Re: A LDAPS related issue

On Friday 24 September 2010, 10:08:32, Michael Ströder wrote:
> Ralf,
> 
> thanks for your followup on this.
> 
> Ralf Haferkamp wrote:
> > On Wednesday 22 September 2010 19:05:58 Michael Ströder wrote:
> >> Ralf Haferkamp wrote:
> >>> If you really want the TLS context recreated with each iteration I
> >>> think you can just call:
> >>> ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
> >>> after the above calls.
> >> 
> >> Ralf, does that really work? I did not manage to get
> >> this working from python-ldap...
> > 
> > Last time I checked it did. That was some month ago. But looking at
> > the libldap code it might be that LDAP_OPT_ON is probably the wrong
> > value to pass to it. It seems you need to pass a pointer to an
> > integer. That integer value is passed as the is_server argument to
> > the functions that actually initialize the context. So I guess in
> > client code you'd pass a int pointer to 0.
> 
> The relevant code excerpts from python-ldap/Modules/options.c are:
> 
> [..]
> 	    /* integer value options */
> 	    if (!PyArg_Parse(value, "i:set_option", &intval))
> 		return 0;
> 	    ptr = &intval;
> 	    break;
> [..]
>     if (res != LDAP_OPT_SUCCESS) {
>         option_error(res, "ldap_set_option");
>         return 0;
>     }
> [..]
> 
> That looks like your description. But I'd have to use 0 as the option
> value?

I think so. I am not exactly sure what your code does. My knowledge about
Python C bindings is very limited. In plain C you would do this:

int value=0;
[..]
ldap_set_option(ldap, LDAP_OPT_X_TLS_NEWCTX, &value);

to create a new TLS context for a client. For a server context you'd use 
any non-zero value. BTW, this is also documented in the 
ldap_set_option(3) manpage (surprisingly :)).

regards,
	Ralf