Attached is a patch for allowing aprutil LDAP to use the Tivoli
Directory Server SDK from IBM.
Simple SSL connections work without any explicit configuration because
the SDK ships with a Key Database that contains the usual public CAs.
(Note that this also means the server certificate is, by default, validated
against whatever CA set IBM ships in that Key Database rather than one the
administrator chose.)
This Key Database, used for Certificate Authorities and private keys,
can only effectively be set during the one-time
ldap_ssl_client_init()/apr_ldap_ssl_init() call; this does work via
apr-util if the application passes in the cert_auth_file.
A private key can be selected for client authentication during the
per-connection ldap_ssl_init()/apr_ldap_init(), but this doesn't mesh
very well with the current apr-util LDAP interface. Allowing this
would only require an additional char* passed to apr_ldap_init().
Neither the keyring nor the name of the private cert is settable via
the ldap_set_option interface, which unfortunately differs from the other
supported LDAP SDKs.
I was able to get a small test program to work over SSL, as well as
httpd with a tiny change to actually pass the "secure" parameter to
apr_ldap_init().
v5.2 SDK readme:
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSCreadme52/en_US/HTML/client.htm
v5.2 SDK programmers reference:
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSprogref52/en_US/HTML/progref.htm
Product Page (the client/SDK appears to be bundled in the large LDAP server package):
http://www-306.ibm.com/software/tivoli/products/directory-server/
--
Eric Covener
[EMAIL PROTECTED]
Index: ldap/apr_ldap_init.c
===================================================================
--- ldap/apr_ldap_init.c (revision 494830)
+++ ldap/apr_ldap_init.c (working copy)
@@ -64,6 +64,9 @@
ldapssl_client_init(NULL, NULL);
#endif
+#if APR_HAS_TIVOLI_LDAPSDK
+ ldap_ssl_client_init((char *)cert_auth_file, NULL, 0, &result->rc);
+#else
/* if a certificate was specified, set it */
if (cert_auth_file) {
apr_ldap_opt_tls_cert_t *cert = (apr_ldap_opt_tls_cert_t *)apr_pcalloc(pool, sizeof(apr_ldap_opt_tls_cert_t));
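Review bot: The return value of the added ldap_ssl_client_init() call is discarded, so a keyring that cannot be opened (bad path, wrong permissions, missing default KDB) leaves the SSL layer uninitialised while apr_ldap_ssl_init still reports success; only the SDK's SSL reason code is stored in result->rc, and nothing inspects it. Check the result and fail the call, along the lines of `if (ldap_ssl_client_init((char *)cert_auth_file, NULL, 0, &result->rc) != LDAP_SUCCESS) { result->reason = "LDAP: ldap_ssl_client_init failed"; return APR_EGENERAL; }`, assuming the SDK follows the usual LDAP_SUCCESS convention; how result_err is propagated depends on code outside this hunk. Also worth a one-line comment that a NULL cert_auth_file deliberately selects the SDK's bundled Key Database, since that is the trust anchor set that will then be used for server verification. The enclosing function apr_ldap_ssl_init starts and ends outside the hunk.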
@@ -71,6 +74,7 @@
cert->path = cert_auth_file;
return apr_ldap_set_option(pool, NULL, APR_LDAP_OPT_TLS_CERT, (void *)cert, result_err);
}
+#endif
#else /* not compiled with SSL Support */
if (cert_auth_file) {
@@ -110,6 +114,9 @@
#if APR_HAS_LDAP_SSL && APR_HAS_LDAPSSL_CLIENT_DEINIT
ldapssl_client_deinit();
#endif
+#if APR_HAS_LDAP_SSL && APR_HAS_LDAP_SSL_CLIENT_DEINIT
+ ldap_ssl_client_deinit();
+#endif
return APR_SUCCESS;
}
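Review bot: The ldap_ssl_client_deinit() added here is guarded by the detected-function macro APR_HAS_LDAP_SSL_CLIENT_DEINIT, whereas the matching ldap_ssl_client_init() call in the earlier hunk is guarded by the vendor macro APR_HAS_TIVOLI_LDAPSDK; the two are set by independent configure checks (a vendor-name grep versus AC_CHECK_LIB), so init and deinit can be compiled in under different conditions. Keying both on the same condition, e.g. `#if APR_HAS_LDAP_SSL && APR_HAS_TIVOLI_LDAPSDK`, avoids a deinit without an init or vice versa. The return value of ldap_ssl_client_deinit() is also ignored, which at least matches the existing ldapssl_client_deinit() line above it. The enclosing function starts outside the hunk.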
@@ -149,6 +156,10 @@
*ldap = ldapssl_init(hostname, portno, 0);
#elif APR_HAS_LDAP_SSLINIT
*ldap = ldap_sslinit((char *)hostname, portno, 0);
+#elif APR_HAS_LDAP_SSL_INIT
+ /* Tivolo: Third parameter is null, defualt CA list provided with SDK is used */
+ if (secure == APR_LDAP_SSL) *ldap = ldap_ssl_init((char *)hostname, portno, NULL);
+ else *ldap = ldap_init((char *)hostname, portno);
#else
*ldap = ldap_init((char *)hostname, portno);
#endif
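Review bot: On the added Tivoli branch any `secure` value other than APR_LDAP_SSL — including a STARTTLS request, if apr_ldap.h defines one — falls through to a plain ldap_init() with no error, so a caller that asked for an encrypted connection can silently get cleartext unless code later in apr_ldap_init rejects it; consider an explicit `else if (secure != <the no-encryption value>) { /* unsupported mode: fail */ }` before the ldap_init() fallback. The other SDK branches above call their SSL init without consulting `secure` at all, so whatever applies `secure` for them presumably lives further down in the function; verify that it still does the right thing with a handle created by ldap_ssl_init(). The comment also misspells the vendor and "default"; suggest `/* Tivoli: third parameter is NULL, so the default CA list shipped with the SDK is used and no client certificate label is selected */`. The enclosing function apr_ldap_init starts and ends outside the hunk.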
Index: ldap/apr_ldap_option.c
===================================================================
--- ldap/apr_ldap_option.c (revision 494830)
+++ ldap/apr_ldap_option.c (working copy)
@@ -578,6 +578,15 @@
result->rc = -1;
#endif
+#if APR_HAS_TIVOLI_LDAPSDK
+ /* Tivoli accepts a KDB file with both CAs and private keys during one-time initialization
+ * and takes a certificate label during ldap_ssl_init */
+ result->reason = "LDAP: certificates cannot be set using this method, "
+ "CA must be set during apr_ldap_ssl_init and labels for private "
+ "keys cannot be set at this time";
+ result->rc = -1;
+#endif
+
/* SDK not recognised */
#if APR_HAS_OTHER_LDAPSDK
result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
Index: include/apr_ldap.h.in
===================================================================
--- include/apr_ldap.h.in (revision 494830)
+++ include/apr_ldap.h.in (working copy)
@@ -40,6 +40,7 @@
#define APR_HAS_MOZILLA_LDAPSDK @apu_has_ldap_mozilla@
#define APR_HAS_OPENLDAP_LDAPSDK @apu_has_ldap_openldap@
#define APR_HAS_MICROSOFT_LDAPSDK @apu_has_ldap_microsoft@
+#define APR_HAS_TIVOLI_LDAPSDK @apu_has_ldap_tivoli@
#define APR_HAS_OTHER_LDAPSDK @apu_has_ldap_other@
@@ -79,11 +80,14 @@
* Detected standard functions
*/
#define APR_HAS_LDAPSSL_CLIENT_INIT @apu_has_ldapssl_client_init@
+#define APR_HAS_LDAP_SSL_CLIENT_INIT @apu_has_ldap_ssl_client_init@
#define APR_HAS_LDAPSSL_CLIENT_DEINIT @apu_has_ldapssl_client_deinit@
+#define APR_HAS_LDAP_SSL_CLIENT_DEINIT @apu_has_ldap_ssl_client_deinit@
#define APR_HAS_LDAPSSL_ADD_TRUSTED_CERT @apu_has_ldapssl_add_trusted_cert@
#define APR_HAS_LDAP_START_TLS_S @apu_has_ldap_start_tls_s@
#define APR_HAS_LDAP_SSLINIT @apu_has_ldap_sslinit@
#define APR_HAS_LDAPSSL_INIT @apu_has_ldapssl_init@
+#define APR_HAS_LDAP_SSL_INIT @apu_has_ldap_ssl_init@
#define APR_HAS_LDAPSSL_INSTALL_ROUTINES @apu_has_ldapssl_install_routines@
/*
Index: include/apr_ldap_option.h
===================================================================
--- include/apr_ldap_option.h (revision 494830)
+++ include/apr_ldap_option.h (working copy)
@@ -137,6 +137,10 @@
#define APR_LDAP_CERT_TYPE_PFX 13
/** PKCS#12 encoded private key */
#define APR_LDAP_KEY_TYPE_PFX 14
+/** CMS Key Database with private key and cert chain */
+#define APR_LDAP_KEY_TYPE_CMS 15
+/** Label of a private key in CMS */
+#define APR_LDAP_KEY_TYPE_CMS_LABEL 16
/**
* Certificate structure.
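Review bot: Nothing in this patch consumes APR_LDAP_KEY_TYPE_CMS or APR_LDAP_KEY_TYPE_CMS_LABEL — the Tivoli branch added to apr_ldap_set_option rejects every certificate option and the ldap_ssl_init() call passes NULL for the label — so these public constants advertise a client-key capability the library cannot yet honour. Either hold them back until the set_option path is wired up, or say so in the doc comments, e.g. `/** CMS Key Database with private key and cert chain (Tivoli SDK; not yet accepted by apr_ldap_set_option) */`. A label is also not a key encoding in the sense of the neighbouring PFX value, so the comment on APR_LDAP_KEY_TYPE_CMS_LABEL should make clear it is a selector for an entry inside the CMS file rather than a file format.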
Index: build/apu-conf.m4
===================================================================
--- build/apu-conf.m4 (revision 494830)
+++ build/apu-conf.m4 (working copy)
@@ -186,11 +186,14 @@
APR_ADDTO(APRUTIL_EXPORT_LIBS,[-l${ldaplib} ${extralib}])
APR_ADDTO(APRUTIL_LIBS,[-l${ldaplib} ${extralib}])
AC_CHECK_LIB(${ldaplib}, ldapssl_client_init, apu_has_ldapssl_client_init="1", , ${extralib})
+ AC_CHECK_LIB(${ldaplib}, ldap_ssl_client_init, apu_has_ldap_ssl_client_init="1", , ${extralib})
AC_CHECK_LIB(${ldaplib}, ldapssl_client_deinit, apu_has_ldapssl_client_deinit="1", , ${extralib})
+ AC_CHECK_LIB(${ldaplib}, ldap_ssl_client_deinit, apu_has_ldap_ssl_client_deinit="1", , ${extralib})
AC_CHECK_LIB(${ldaplib}, ldapssl_add_trusted_cert, apu_has_ldapssl_add_trusted_cert="1", , ${extralib})
AC_CHECK_LIB(${ldaplib}, ldap_start_tls_s, apu_has_ldap_start_tls_s="1", , ${extralib})
AC_CHECK_LIB(${ldaplib}, ldap_sslinit, apu_has_ldap_sslinit="1", , ${extralib})
AC_CHECK_LIB(${ldaplib}, ldapssl_init, apu_has_ldapssl_init="1", , ${extralib})
+ AC_CHECK_LIB(${ldaplib}, ldap_ssl_init, apu_has_ldap_ssl_init="1", , ${extralib})
AC_CHECK_LIB(${ldaplib}, ldapssl_install_routines, apu_has_ldapssl_install_routines="1", , ${extralib})
apu_has_ldap="1";
], , ${extralib})
@@ -207,10 +210,13 @@
apu_has_ldap="0";
apu_has_ldapssl_client_init="0"
+apu_has_ldap_ssl_client_init="0"
apu_has_ldapssl_client_deinit="0"
+apu_has_ldap_ssl_client_deinit="0"
apu_has_ldapssl_add_trusted_cert="0"
apu_has_ldap_start_tls_s="0"
apu_has_ldapssl_init="0"
+apu_has_ldap_ssl_init="0"
apu_has_ldap_sslinit="0"
apu_has_ldapssl_install_routines="0"
apu_has_ldap_openldap="0"
@@ -219,6 +225,7 @@
apu_has_ldap_microsoft="0"
apu_has_ldap_netscape="0"
apu_has_ldap_mozilla="0"
+apu_has_ldap_tivoli="0"
apu_has_ldap_other="0"
AC_ARG_WITH(ldap-include,[ --with-ldap-include=path path to ldap include files with trailing slash])
@@ -320,6 +327,13 @@
apr_cv_ldap_toolkit="Mozilla"])
fi
if test "x$apr_cv_ldap_toolkit" = "x"; then
+ AC_EGREP_CPP([International Business Machines], [$lber_h
+ $ldap_h
+ LDAP_VENDOR_NAME], [apu_has_ldap_tivoli="1"
+ apr_cv_ldap_toolkit="Tivoli"])
+ fi
+
+ if test "x$apr_cv_ldap_toolkit" = "x"; then
apu_has_ldap_other="1"
apr_cv_ldap_toolkit="unknown"
fi
@@ -335,10 +349,13 @@
AC_SUBST(lber_h)
AC_SUBST(ldap_ssl_h)
AC_SUBST(apu_has_ldapssl_client_init)
+AC_SUBST(apu_has_ldap_ssl_client_init)
AC_SUBST(apu_has_ldapssl_client_deinit)
+AC_SUBST(apu_has_ldap_ssl_client_deinit)
AC_SUBST(apu_has_ldapssl_add_trusted_cert)
AC_SUBST(apu_has_ldap_start_tls_s)
AC_SUBST(apu_has_ldapssl_init)
+AC_SUBST(apu_has_ldap_ssl_init)
AC_SUBST(apu_has_ldap_sslinit)
AC_SUBST(apu_has_ldapssl_install_routines)
AC_SUBST(apu_has_ldap)
@@ -348,6 +365,7 @@
AC_SUBST(apu_has_ldap_microsoft)
AC_SUBST(apu_has_ldap_netscape)
AC_SUBST(apu_has_ldap_mozilla)
+AC_SUBST(apu_has_ldap_tivoli)
AC_SUBST(apu_has_ldap_other)
])