Re: (ITS#3791) start_tls while chasing referrals

On Thursday 11 August 2005 11:44, ando@sys-net.it wrote:
[..]
> As far as I can tell, start tls is already propagated by libldap on rebind
> while chasing referrals: if you follow the path, from
>
> request.c:ldap_chase_v3referrals()
> request.c:ldap_send_server_request()
> request.c:ldap_new_connection() with a newly allocated Sockbuf
>
> open.c:ldap_int_open_connection() starts TLS
>         if ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
>                 strcmp( srv->lud_scheme, "ldaps" ) == 0 )
>
> Then
>
> request.c:ldap_new_connection() calls ldap_rebind_proc().
>
> So, ldap_rebind_proc() should start TLS only if the above test is
> negative.  Since I don't expect that to be a reliable means to determine
> if one should start TLS, I think a better fix would be to expose something
> equivalent to ldap_pvt_tls_inplace(), something like
>
>
> int
> ldap_tls_inplace( LDAP *ld )
> {
>         Sockbuf         *sb = NULL;
>
>         ldap_get_option( ld, LDAP_OPT_SOCKBUF, (void *)&sb );
>
>         return ldap_pvt_tls_inplace( sb );
> }
>
> so that a possible ldap_rebind_proc() would be
>
> int
> rebind_proc( LDAP *ld, const char *url, ber_tag_t request,
>         ber_int_t msgid, void *params )
> {
>         if ( !ldap_tls_inplace( ld ) ) {
>                 int     rc;
>
>                 rc = ldap_start_tls_s( ld, NULL, NULL );
But this would again return LDAP_LOCAL_ERROR since ldap_pvt_tls_inplace() is 
true for ld->ld_sb. If I see it correctly ld->ld_sb still points to the 
original connection (not to the new connection of the referral). Please 
correct me if I am wrong here.

>                 if ( rc != LDAP_SUCCESS ) {
>                         return rc;
>                 }
>         }
>
>         return ldap_simple_bind_s( ld, params->dn, params->cred );
> }

-- 
Ralf