
RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)



I believe a related issue was recently raised on the -software list; the
ldap_set_option TLS_CTX doesn't work on a fresh LDAP* because ld->ld_defconn
doesn't get created until an actual request is made that needs a connection.
The ld_defconn then gets used right away, without giving an opportunity to
reconfigure it. So you can't override things on a per-session basis; you must
override the global tls_def_ctx.

Given that we have this unusable ldap_set_option function at the moment, we
can either remove it or make it work by adding a ld_tls_ctx pointer to the
LDAP*, so it can be set before the ld_defconn is created. But this creates an
ambiguity in the ldap_get_option side... What next?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> Kurt@OpenLDAP.org
> Sent: Tuesday, October 14, 2003 12:06 PM
> To: openldap-its@OpenLDAP.org
> Subject: Re: Flexibility to use customized "verify_callback" while using
> OpenLdap with TLS (ITS#2767)
>
>
> A couple of quick comments (without really looking at your tls.c
> patch... I'll leave most of that to others who are more familiar
> with that code).
>
> Setting of options should be done through the ldap_set_option(3) API.
> Likely should support global and per-session callbacks;
> ldap_set_option(3) supports both.  Also, we shouldn't provide options
> for things which can be managed through the TLS_CTX option.  That is,
> -lldap should avoid knowing too much about OpenSSL and/or TLS details.
>
> Lastly, no file in the tarball includes a notice.  See
> <http://www.openldap.org/devel/contributing.html> for guidelines.
> I suggest you provide a notice in a separate COPYRIGHT file.
>
> Kurt
>
>
> At 08:14 AM 10/14/2003, prkumar@nortelnetworks.com wrote:
> >Full_Name: Prashant Kumar.
> >Version: 2.1.22 (20030709)
> >OS: Linux
> >URL: ftp://ftp.openldap.org/incoming/
> >Submission from: (NULL) (47.234.0.52)
> >
> >
> >Right now, while using OpenLdap with TLS/SSL, there are no APIs to specify a
> >user-customized "verify_callback" and "verify_depth". Also, there are no APIs
> >to input the CA cert, client cert and client cert key onto the SSL context in
> >the binary (DER) format (right now, OpenLdap reads all this info from PEM
> >files whose path is specified in the "ldap.conf").
> >
> >This enhancement adds the following APIs to the OpenLdap library, which will
> >allow the user to do all the above things:
> >
> >/* To set the verify callback */
> >ldap_set_tls_verify_callback (
> >      int (*tls_verify_callback)(int, struct x509_store_ctx_s *));
> >
> >/* To set the verify depth */
> >ldap_set_tls_verify_depth (unsigned int verify_depth);
> >
> >/* To set the CA cert */
> >ldap_set_tls_cacert_bin (unsigned char *caCert, unsigned int len);
> >
> >/* To set the client cert */
> >ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);
> >
> >/* To set the client cert key */
> >ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);
> >
> >I have changed two files, "include/ldap.h" and "libraries/libldap/tls.c", to
> >accommodate these features and I have uploaded these changes as a tar ball
> >(this tar ball has 2 patches, one for ldap.h and the other for tls.c) onto
> >"ftp://ftp.openldap.org/incoming/". The tar ball name is
> >"prashant-kumar-openldap-031014.tgz".
> >
> >
> >Thank you,
> >Prashant Kumar