
RE: commit: ldap/libraries/libldap tls.c



At 09:13 AM 4/25/2004, Kurt D. Zeilenga wrote:
>At 01:06 AM 4/25/2004, Howard Chu wrote:
>>I have the feeling that the best fix for ITS#3109 is to alter the
>>ldap_pvt_tls_set_option stuff to immediately operate on the TLS context,
>>otherwise any settings made after the default context is initialized are
>>ignored.
>
>I'm concerned that sharing the 'default' context between multiple
>callers (slapd, nssldap) of the API, or even between different
>'uses' (frontend, backends) by one caller, may lead to inappropriate
>settings.
>
>Unfortunately, the API is designed such that data not associated
>with a particular LDAP session is global.  Without redesigning
>the whole API, it is hard to fix properly.
>
>For now, I think we should only worry about separating the
>default context used for server function (slapd frontend)
>from the default context used for client operations
>(nssldap, back-ldap, syncrepl).
>
>I'm not sure what is the best approach yet (it's way too early
>in the morning for me to think through the choices :-).
>
>>I considered modifying slapd to set up a custom context as well, but what
>>that means for things like back-ldap and syncrepl becomes murky.

I suggest, for now, moving to a system where the frontend
has its own 'default' context (driven by slapd.conf(5)
settings) and all the client uses (syncrepl, back-ldap,
back-meta) share a 'default' context (driven by ldap.conf(5)).

Long term, we'll have to figure how to separately configure
each client use (not only on a per backend basis, but a per
instance basis).

So, basically, I'd create an ldap_pvt_tls API which slapd
can use for frontend purposes which neither relies on ldap.conf
nor interferes with client uses.

>>Another possibility that came to mind is to have a ldap_pvt_tls_new_ctx() to
>>allocate a new context pointer, and ldap_pvt_tls_set_ctx() to write the
>>current pvt_tls_options into a given ctx. Then ldap_pvt_tls_init_def_ctx()
>>can be rewritten to use these two functions, and we can also easily establish
>>other contexts when multiple contexts are desired.
>>
>>  -- Howard Chu
>>  Chief Architect, Symas Corp.       Director, Highland Sun
>>  http://www.symas.com               http://highlandsun.com/hyc
>>  Symas: Premier OpenSource Development and Support
>>
>>> -----Original Message-----
>>> From: owner-openldap-commit@OpenLDAP.org
>>> [mailto:owner-openldap-commit@OpenLDAP.org]On Behalf Of
>>> kurt@OpenLDAP.org
>>> Sent: Saturday, April 24, 2004 7:47 PM
>>> To: OpenLDAP Commit
>>> Subject: commit: ldap/libraries/libldap tls.c
>>>
>>>
>>> Update of /repo/OpenLDAP/pkg/ldap/libraries/libldap
>>>
>>> Modified Files:
>>>       tls.c  1.110 -> 1.111
>>>
>>> Log Message:
>>> back out last change
>>>
>>>
>>> CVS Web URLs:
>>>   http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/
>>>     http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls.c
>>>
>>> Changes are generally available on cvs.openldap.org (and CVSweb)
>>> within 30 minutes of being committed.
>>>
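The two context patterns argued over in this thread, as an added illustration in C that is not OpenLDAP code and uses hypothetical names (tls_opts, tls_ctx, tls_init_def_ctx, tls_set_option_global, tls_new_ctx, tls_set_ctx, tls_ctx_set_reqcert; the file paths are constructed). The first half reproduces the symptom behind ITS#3109: with process-global options lazily copied into one default context, a setting applied after that context is initialized never reaches it. The second half sketches the explicit-context design Howard and Kurt describe, where a server-side (slapd.conf-driven) context and a client-side (ldap.conf-driven) context are built and adjusted independently, so post-initialization changes take effect and do not leak between uses.

```c
/* Added illustration, not OpenLDAP code: the two TLS-context patterns discussed
 * in the thread, using hypothetical names. Pattern 1 shows why settings applied
 * after the default context is initialized are lost; Pattern 2 keeps a server
 * context and a client context that are configured independently. */
#include <stdlib.h>
#include <string.h>

enum tls_reqcert { TLS_REQCERT_NEVER, TLS_REQCERT_ALLOW, TLS_REQCERT_DEMAND };

/* One option set (hypothetical; stands in for the process-wide TLS options). */
struct tls_opts {
    char cacertfile[128];
    enum tls_reqcert reqcert;
};

/* A built context (stands in for an SSL_CTX); holds a private copy of opts. */
struct tls_ctx {
    struct tls_opts opts;
    int initialized;
};

/* ---- Pattern 1: process-global options, lazily copied into a default ctx ---- */

static struct tls_opts global_opts = { "/constructed/ca.pem", TLS_REQCERT_NEVER };
static struct tls_ctx default_ctx;

/* Copy the globals into the default context once; later calls are no-ops. */
void tls_init_def_ctx(void) {
    if (default_ctx.initialized) return;
    default_ctx.opts = global_opts;
    default_ctx.initialized = 1;
}

/* Writes only the global; an already-initialized default ctx never sees it. */
void tls_set_option_global(enum tls_reqcert v) { global_opts.reqcert = v; }

/* Returns 1 if the default context ended up stale relative to the globals. */
int demo_stale_default(void) {
    default_ctx.initialized = 0;                /* reset for a repeatable run */
    global_opts.reqcert = TLS_REQCERT_NEVER;
    tls_init_def_ctx();                         /* e.g. first connection forces init */
    tls_set_option_global(TLS_REQCERT_DEMAND);  /* config applied too late */
    tls_init_def_ctx();                         /* no-op: ctx keeps the old policy */
    return default_ctx.opts.reqcert == TLS_REQCERT_NEVER
        && global_opts.reqcert == TLS_REQCERT_DEMAND;
}

/* ---- Pattern 2: explicit contexts built and configured individually ---- */

struct tls_ctx *tls_new_ctx(void) { return calloc(1, sizeof(struct tls_ctx)); }

/* Copy one option set into a context (the "set_ctx" step from the thread). */
int tls_set_ctx(struct tls_ctx *ctx, const struct tls_opts *opts) {
    if (ctx == NULL || opts == NULL) return -1;
    ctx->opts = *opts;
    ctx->initialized = 1;
    return 0;
}

/* Operates on the context directly, so post-initialization changes take effect. */
int tls_ctx_set_reqcert(struct tls_ctx *ctx, enum tls_reqcert v) {
    if (ctx == NULL || !ctx->initialized) return -1;
    ctx->opts.reqcert = v;
    return 0;
}

void tls_free_ctx(struct tls_ctx *ctx) { free(ctx); }

/* Returns 1 if a server ctx and a client ctx stay independent. */
int demo_separate_contexts(void) {
    /* Constructed sample settings: slapd.conf-driven vs ldap.conf-driven. */
    struct tls_opts server_opts = { "/constructed/server-ca.pem", TLS_REQCERT_NEVER };
    struct tls_opts client_opts = { "/constructed/client-ca.pem", TLS_REQCERT_ALLOW };
    struct tls_ctx *srv = tls_new_ctx();
    struct tls_ctx *cli = tls_new_ctx();
    int ok = 1;

    if (tls_set_ctx(srv, &server_opts) != 0 || tls_set_ctx(cli, &client_opts) != 0)
        ok = 0;
    /* Tightening the client policy after init takes effect and stays local. */
    if (tls_ctx_set_reqcert(cli, TLS_REQCERT_DEMAND) != 0) ok = 0;
    if (cli->opts.reqcert != TLS_REQCERT_DEMAND) ok = 0;
    if (srv->opts.reqcert != TLS_REQCERT_NEVER) ok = 0;
    if (strcmp(srv->opts.cacertfile, "/constructed/server-ca.pem") != 0) ok = 0;

    tls_free_ctx(srv);
    tls_free_ctx(cli);
    return ok;
}
```

Pattern 2 is the shape of the ldap_pvt_tls_new_ctx()/ldap_pvt_tls_set_ctx() split proposed above: the option set is an explicit input to context construction rather than hidden global state, which is what makes a frontend context and a client context independently configurable.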