Add TLS context configuration

2025-12-25 09:09:54 -05:00 · 2007-01-08 23:36:24 +00:00 · 2007-01-08 23:36:24 +00:00 · a6a8fb514b
commit a6a8fb514b
parent 7bcca30623
5 changed files with 94 additions and 33 deletions
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@ -247,6 +247,9 @@ typedef struct ldapinfo_t {
 	LDAP_URLLIST_PROC	*li_urllist_f;
 	void			*li_urllist_p;

+	/* we only care about the TLS options here */
+	slap_bindconf		li_tls;
+
 	slap_bindconf		li_acl;
 #define	li_acl_authcID		li_acl.sb_authcId
 #define	li_acl_authcDN		li_acl.sb_binddn
@ -276,27 +279,29 @@ typedef struct ldapinfo_t {
 #define LDAP_BACK_F_USE_TLS		(0x00000002U)
 #define LDAP_BACK_F_PROPAGATE_TLS	(0x00000004U)
 #define LDAP_BACK_F_TLS_CRITICAL	(0x00000008U)
+#define LDAP_BACK_F_TLS_LDAPS	(0x00000010U)
+
 #define LDAP_BACK_F_TLS_USE_MASK	(LDAP_BACK_F_USE_TLS|LDAP_BACK_F_TLS_CRITICAL)
 #define LDAP_BACK_F_TLS_PROPAGATE_MASK	(LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
-#define LDAP_BACK_F_TLS_MASK		(LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK)
-#define LDAP_BACK_F_CHASE_REFERRALS	(0x00000010U)
-#define LDAP_BACK_F_PROXY_WHOAMI	(0x00000020U)
+#define LDAP_BACK_F_TLS_MASK		(LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK|LDAP_BACK_F_TLS_LDAPS)
+#define LDAP_BACK_F_CHASE_REFERRALS	(0x00000020U)
+#define LDAP_BACK_F_PROXY_WHOAMI	(0x00000040U)

-#define	LDAP_BACK_F_T_F			(0x00000040U)
-#define	LDAP_BACK_F_T_F_DISCOVER	(0x00000080U)
+#define	LDAP_BACK_F_T_F			(0x00000080U)
+#define	LDAP_BACK_F_T_F_DISCOVER	(0x00000100U)
 #define	LDAP_BACK_F_T_F_MASK		(LDAP_BACK_F_T_F)
 #define	LDAP_BACK_F_T_F_MASK2		(LDAP_BACK_F_T_F_MASK|LDAP_BACK_F_T_F_DISCOVER)

-#define LDAP_BACK_F_MONITOR		(0x00000100U)
-#define	LDAP_BACK_F_SINGLECONN		(0x00000200U)
-#define LDAP_BACK_F_USE_TEMPORARIES	(0x00000400U)
+#define LDAP_BACK_F_MONITOR		(0x00000200U)
+#define	LDAP_BACK_F_SINGLECONN		(0x00000400U)
+#define LDAP_BACK_F_USE_TEMPORARIES	(0x00000800U)

-#define	LDAP_BACK_F_ISOPEN		(0x00000800U)
+#define	LDAP_BACK_F_ISOPEN		(0x00001000U)

 #define	LDAP_BACK_F_CANCEL_ABANDON	(0x00000000U)
-#define	LDAP_BACK_F_CANCEL_IGNORE	(0x00001000U)
-#define	LDAP_BACK_F_CANCEL_EXOP		(0x00002000U)
-#define	LDAP_BACK_F_CANCEL_EXOP_DISCOVER	(0x00004000U)
+#define	LDAP_BACK_F_CANCEL_IGNORE	(0x00002000U)
+#define	LDAP_BACK_F_CANCEL_EXOP		(0x00004000U)
+#define	LDAP_BACK_F_CANCEL_EXOP_DISCOVER	(0x00008000U)
 #define	LDAP_BACK_F_CANCEL_MASK		(LDAP_BACK_F_CANCEL_IGNORE|LDAP_BACK_F_CANCEL_EXOP)
 #define	LDAP_BACK_F_CANCEL_MASK2	(LDAP_BACK_F_CANCEL_MASK|LDAP_BACK_F_CANCEL_EXOP_DISCOVER)

