_BVC("try"), LDAP_OPT_X_TLS_TRY },
{ BER_BVC("hard"), LDAP_OPT_X_TLS_HARD },
{ BER_BVNULL, 0 }
}, *keys;
switch(c->type) {
case CFG_TLS_CRLCHECK: flag = LDAP_OPT_X_TLS_CRLCHECK; keys = crlkeys; break;
case CFG_TLS_VERIFY: flag = LDAP_OPT_X_TLS_REQUIRE_CERT; keys = vfykeys; break;
case CFG_TLS_CRLCHECK: flag = LDAP_OPT_X_TLS_CRLCHECK; break;
case CFG_TLS_VERIFY: flag = LDAP_OPT_X_TLS_REQUIRE_CERT; break;
default:
Debug(LDAP_DEBUG_ANY, "%s: "
"unknown tls_option <0x%x>\n",
......@@ -3117,14 +3104,7 @@ config_tls_config(ConfigArgs *c) {
return 1;
}
if (c->op == SLAP_CONFIG_EMIT) {
ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int );
for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
if (keys[i].mask == c->value_int) {
c->value_string = ch_strdup( keys[i].word.bv_val );
return 0;
}
}
return 1;
return slap_tls_get_config( slap_tls_ld, flag, &c->value_string );
} else if ( c->op == LDAP_MOD_DELETE ) {
int i = 0;
return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i );
......
......@@ -998,6 +998,21 @@ static slap_verbmasks tlskey[] = {
{ BER_BVC("critical"), SB_TLS_CRITICAL },
{ BER_BVNULL, 0 }
};
static slap_verbmasks crlkeys[] = {
{ BER_BVC("none"), LDAP_OPT_X_TLS_CRL_NONE },
{ BER_BVC("peer"), LDAP_OPT_X_TLS_CRL_PEER },
{ BER_BVC("all"), LDAP_OPT_X_TLS_CRL_ALL },
{ BER_BVNULL, 0 }
};
static slap_verbmasks vfykeys[] = {
{ BER_BVC("never"), LDAP_OPT_X_TLS_NEVER },
{ BER_BVC("demand"), LDAP_OPT_X_TLS_DEMAND },
{ BER_BVC("try"), LDAP_OPT_X_TLS_TRY },
{ BER_BVC("hard"), LDAP_OPT_X_TLS_HARD },
{ BER_BVNULL, 0 }
};
#endif
static slap_verbmasks methkey[] = {
......@@ -1232,6 +1247,33 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0
return 0;
}
int
slap_tls_get_config( LDAP *ld, int opt, char **val )
{
slap_verbmasks *keys;
int i, ival;
*val = NULL;
switch( opt ) {
case LDAP_OPT_X_TLS_CRLCHECK:
keys = crlkeys;
break;
case LDAP_OPT_X_TLS_REQUIRE_CERT:
keys = vfykeys;
break;
default:
return -1;
}
ldap_pvt_tls_get_option( ld, opt, &ival );
for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
if (keys[i].mask == ival) {
*val = ch_strdup( keys[i].word.bv_val );
return 0;
}
}
return -1;
}
int
bindconf_parse( const char *word, slap_bindconf *bc )
{
......@@ -1324,6 +1366,37 @@ void bindconf_free( slap_bindconf *bc ) {
#endif
}
void
bindconf_tls_defaults( slap_bindconf *bc )
{
#ifdef HAVE_TLS
if ( bc->sb_tls_do_init ) {
if ( !bc->sb_tls_cacert )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTFILE,
&bc->sb_tls_cacert );
if ( !bc->sb_tls_cacertdir )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTDIR,
&bc->sb_tls_cacertdir );
if ( !bc->sb_tls_cert )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CERTFILE,
&bc->sb_tls_cert );
if ( !bc->sb_tls_key )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_KEYFILE,
&bc->sb_tls_key );
if ( !bc->sb_tls_cipher_suite )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
&bc->sb_tls_cipher_suite );
if ( !bc->sb_tls_reqcert )
bc->sb_tls_reqcert = ch_strdup("demand");
#ifdef HAVE_OPENSSL_CRL
if ( !bc->sb_tls_crlcheck )
slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
&bc->sb_tls_crlcheck );
#endif
}
#endif
}
#ifdef HAVE_TLS
static struct {
const char *key;
......
......@@ -632,6 +632,9 @@ LDAP_SLAPD_F (int) slap_verbmasks_init LDAP_P(( slap_verbmasks **vp, slap_verbma
LDAP_SLAPD_F (int) slap_verbmasks_destroy LDAP_P(( slap_verbmasks *v ));
LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp,
slap_mask_t m, struct berval *v, slap_mask_t *ignore ));
LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P((
LDAP *ld, int opt, char **val ));
LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
const char *word, slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
......
......@@ -3248,6 +3248,11 @@ add_syncrepl(
if ( !si->si_re )
rc = -1;
}
#ifdef HAVE_TLS
/* Use main slapd defaults */
bindconf_tls_defaults( &si->si_bindconf );
#endif
if ( rc < 0 ) {
Debug( LDAP_DEBUG_ANY, "failed to add syncinfo\n", 0, 0, 0 );
syncinfo_free( si );
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment