At 04:11 PM 1/6/2005, Graham Leggett wrote:

>William A. Rowe, Jr. wrote:
>
>>Wouldn't it be *much* more economical to do something similar
>>to apr_procattr_t, where we set up all the choices beforehand,
>>and can reuse the apr_ldapopt_t over and over on each ldap
>>connection for options which do not change?
>
>All the LDAP toolkits have this concept already - you just call
>ldap_set_option with a NULL ldap handle and you set system wide properties
>(like defaults, and SSL params).

I meant from the perspective of apr_ldap() - for both an individual
setting and global config.

>The issue is the supporting of client certificates - which in some cases
>(openldap, microsoft) are set on a per connection basis (which makes the most
>sense), and in other cases are set on a system wide sense (novell in my
>understanding).

Yes, it will vary a bit. The global flavor apr_ldap_default_set() would be
supported mostly everywhere, and per-connection options passed to
apr_ldap_init() would be supported only if available.

>Not only do we have to somehow handle this in APR, but we also need to handle
>this in httpd. Perhaps we need an httpd directive with global only scope that
>sets "system wide" certificates (AKA CA certs, but in the Novell case it could
>also be a client side cert valid system wide), as well as a local scoped per
>connection directive for "client certificates" (ie a per connection client
>cert, supported by Microsoft and OpenLDAP but fails with a graceful error on
>Novell).

Well, the very same directives in the global config would help choose the
'default', while if restricted to a single ldap entry they would apply only
to that host.
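Added illustration (not code from APR or from either poster): a small C model of the option-set pattern being discussed, namely a reusable set of global defaults in the style of apr_procattr_t, with per-connection overrides applied only where the underlying toolkit supports them, and a graceful error where it does not (the Novell client-certificate case above). Every name here is hypothetical: ldapopt_t, ldap_ctx_t, ldap_default_set(), ldap_conn_init() and the ldap_sdk_t capability flags stand in for whatever apr_ldap would actually expose; the certificate paths are constructed sample input.

```c
/* Hypothetical model of "global defaults + per-connection overrides" for
 * LDAP options. None of these types or functions exist in APR; they only
 * illustrate the design under discussion. */
#include <stdio.h>
#include <string.h>

/* Which toolkit backs the connection; only some accept a client
 * certificate per connection (per the thread: OpenLDAP and Microsoft do,
 * Novell sets it system wide). */
typedef enum { SDK_OPENLDAP, SDK_MICROSOFT, SDK_NOVELL } ldap_sdk_t;

/* The reusable option set. NULL / -1 in an override means "unchanged". */
typedef struct {
    const char *ca_cert;      /* CA certificate path */
    const char *client_cert;  /* client certificate path */
    int verify_peer;          /* 1 = require a verified server cert */
} ldapopt_t;

typedef struct {
    ldap_sdk_t sdk;
    ldapopt_t defaults;       /* "system wide" options, set once */
} ldap_ctx_t;

typedef struct {
    const char *host;
    ldapopt_t opts;           /* effective options for this connection */
} ldap_conn_t;

enum { LDAP_OK = 0, LDAP_ENOTIMPL = 1 };

/* Global flavour: set the defaults once and reuse them for every later
 * connection, instead of re-applying each option per connection. */
void ldap_default_set(ldap_ctx_t *ctx, const ldapopt_t *opts)
{
    ctx->defaults = *opts;
}

/* Hypothetical capability check for per-connection client certificates. */
static int sdk_supports_conn_client_cert(ldap_sdk_t sdk)
{
    return sdk == SDK_OPENLDAP || sdk == SDK_MICROSOFT;
}

/* Per-connection flavour: start from the global defaults, layer the
 * override on top, and refuse (rather than silently drop) a per-connection
 * client cert the toolkit cannot honour. */
int ldap_conn_init(const ldap_ctx_t *ctx, const char *host,
                   const ldapopt_t *override, ldap_conn_t *out)
{
    out->host = host;
    out->opts = ctx->defaults;
    if (override == NULL)
        return LDAP_OK;
    if (override->client_cert != NULL) {
        if (!sdk_supports_conn_client_cert(ctx->sdk))
            return LDAP_ENOTIMPL;  /* graceful error, e.g. on Novell */
        out->opts.client_cert = override->client_cert;
    }
    if (override->ca_cert != NULL)
        out->opts.ca_cert = override->ca_cert;
    if (override->verify_peer != -1)
        out->opts.verify_peer = override->verify_peer;
    return LDAP_OK;
}

int main(void)
{
    /* Constructed sample configuration. */
    ldap_ctx_t ctx = { SDK_NOVELL, { NULL, NULL, 0 } };
    ldapopt_t global = { "/etc/ssl/ca.pem", NULL, 1 };
    ldapopt_t per_host = { NULL, "/etc/ssl/client.pem", -1 };
    ldap_conn_t conn;

    ldap_default_set(&ctx, &global);
    printf("novell, per-connection client cert: rc=%d\n",
           ldap_conn_init(&ctx, "ldap.example", &per_host, &conn));

    ctx.sdk = SDK_OPENLDAP;
    printf("openldap, per-connection client cert: rc=%d cert=%s ca=%s\n",
           ldap_conn_init(&ctx, "ldap.example", &per_host, &conn),
           conn.opts.client_cert, conn.opts.ca_cert);
    return 0;
}
```

The point of the shape is that the same ldapopt_t serves both scopes: an httpd directive in the global config feeds ldap_default_set(), and the same directive inside a single LDAP entry becomes the override passed to ldap_conn_init(), with the toolkit capability check deciding whether that override is honoured or rejected with a clear return code.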
