Full_Name: Prashant Kumar. Version: 2.1.22 (20030709) OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.234.0.52) Right now, while using OpenLdap with TLS/SSL, there are no API's to specify user customized "verify_callback" and "verify_depth". Also, there are no API's to input the CA cert, client cert and client cert key onto the SSL context in the binary (DER) format (right now, OpenLdap reads all these info from PEM files whose path is specified in the "ldap.conf"). This enhancement adds following API's to OpenLdap library which will allow the user to do all the above things: /*To set the verify callback*/ ldap_set_tls_verify_callback ( int (*tls_verify_callback)(int, struct x509_store_ctx_s *)); /*To set the verify depth*/ ldap_set_tls_verify_depth (unsigned int verify_depth); /*To set the CA cert*/ ldap_set_tls_cacert_bin (unsigned char *caCert,unsigned int len); /*To set the client cert*/ ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len); /*To set the client cert key*/ ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len); I have changed two files "include/ldap.h" and "libraries/libldap/tls.c" to accommodate these features and I have uploaded these changes as a tar ball (this tar ball has 2 patches, one for ldap.h and other one for tls.c) onto "ftp://ftp.openldap.org/incoming/". The tar ball name is "prashant-kumar-openldap-031014.tgz" Thank you, Prashant Kumar
A couple of quick comments (without really look at your tls.c patch... I'll leave most of that to others who are more familiar with that code). Setting of options should be done through the ldap_set_option(3) API. Likely should support global and per-session callbacks. ldap_set_option(3) supports both. Also, we shouldn't provide options for things which can be managed through the TLS_CTX option. That is, -lldap should avoid knowing too much about OpenSSL and/or TLS details. Lastly, no file in the tarball include a notice See <http://www.openldap.org/devel/contributing.html> for guidelines. I suggest you provide a notice in a separate COPYRIGHT file. Kurt At 08:14 AM 10/14/2003, prkumar@nortelnetworks.com wrote: >Full_Name: Prashant Kumar. >Version: 2.1.22 (20030709) >OS: Linux >URL: ftp://ftp.openldap.org/incoming/ >Submission from: (NULL) (47.234.0.52) > > >Right now, while using OpenLdap with TLS/SSL, there are no API's to specify user >customized "verify_callback" and "verify_depth". Also, there are no API's to >input the CA cert, client cert and client cert key onto the SSL context in the >binary (DER) format (right now, OpenLdap reads all these info from PEM files >whose path is specified in the "ldap.conf"). > >This enhancement adds following API's to OpenLdap library which will allow the >user to do all the above things: > >/*To set the verify callback*/ >ldap_set_tls_verify_callback ( > int (*tls_verify_callback)(int, struct x509_store_ctx_s *)); > >/*To set the verify depth*/ >ldap_set_tls_verify_depth (unsigned int verify_depth); > >/*To set the CA cert*/ >ldap_set_tls_cacert_bin (unsigned char *caCert,unsigned int len); > >/*To set the client cert*/ >ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len); > >/*To set the client cert key*/ >ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len); > >I have changed two files "include/ldap.h" and "libraries/libldap/tls.c" to >accommodate these features and I have uploaded these changes as a tar ball (this >tar ball has 2 patches, one for ldap.h and other one for tls.c) onto >"ftp://ftp.openldap.org/incoming/". The tar ball name is >"prashant-kumar-openldap-031014.tgz" > > >Thank you, >Prashant Kumar
Kurt, Thanks a lot for your comments. I will modify my code to provide those options through ldap_set_options (I will wait for comments from others so that I can make all these changes in one shot :)). The way TLS_CTX is set right now, it does not provide enough flexibility to the user of -ldap to customize things based on his requirements. For example, 1. "verify_callback", depending on the application, the user may like to handle certificate in their on customized way. However, -ldap forces the user to use the default way the openldap provides, that is to use "tls_verify_cb" or use "tls_verify_ok". 2. verify depth. I don't see any options in TLS_CTX to control this. 3. -ldap forces the user to specify the cert files in the PEM format in a file. I do agree with you that it may not be a good option to expose too much of OpenSsl to the user. However, I don't see a problem with exposing TLS to the user if we wants to use OpenLdap over TLS/SSL. If OpenLdap supports running over TLS, I guess, we should provide complete set of options to customize TLS on the need basis. I will add the COPYRIGHT file. Thank you again for your feedback. Regards, Prashant Kumar.
moved from Incoming to Development
After I got suggestions from the OpenLdap Developers group, I have incorporated changes to set all the options through "ldap_set_options" API. The new tar ball is "prashant-kumar-031016.tgz".
changed state Open to Suspended moved from Development to Software Enhancements
moved from Software Enhancements to Contrib