Victor Duchovni: > With OpenLDAP 2.4 it is possible to set the TLS properties for > a particular LDAP connection (not just global properties), and to > associate a new OpenLDAP managed TLS context for the connection via the > new "LDAP_OPT_X_TLS_NEWCTX" option. > > Try this completely untested patch (it may not even compile, but it > looks promising):
Is this the version that is ready, or have there been furth changes? Wietse > Index: src/global/dict_ldap.c > --- src/global/dict_ldap.c 28 Jan 2008 04:29:48 -0000 1.1.1.2 > +++ src/global/dict_ldap.c 26 Feb 2009 00:04:18 -0000 > @@ -484,10 +484,16 @@ > { > const char *myname = "dict_ldap_set_tls_options"; > int rc; > +#ifdef LDAP_OPT_X_TLS_NEWCTX > + int am_server = 0; > + LDAP *ld = dict_ldap->ld; > +#else > + LDAP *ld = 0; > +#endif > > if (dict_ldap->start_tls || dict_ldap->ldap_ssl) { > if (*dict_ldap->tls_random_file) { > - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, > + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE, > dict_ldap->tls_random_file)) != LDAP_SUCCESS) { > msg_warn("%s: Unable to set tls_random_file to %s: %d: %s", > myname, dict_ldap->tls_random_file, > @@ -496,7 +502,7 @@ > } > } > if (*dict_ldap->tls_ca_cert_file) { > - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, > + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, > dict_ldap->tls_ca_cert_file)) != LDAP_SUCCESS) { > msg_warn("%s: Unable to set tls_ca_cert_file to %s: %d: %s", > myname, dict_ldap->tls_ca_cert_file, > @@ -505,7 +511,7 @@ > } > } > if (*dict_ldap->tls_ca_cert_dir) { > - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, > + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, > dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS) { > msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s", > myname, dict_ldap->tls_ca_cert_dir, > @@ -514,7 +520,7 @@ > } > } > if (*dict_ldap->tls_cert) { > - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, > + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, > dict_ldap->tls_cert)) != LDAP_SUCCESS) { > msg_warn("%s: Unable to set tls_cert to %s: %d: %s", > myname, dict_ldap->tls_cert, > @@ -523,7 +529,7 @@ > } > } > if (*dict_ldap->tls_key) { > - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, > + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, > dict_ldap->tls_key)) != LDAP_SUCCESS) { > msg_warn("%s: Unable to set tls_key to %s: %d: %s", > myname, dict_ldap->tls_key, > @@ -532,7 +538,7 @@ > } > } > if (*dict_ldap->tls_cipher_suite) { > - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, > + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, > dict_ldap->tls_cipher_suite)) != LDAP_SUCCESS) { > msg_warn("%s: Unable to set tls_cipher_suite to %s: %d: %s", > myname, dict_ldap->tls_cipher_suite, > @@ -540,13 +546,21 @@ > return (-1); > } > } > - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, > + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, > &(dict_ldap->tls_require_cert))) != LDAP_SUCCESS) { > msg_warn("%s: Unable to set tls_require_cert to %d: %d: %s", > myname, dict_ldap->tls_require_cert, > rc, ldap_err2string(rc)); > return (-1); > } > +#ifdef LDAP_OPT_X_TLS_NEWCTX > + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &am_server)) > + != LDAP_SUCCESS) { > + msg_warn("%s: Unable to allocate new TLS context %d: %s", > + myname, rc, ldap_err2string(rc)); > + return (-1); > + } > +#endif > } > return (0); > } > @@ -592,10 +606,6 @@ > > #ifdef LDAP_OPT_NETWORK_TIMEOUT > #ifdef LDAP_API_FEATURE_X_OPENLDAP > - if (dict_ldap_set_tls_options(dict_ldap) != 0) { > - dict_errno = DICT_ERR_RETRY; > - return (-1); > - } > ldap_initialize(&(dict_ldap->ld), dict_ldap->server_host); > #else > dict_ldap->ld = ldap_init(dict_ldap->server_host, > @@ -700,6 +710,8 @@ > #endif > > #ifdef LDAP_API_FEATURE_X_OPENLDAP > + if (dict_ldap_set_tls_options(dict_ldap) != 0) > + DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1); > if (dict_ldap->start_tls) { > if ((saved_alarm = signal(SIGALRM, dict_ldap_timeout)) == SIG_ERR) { > msg_warn("%s: Error setting signal handler for STARTTLS timeout: > %m", > > -- > Viktor. > > Disclaimer: off-list followups get on-list replies or get ignored. > Please do not ignore the "Reply-To" header. > > To unsubscribe from the postfix-users list, visit > http://www.postfix.org/lists.html or click the link below: > <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users> > > If my response solves your problem, the best way to thank me is to not > send an "it worked, thanks" follow-up. If you must respond, please put > "It worked, thanks" in the "Subject" so I can delete these quickly. > >