--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@ -127,7 +127,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs,
 	ldap_back_send_t sendok, struct berval *binddn, struct berval *bindcred );

 static int
-ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs,
+ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs,
 	ldap_back_send_t sendok );

 static int
@ -610,7 +610,7 @@ retry:;
 #endif /* HAVE_TLS */

 static int
-ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
+ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
 {
 	ldapinfo_t	*li = (ldapinfo_t *)op->o_bd->be_private;
 	int		version;
@ -618,10 +618,9 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
 #ifdef HAVE_TLS
 	int		is_tls = op->o_conn->c_is_tls;
 	time_t		lc_time = (time_t)(-1);
+	slap_bindconf *sb;
 #endif /* HAVE_TLS */

-	assert( lcp != NULL );
-
 	ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
 	rs->sr_err = ldap_initialize( &ld, li->li_uri );
 	ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
@ -661,6 +660,19 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
 	}

 #ifdef HAVE_TLS
+	if ( LDAP_BACK_CONN_ISPRIV( lc ))
+		sb = &li->li_acl;
+	else if ( LDAP_BACK_CONN_ISIDASSERT( lc ))
+		sb = &li->li_idassert.si_bc;
+	else
+		sb = &li->li_tls;
+
+	if ( sb->sb_tls_do_init ) {
+		bindconf_tls_set( sb, ld );
+	} else if ( sb->sb_tls_ctx ) {
+		ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+	}
+
 	ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
 	rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls,
 			li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text );
@ -675,21 +687,17 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
 	}
 #endif /* HAVE_TLS */

-	if ( *lcp == NULL ) {
-		*lcp = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) );
-		(*lcp)->lc_flags = li->li_flags;
-	}
-	(*lcp)->lc_ld = ld;
-	(*lcp)->lc_refcnt = 1;
-	(*lcp)->lc_binding = 1;
+	lc->lc_ld = ld;
+	lc->lc_refcnt = 1;
+	lc->lc_binding = 1;
 #ifdef HAVE_TLS
 	if ( is_tls ) {
-		LDAP_BACK_CONN_ISTLS_SET( *lcp );
+		LDAP_BACK_CONN_ISTLS_SET( lc );
 	} else {
-		LDAP_BACK_CONN_ISTLS_CLEAR( *lcp );
+		LDAP_BACK_CONN_ISTLS_CLEAR( lc );
 	}
 	if ( lc_time != (time_t)(-1) ) {
-		(*lcp)->lc_time = lc_time;
+		lc->lc_time = lc_time;
 	}
 #endif /* HAVE_TLS */

@ -706,7 +714,7 @@ error_return:;

 	} else {
 		if ( li->li_conn_ttl > 0 ) {
-			(*lcp)->lc_create_time = op->o_time;
+			lc->lc_create_time = op->o_time;
 		}
 	}

@ -892,7 +900,11 @@ retry_lock:

 	/* Looks like we didn't get a bind. Open a new session... */
 	if ( lc == NULL ) {
-		if ( ldap_back_prepare_conn( &lc, op, rs, sendok ) != LDAP_SUCCESS ) {
+		lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) );
+		lc->lc_flags = li->li_flags;
+		lc->lc_lcflags = lc_curr.lc_lcflags;
+		if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) {
+			ch_free( lc );
 			return NULL;
 		}

