[Date Prev][Date Next] [Chronological] [Thread] [Top]

Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)

Full_Name: Prashant Kumar.
Version: 2.1.22 (20030709)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

Right now, while using OpenLdap with TLS/SSL, there are no API's to specify user
customized "verify_callback" and "verify_depth". Also, there are no API's to
input the CA cert, client cert and client cert key onto the SSL context in the
binary (DER) format (right now, OpenLdap reads all these info from PEM files
whose path is specified in the "ldap.conf").

This enhancement adds following API's to OpenLdap library which will allow the
user to do all the above things:

/*To set the verify callback*/
ldap_set_tls_verify_callback (
      int (*tls_verify_callback)(int, struct x509_store_ctx_s *));

/*To set the verify depth*/
ldap_set_tls_verify_depth (unsigned int verify_depth);

/*To set the CA cert*/
ldap_set_tls_cacert_bin (unsigned char *caCert,unsigned int len);

/*To set the client cert*/
ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);

/*To set the client cert key*/
ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);

I have changed two files "include/ldap.h" and "libraries/libldap/tls.c" to
accommodate these features and I have uploaded these changes as a tar ball (this
tar ball has 2 patches, one for ldap.h and other one for tls.c) onto
"ftp://ftp.openldap.org/incoming/";. The tar ball name is

Thank you,
Prashant Kumar