
Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth



>> The way I read this, it seems to imply that if acl-bind is not set, the
>> identity specified by idassert-bind will be used -- which is clearly not
>> happening here. Am I misreading this, or do you think the wording should
>> be changed here?
>
> As far as I remember, the above is (or was) true in some cases (which I do
> not remember); in any case, the above statement is in contradiction with
> Howard's statement.  Either the behavior stated above should be
> generalized (if desirable, in order to avoid the need to configure things
> twice when the same identity is going to be used), or the two should be
> decoupled everywhere in the code.

The current code in ldap_back_prepare_conn:

 >>>>
#ifdef HAVE_TLS
     if ( LDAP_BACK_CONN_ISPRIV( lc ) ) {
         sb = &li->li_acl;

     } else if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
         sb = &li->li_idassert.si_bc;

     } else {
         sb = &li->li_tls;
     }

     if ( sb->sb_tls_do_init ) {
         bindconf_tls_set( sb, ld );
     } else if ( sb->sb_tls_ctx ) {
         ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
     }

     /* if required by the bindconf configuration, force TLS */
     if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&
         sb->sb_tls_ctx )
     {
         flags |= LDAP_BACK_F_USE_TLS;
     }
<<<<

It seems the initial if/else belongs outside the #ifdef, first of all. Not 
sure how to handle the fallback to li->li_tls.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/