--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@ -83,7 +83,7 @@ static ConfigTable ldapcfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
-	{ "tls", "what", 2, 2, 0,
+	{ "tls", "what", 2, 0, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_TLS,
 		ldap_back_cf_gen, "( OLcfgDbAt:3.1 "
 			"NAME 'olcDbStartTLS' "
@ -352,6 +352,7 @@ static slap_verbmasks tls_mode[] = {
 	{ BER_BVC( "try-propagate" ),	LDAP_BACK_F_PROPAGATE_TLS },
 	{ BER_BVC( "start" ),		LDAP_BACK_F_TLS_USE_MASK },
 	{ BER_BVC( "try-start" ),	LDAP_BACK_F_USE_TLS },
+	{ BER_BVC( "ldaps" ),		LDAP_BACK_F_TLS_LDAPS },
 	{ BER_BVC( "none" ),		LDAP_BACK_F_NONE },
 	{ BER_BVNULL,			0 }
 };
@ -712,6 +713,7 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 			return 1;
 		}
 	}
+	bindconf_tls_defaults( &si->si_bc );

 	return 0;
 }
@ -776,10 +778,23 @@ ldap_back_cf_gen( ConfigArgs *c )
 			}
 			break;

-		case LDAP_BACK_CFG_TLS:
+		case LDAP_BACK_CFG_TLS: {
+			struct berval bc = BER_BVNULL, bv2;
 			enum_to_verb( tls_mode, ( li->li_flags & LDAP_BACK_F_TLS_MASK ), &bv );
 			assert( !BER_BVISNULL( &bv ) );
-			value_add_one( &c->rvalue_vals, &bv );
+			bindconf_tls_unparse( &li->li_tls, &bc );
+
+			if ( !BER_BVISEMPTY( &bc )) {
+				bv2.bv_len = bv.bv_len + bc.bv_len + 1;
+				bv2.bv_val = ch_malloc(bv2.bv_len + 1 );
+				strcpy( bv2.bv_val, bv.bv_val );
+				bv2.bv_val[bv.bv_len] = ' ';
+				strcpy( bv2.bv_val+bv.bv_len+1, bc.bv_val );
+				ber_bvarray_add( &c->rvalue_vals, &bv2 );
+			} else {
+				value_add_one( &c->rvalue_vals, &bv );
+			}
+			}
 			break;

 		case LDAP_BACK_CFG_ACL_AUTHCDN:
@ -1379,6 +1394,13 @@ done_url:;
 		}
 		li->li_flags &= ~LDAP_BACK_F_TLS_MASK;
 		li->li_flags |= tls_mode[i].mask;
+		if ( c->argc > 2 ) {
+			for ( i=0; i<c->argc; i++ ) {
+				if ( bindconf_tls_parse( c->argv[i], &li->li_tls ))
+					return 1;
+			}
+			bindconf_tls_defaults( &li->li_tls );
+		}
 		break;

 	case LDAP_BACK_CFG_ACL_AUTHCDN:
@ -1437,6 +1459,7 @@ done_url:;
 				return 1;
 			}
 		}
+		bindconf_tls_defaults( &li->li_acl );
 		break;

 	case LDAP_BACK_CFG_IDASSERT_MODE:
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -1274,13 +1274,30 @@ slap_tls_get_config( LDAP *ld, int opt, char **val )
 	return -1;
 }

+int
+bindconf_tls_parse( const char *word, slap_bindconf *bc )
+{
+#ifdef HAVE_TLS
+	if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) {
+		bc->sb_tls_do_init = 1;
+		return 0;
+	}
+#endif
+	return -1;
+}
+
+int
+bindconf_tls_unparse( slap_bindconf *bc, struct berval *bv )
+{
+	return slap_cf_aux_table_unparse( bc, bv, aux_TLS );
+}
+
 int
 bindconf_parse( const char *word, slap_bindconf *bc )
 {
 #ifdef HAVE_TLS
 	/* Detect TLS config changes explicitly */
-	if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) {
-		bc->sb_tls_do_init = 1;
+	if ( bindconf_tls_parse( word, bc ) == 0 ) {
 		return 0;
 	}
 #endif
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -635,6 +635,10 @@ LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp,
 LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P((
 	LDAP *ld, int opt, char **val ));
 LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc ));
+LDAP_SLAPD_F (int) bindconf_tls_parse LDAP_P((
+	const char *word,  slap_bindconf *bc ));
+LDAP_SLAPD_F (int) bindconf_tls_unparse LDAP_P((
+	slap_bindconf *bc, struct berval *bv ));
 LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
 	const char *word,  slap_bindconf *bc ));
 LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((