
RE: commit: ldap/libraries/libldap tls.c



At 01:06 AM 4/25/2004, Howard Chu wrote:
>I have the feeling that the best fix for ITS#3109 is to alter the
>ldap_pvt_tls_set_option stuff to immediately operate on the TLS context,
>otherwise any settings made after the default context is initialized are
>ignored.

I'm concerned that sharing the 'default' context between multiple
callers (slapd, nssldap) of the API, or even between different
'uses' (frontend, backends) by one caller, may lead to inappropriate
settings.

Unfortunately, the API is designed such that data not associated
with a particular LDAP session is global.  Without redesigning
the whole API, it is hard to fix properly.

For now, I think we should only worry about separating the
default context used for server function (slapd frontend)
from the default context used for client operations
(nssldap, back-ldap, syncrepl).

I'm not sure what is the best approach yet (it's way too early
in the morning for me to think through the choices :-).

>I considered modifying slapd to set up a custom context as well, but what
>that means for things like back-ldap and syncrepl becomes murky.

>Another possibility that came to mind is to have a ldap_pvt_tls_new_ctx() to
>allocate a new context pointer, and ldap_pvt_tls_set_ctx() to write the
>current pvt_tls_options into a given ctx. Then ldap_pvt_tls_init_def_ctx()
>can be rewritten to use these two functions, and we can also easily establish
>other contexts when multiple contexts are desired.
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support
>
>> -----Original Message-----
>> From: owner-openldap-commit@OpenLDAP.org
>> [mailto:owner-openldap-commit@OpenLDAP.org]On Behalf Of
>> kurt@OpenLDAP.org
>> Sent: Saturday, April 24, 2004 7:47 PM
>> To: OpenLDAP Commit
>> Subject: commit: ldap/libraries/libldap tls.c
>>
>>
>> Update of /repo/OpenLDAP/pkg/ldap/libraries/libldap
>>
>> Modified Files:
>>       tls.c  1.110 -> 1.111
>>
>> Log Message:
>> back out last change
>>
>>
>> CVS Web URLs:
>>   http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/
>>     http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls.c
>>
>> Changes are generally available on cvs.openldap.org (and CVSweb)
>> within 30 minutes of being committed.
>>
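
A toy C model of the behaviour discussed in this thread, added here as an illustration and not taken from libldap or from either poster: options are process-global, the shared default context copies them on first use, and later changes are ignored, while separately filled contexts keep server and client settings apart. All `toy_*` names, struct fields and file paths are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Toy model only, not libldap code: every name here is hypothetical. */
struct tls_opts { char cacert[64]; int require_cert; };
struct tls_ctx  { struct tls_opts snap; int ready; };

static struct tls_opts g_opts;     /* process-global options */
static struct tls_ctx  g_def_ctx;  /* single default context shared by all callers */

void toy_set_option(const char *cacert, int require_cert) {
    snprintf(g_opts.cacert, sizeof g_opts.cacert, "%s", cacert);
    g_opts.require_cert = require_cert;
}

/* Copy the current global options into the given context. */
void toy_set_ctx(struct tls_ctx *ctx) { ctx->snap = g_opts; ctx->ready = 1; }

/* Lazy init: whoever calls first fixes the settings for every later caller. */
struct tls_ctx *toy_init_def_ctx(void) {
    if (!g_def_ctx.ready) toy_set_ctx(&g_def_ctx);
    return &g_def_ctx;
}

/* Returns 1 if an option set after initialization never reaches the default context. */
int toy_shared_default_ignores_late_option(void) {
    memset(&g_def_ctx, 0, sizeof g_def_ctx);
    toy_set_option("/constructed/server-ca.pem", 0);  /* server-side settings */
    toy_init_def_ctx();                               /* server use initializes it */
    toy_set_option("/constructed/client-ca.pem", 1);  /* client wants verification */
    return toy_init_def_ctx()->snap.require_cert == 0; /* client gets server's value */
}

/* Returns 1 if one context per use keeps server and client settings separate. */
int toy_separate_contexts_isolated(void) {
    struct tls_ctx server, client;
    memset(&server, 0, sizeof server);
    memset(&client, 0, sizeof client);
    toy_set_option("/constructed/server-ca.pem", 0);
    toy_set_ctx(&server);
    toy_set_option("/constructed/client-ca.pem", 1);
    toy_set_ctx(&client);
    return server.snap.require_cert == 0 && client.snap.require_cert == 1;
}

int main(void) {
    printf("late option ignored: %d, contexts isolated: %d\n",
           toy_shared_default_ignores_late_option(), toy_separate_contexts_isolated());
    return 0;
}
```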