650b1404
Commit
650b1404
authored
Aug 21, 2020
by
Howard Chu
ITS#9054, #9318 add new TLS options to slapd bindconf
For use with back-ldap/back-meta/syncrepl/etc
parent
608a8223
servers/slapd/config.c
...
...
@@ -1488,8 +1488,10 @@ static slap_cf_aux_table bindkey[] = {
{
BER_BVC
(
"tls_cacert="
),
offsetof
(
slap_bindconf
,
sb_tls_cacert
),
's'
,
1
,
NULL
},
{
BER_BVC
(
"tls_cacertdir="
),
offsetof
(
slap_bindconf
,
sb_tls_cacertdir
),
's'
,
1
,
NULL
},
{
BER_BVC
(
"tls_reqcert="
),
offsetof
(
slap_bindconf
,
sb_tls_reqcert
),
's'
,
0
,
NULL
},
{
BER_BVC
(
"tls_reqsan="
),
offsetof
(
slap_bindconf
,
sb_tls_reqsan
),
's'
,
0
,
NULL
},
{
BER_BVC
(
"tls_cipher_suite="
),
offsetof
(
slap_bindconf
,
sb_tls_cipher_suite
),
's'
,
0
,
NULL
},
{
BER_BVC
(
"tls_protocol_min="
),
offsetof
(
slap_bindconf
,
sb_tls_protocol_min
),
's'
,
0
,
NULL
},
{
BER_BVC
(
"tls_ecname="
),
offsetof
(
slap_bindconf
,
sb_tls_ecname
),
's'
,
0
,
NULL
},
#ifdef HAVE_OPENSSL_CRL
{
BER_BVC
(
"tls_crlcheck="
),
offsetof
(
slap_bindconf
,
sb_tls_crlcheck
),
's'
,
0
,
NULL
},
#endif
...
...
@@ -1855,6 +1857,10 @@ void bindconf_free( slap_bindconf *bc ) {
ch_free
(
bc
->
sb_tls_reqcert
);
bc
->
sb_tls_reqcert
=
NULL
;
}
if
(
bc
->
sb_tls_reqsan
)
{
ch_free
(
bc
->
sb_tls_reqsan
);
bc
->
sb_tls_reqsan
=
NULL
;
}
if
(
bc
->
sb_tls_cipher_suite
)
{
ch_free
(
bc
->
sb_tls_cipher_suite
);
bc
->
sb_tls_cipher_suite
=
NULL
;
...
...
@@ -1863,6 +1869,10 @@ void bindconf_free( slap_bindconf *bc ) {
ch_free
(
bc
->
sb_tls_protocol_min
);
bc
->
sb_tls_protocol_min
=
NULL
;
}
if
(
bc
->
sb_tls_ecname
)
{
ch_free
(
bc
->
sb_tls_ecname
);
bc
->
sb_tls_ecname
=
NULL
;
}
#ifdef HAVE_OPENSSL_CRL
if
(
bc
->
sb_tls_crlcheck
)
{
ch_free
(
bc
->
sb_tls_crlcheck
);
...
...
@@ -1898,6 +1908,11 @@ bindconf_tls_defaults( slap_bindconf *bc )
&
bc
->
sb_tls_cipher_suite
);
if
(
!
bc
->
sb_tls_reqcert
)
bc
->
sb_tls_reqcert
=
ch_strdup
(
"demand"
);
if
(
!
bc
->
sb_tls_reqsan
)
bc
->
sb_tls_reqsan
=
ch_strdup
(
"allow"
);
if
(
!
bc
->
sb_tls_ecname
)
slap_tls_get_config
(
slap_tls_ld
,
LDAP_OPT_X_TLS_ECNAME
,
&
bc
->
sb_tls_ecname
);
#ifdef HAVE_OPENSSL_CRL
if
(
!
bc
->
sb_tls_crlcheck
)
slap_tls_get_config
(
slap_tls_ld
,
LDAP_OPT_X_TLS_CRLCHECK
,
...
...
@@ -1918,7 +1933,7 @@ static struct {
{
"tls_cacert"
,
offsetof
(
slap_bindconf
,
sb_tls_cacert
),
LDAP_OPT_X_TLS_CACERTFILE
},
{
"tls_cacertdir"
,
offsetof
(
slap_bindconf
,
sb_tls_cacertdir
),
LDAP_OPT_X_TLS_CACERTDIR
},
{
"tls_cipher_suite"
,
offsetof
(
slap_bindconf
,
sb_tls_cipher_suite
),
LDAP_OPT_X_TLS_CIPHER_SUITE
},
{
"tls_
protocol_min
"
,
offsetof
(
slap_bindconf
,
sb_tls_
protocol_min
),
LDAP_OPT_X_TLS_
PROTOCOL_MIN
},
{
"tls_
ecname
"
,
offsetof
(
slap_bindconf
,
sb_tls_
ecname
),
LDAP_OPT_X_TLS_
ECNAME
},
{
0
,
0
}
};
...
...
@@ -1951,6 +1966,16 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
res
=
-
1
;
}
}
if
(
bc
->
sb_tls_reqsan
)
{
rc
=
ldap_pvt_tls_config
(
ld
,
LDAP_OPT_X_TLS_REQUIRE_SAN
,
bc
->
sb_tls_reqsan
);
if
(
rc
)
{
Debug
(
LDAP_DEBUG_ANY
,
"bindconf_tls_set: failed to set tls_reqsan to %s
\n
"
,
bc
->
sb_tls_reqsan
);
res
=
-
1
;
}
}
if
(
bc
->
sb_tls_protocol_min
)
{
rc
=
ldap_pvt_tls_config
(
ld
,
LDAP_OPT_X_TLS_PROTOCOL_MIN
,
bc
->
sb_tls_protocol_min
);
...
...
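Review bot: In bindconf_tls_defaults the new `tls_reqsan` default is a bare `ch_strdup( "allow" )` with no comment on why that level was chosen, whereas the neighbouring `tls_ecname`, `tls_cipher_suite` and `tls_protocol_min` defaults are inherited from slapd's own TLS settings via slap_tls_get_config; a why-comment on that line, e.g. `/* NOTE: "allow" appears to be libldap's own TLS_REQSAN default — confirm against ldap.conf(5) before tightening */`, would tell the next reader the permissive level is deliberate rather than an oversight (the function starts and ends outside the hunk). As far as these hunks show, the `tls_reqsan=` keyword is accepted as an arbitrary string by its bindkey entry (type `'s'`), and the value is only checked when bindconf_tls_set hands it to ldap_pvt_tls_config, where a bad level is logged at LDAP_DEBUG_ANY and becomes `res = -1` at connection setup rather than being rejected at config load; that mirrors the existing `tls_reqcert` handling, so it is worth stating where the keyword is documented. The two changed files do not touch the slapd.conf(5)/slapd-config(5) bindconf keyword descriptions, so presumably `tls_reqsan` and `tls_ecname` still need to be added there.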
servers/slapd/slap.h
...
...
@@ -1651,8 +1651,10 @@ typedef struct slap_bindconf {
char
*
sb_tls_cacert
;
char
*
sb_tls_cacertdir
;
char
*
sb_tls_reqcert
;
char
*
sb_tls_reqsan
;
char
*
sb_tls_cipher_suite
;
char
*
sb_tls_protocol_min
;
char
*
sb_tls_ecname
;
#ifdef HAVE_OPENSSL_CRL
char
*
sb_tls_crlcheck
;
#endif
...
...