Thanks for the info, Anton. Do you think I need to redo all 3 init
steps after the NSS_Shutdown (ldapssl_clientauth_init, ldapssl_init,
and ldapssl_enable_clientauth)? I tried this approach and got a core
dump in the ldapssl_enable_clientauth call:
> pstack core.ldapUtil_ut
core 'core.ldapUtil_ut' ...
--------------- lwp# 1 / thread# 1 ---------------
fda222e8 PK11_FindCertFromNickname (cfe08, 0, 0, fd841ce4, 222d8, 13b9c) + 8c
fdac3858 get_keyandcert(c36f8, ffbe9d7c, ffbe9d84, 222d8, 0) + 18
fdac3954 check_client_auth_nickname_and_passwd (f88b0, c36f8, ffbe9e10, cb4b8, cb4b8, c3058) + 20
fdac3498 ldapssl_enable_clientauth (f88b0, c0725, c0726, cb4b8, cd030, fdb201, f4) + e0
I tried putting a check around this call so it doesn't get called again
after NSS_Shutdown, but then the second sasl_bind cored. I've been
digging through NSS code to try and see what's going on, but was hoping
someone might see this and have more insight.
Mike
Anton Bobrov wrote:
> Mike, I just asked our NSS folks here and this is what I got, quote:
>
> "You can only have one writer process with no readers, or multiple
> readers with no writer."
>
> So what that essentially means to you is that you cannot modify secdb
> on the fly and have to prevent that from happening by any means
> necessary. From your LDAP-enabled app I would suggest calling NSS's
> own NSS_Shutdown(), then making whatever changes you need to make to
> secdb, then calling the ldapssl* init functions again, which will
> trigger NSS_Init/ialize() further down the line, and your LDAP app has
> an up-to-date secdb then.
>
> Also, I've been told that the NSS folks are at work on improving secdb
> sharing features, so when they deliver something we will certainly try
> to take those features on board [if they are not transparent by
> default].
>
> Mike wrote:
> > I'm wondering if it's possible to re-read certificates after I have
> > initialized my connection and performed the sasl bind? Right now, for
> > example, our C SDK does the following:
> >
> > void connectToServer()
> > {
> >     if (!connected)
> >     {
> >         /* SSL/NSS setup, done once per process lifetime */
> >         ldapssl_clientauth_init(...);
> >         ldapssl_init(...);
> >         ldapssl_enable_clientauth(...);
> >
> >         /* ld is the LDAP * handle returned by ldapssl_init();
> >          * let the SDK reconnect on its own when the connection drops */
> >         ldap_set_option(ld, LDAP_OPT_RECONNECT, LDAP_OPT_ON);
> >
> >         connected = true;
> >     }
> >     ldap_sasl_bind_s(...);
> > }
> >
> > We then check the return from every API call for LDAP_SERVER_DOWN and
> > LDAP_CONNECT_ERROR to see if we need to call this connectToServer
> > method again (and thus only redo the sasl bind). Just as a test I
> > moved the connected flag logic ONLY around the ldapssl_init -- so it
> > never gets called twice -- and re-generated my certificate while the
> > software was running. The software detected this and when it tried to
> > call ldapssl_enable_clientauth again, it failed with error code -1.
> >
> > Is what I'm trying to do possible, and do I need to take the approach
> > of turning off the RECONNECT option and just creating a new ldap
> > connection object each time? We tried this before but had a handful of
> > apps coring, so if possible I'd like to stay away from this approach.
> >
> > Thanks for any help,
> >
> > Mike
> >
> > _______________________________________________
> > dev-tech-ldap mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-tech-ldap
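An added example, not code from this thread or from the LDAP C SDK: a small state guard in C that encodes the two rules discussed above, the NSS rule quoted by Anton (one writer with no readers, or readers with no writer) and the requirement to redo all three ldapssl_* init steps after NSS_Shutdown(). The guard never calls NSS or the SDK itself; an application would call the matching guard function immediately before each SDK call and skip the call when the guard returns an error, so that an out-of-order ldapssl_enable_clientauth() is refused with GUARD_ESEQ rather than reaching PK11_FindCertFromNickname with NSS shut down, and a secdb rewrite is refused with GUARD_EBUSY while any LDAP handle is still live. All names here (struct nss_guard, the guard_* functions, demo_cert_rotation) are my own.

```c
#include <stddef.h>

/* Lifecycle of NSS/secdb as seen from an LDAP C SDK application (assumed model). */
enum nss_state {
    NSS_DOWN,             /* nothing initialized: fresh start, or right after NSS_Shutdown() */
    NSS_CLIENTAUTH_INIT,  /* ldapssl_clientauth_init() has been done */
    NSS_SSL_INIT,         /* ldapssl_init() has been done */
    NSS_READY,            /* ldapssl_enable_clientauth() has been done; handles may bind */
    NSS_WRITING           /* secdb is being rewritten; no readers allowed */
};

/* Guard verdicts; a negative value means "do not make the SDK call". */
enum guard_rc { GUARD_OK = 0, GUARD_EBUSY = -1, GUARD_ESEQ = -2 };

struct nss_guard {
    enum nss_state state;
    int readers;          /* live LDAP handles that reference the secdb */
};

void guard_init(struct nss_guard *g) { g->state = NSS_DOWN; g->readers = 0; }

/* Step 1 of 3, before ldapssl_clientauth_init(). Legal only from NSS_DOWN,
 * which is also the state after a shutdown, so the whole sequence is redone. */
int guard_clientauth_init(struct nss_guard *g) {
    if (g->state != NSS_DOWN) return GUARD_ESEQ;
    g->state = NSS_CLIENTAUTH_INIT;
    return GUARD_OK;
}

/* Step 2 of 3, before ldapssl_init(). */
int guard_ssl_init(struct nss_guard *g) {
    if (g->state != NSS_CLIENTAUTH_INIT) return GUARD_ESEQ;
    g->state = NSS_SSL_INIT;
    return GUARD_OK;
}

/* Step 3 of 3, before ldapssl_enable_clientauth(). Calling it straight after
 * a shutdown, without steps 1 and 2, is the case refused here. */
int guard_enable_clientauth(struct nss_guard *g) {
    if (g->state != NSS_SSL_INIT) return GUARD_ESEQ;
    g->state = NSS_READY;
    return GUARD_OK;
}

/* Every LDAP handle that binds over SSL counts as one secdb reader. */
int guard_open_handle(struct nss_guard *g) {
    if (g->state != NSS_READY) return GUARD_ESEQ;
    g->readers++;
    return GUARD_OK;
}

int guard_close_handle(struct nss_guard *g) {
    if (g->readers <= 0) return GUARD_ESEQ;
    g->readers--;
    return GUARD_OK;
}

/* Before NSS_Shutdown(): refused while any handle still references NSS. */
int guard_shutdown(struct nss_guard *g) {
    if (g->state == NSS_DOWN || g->state == NSS_WRITING) return GUARD_ESEQ;
    if (g->readers > 0) return GUARD_EBUSY;
    g->state = NSS_DOWN;
    return GUARD_OK;
}

/* Writer side: certificate regeneration may touch secdb only while NSS is down. */
int guard_begin_secdb_write(struct nss_guard *g) {
    if (g->state != NSS_DOWN) return GUARD_EBUSY;
    g->state = NSS_WRITING;
    return GUARD_OK;
}

int guard_end_secdb_write(struct nss_guard *g) {
    if (g->state != NSS_WRITING) return GUARD_ESEQ;
    g->state = NSS_DOWN;
    return GUARD_OK;
}

/* Full re-init after a certificate change: all three steps, in order. */
int guard_reinit(struct nss_guard *g) {
    int rc;
    if ((rc = guard_clientauth_init(g)) != GUARD_OK) return rc;
    if ((rc = guard_ssl_init(g)) != GUARD_OK) return rc;
    return guard_enable_clientauth(g);
}

/* Walks the scenario from the thread: init, bind, regenerate the certificate
 * while running, shut down, rewrite secdb, redo all three steps, rebind.
 * Returns how many steps had an outcome other than the expected one (0 = clean). */
int demo_cert_rotation(void) {
    struct nss_guard g;
    int violations = 0;
    guard_init(&g);
    violations += guard_reinit(&g) != GUARD_OK;
    violations += guard_open_handle(&g) != GUARD_OK;        /* connectToServer(): handle + bind */
    violations += guard_begin_secdb_write(&g) == GUARD_OK;  /* expected refusal: a reader is live */
    violations += guard_close_handle(&g) != GUARD_OK;
    violations += guard_shutdown(&g) != GUARD_OK;           /* now NSS_Shutdown() is legal */
    violations += guard_begin_secdb_write(&g) != GUARD_OK;
    violations += guard_end_secdb_write(&g) != GUARD_OK;
    violations += guard_enable_clientauth(&g) == GUARD_OK;  /* expected refusal: steps 1 and 2 skipped */
    violations += guard_reinit(&g) != GUARD_OK;             /* the full sequence succeeds */
    violations += guard_open_handle(&g) != GUARD_OK;
    return violations;
}
```

The point of keeping the reader count separate from the init state is that NSS_Shutdown() cannot be reached while a handle with LDAP_OPT_RECONNECT still holds NSS objects; the guard turns that into GUARD_EBUSY at the call site, which is where an application would close or recreate its handles before rotating the certificate.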