Bradley Baetz authored 7 years ago and Quanah Gibson-Mount committed 7 years ago

Use the new methods unconditionally, define helper functions for older versions.

Ondřej Kuzník authored 7 years ago and Quanah Gibson-Mount committed 7 years ago

Maintain the SSF across SASL binds.

Howard Chu authored 7 years ago and Quanah Gibson-Mount committed 7 years ago

Must release cookieState->cs_mutex before invoking backend.
Add a condvar to serialize calls of updateCookie, so we can
release the mutex and still update sequentially.

Also added tid logging, useful in conjunction with
7ab0e1aff0cc48cdfb299ca7dbd27900a9e3d1a8

Howard Chu authored 7 years ago and Quanah Gibson-Mount committed 7 years ago

Make sure it's last in callback stack

Michael Ströder authored 7 years ago and Quanah Gibson-Mount committed 7 years ago

ITS#8692 let back-sock generate increment: line in case of LDAP_MOD_INCREMENT (see RFC 4525, section 3)

Jan Vcelak authored 12 years ago and Quanah Gibson-Mount committed 7 years ago

If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
certificate database, the backend assumed that the certificate is always
located in the certificate database. This assumption might be wrong.

This patch makes the library to try to load the certificate from NSS
database and fallback to PEM file if unsuccessfull.

ITS#8687 - EGD is disabled by default in OpenSSL 1.1. We need to comment out this block if it is not detected. Particularly affects cross compilation.

ITS#8121 - Note ldap_sasl_bind and ldap_sasl_bind_s can be used to make simple binds via the LDAP_SASL_SIMPLE mechanism

Jan Vcelak authored 12 years ago and Quanah Gibson-Mount committed 7 years ago

CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
file extension was '.0'. However the file name should be 8 letters long
certificate hash of the certificate subject name, followed by a numeric
suffix which is used to differentiate between two certificates with the
same subject name.

Wit this patch, certificate file names are matched correctly (using
regular expressions).

Jan Vcelak authored 12 years ago and Quanah Gibson-Mount committed 7 years ago

If multiple servers are specified, the connection to the first one
succeeds, and the hostname verification fails, *tls_session is not
dropped, but reused when connecting to the second server.

This is a problem with Mozilla NSS backend because another handshake
cannot be performed on the same file descriptor. From this reason,
hostname checking was moved into ldap_int_tls_connect() before
connection error handling.