Hi all,

Working from the original patch at http://issues.apache.org/bugzilla/show_bug.cgi?id=41351, here is an updated patch to support SSL on the Tivoli
LDAP API.

The new patch follows the pattern of using apr_ldap_set_option to set SSL related parameters, as per the other implementations.

Support for STARTTLS (via ldap_start_tls_s_np / ldap_stop_tls_s_np, where the toolkit provides them) is also included.

I cannot properly test the patch, as I do not have access to a machine with this API.

Can someone give this a try and verify it works correctly?

Regards,
Graham
--
Index: ldap/apr_ldap_init.c
===================================================================
--- ldap/apr_ldap_init.c        (revision 598755)
+++ ldap/apr_ldap_init.c        (working copy)
@@ -110,6 +110,9 @@
 #if APR_HAS_LDAP_SSL && APR_HAS_LDAPSSL_CLIENT_DEINIT
     ldapssl_client_deinit();
 #endif
+#if APR_HAS_LDAP_SSL && APR_HAS_LDAP_SSL_CLIENT_DEINIT
+    ldap_ssl_client_deinit();
+#endif
     return APR_SUCCESS;
 
 }
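Review bot: ldap_ssl_client_deinit() is now called unconditionally on deinit, but in this patch ldap_ssl_client_init() is only ever invoked from option_set_cert when a CMS entry is configured, so on a Tivoli build that never set a certificate this will tear down a client that was never initialised. If the SDK does not tolerate deinit-without-init (not verifiable from here) a static flag set by the init path is needed; otherwise a comment stating that the call is safe when no init occurred would spare the next reader the same question, e.g. `/* Safe to call even if ldap_ssl_client_init() was never invoked */`. The enclosing function starts outside this hunk.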
@@ -149,6 +152,16 @@
     *ldap = ldapssl_init(hostname, portno, 0);
 #elif APR_HAS_LDAP_SSLINIT
     *ldap = ldap_sslinit((char *)hostname, portno, 0);
+#elif APR_HAS_LDAP_SSL_INIT
+    /* Tivoli: Third parameter is null, default CA list provided
+     * with SDK is used.
+     */
+    if (secure == APR_LDAP_SSL) {
+        *ldap = ldap_ssl_init((char *)hostname, portno, NULL);
+    }
+    else {
+        *ldap = ldap_init((char *)hostname, portno);
+    }
 #else
     *ldap = ldap_init((char *)hostname, portno);
 #endif
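Review bot: The comment above the ldap_ssl_init() call says the NULL third argument selects the SDK's default CA list, while the option_set_cert hunk in apr_ldap_option.c describes the same argument as the certificate label taken "during ldap_ssl_init"; the two cannot both be right, and if it is the label then NULL means a Tivoli connection can never present a client certificate, which is worth stating explicitly since APR_LDAP_OPT_TLS_CERT is otherwise accepted for this SDK. Once confirmed, replace the comment with one that says which it is, e.g. `/* Tivoli: third arg is the client cert label; NULL = server-auth only (trust store comes from ldap_ssl_client_init) */`. The result of ldap_ssl_init() is not checked in this hunk; presumably the existing NULL test after the #endif covers it, but that and the rest of apr_ldap_init are outside the visible lines.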
Index: ldap/apr_ldap_option.c
===================================================================
--- ldap/apr_ldap_option.c      (revision 598755)
+++ ldap/apr_ldap_option.c      (working copy)
@@ -322,6 +322,38 @@
 #endif
 #endif
 
+    /* Tivoli SDK */
+#if APR_HAS_TIVOLI_LDAPSDK
+    if (tls == APR_LDAP_SSL) {
+        result->reason = "LDAP: SSL can only be set at connection "
+                         "initialisation by APR on this version of "
+                         "the Tivoli toolkit";
+        result->rc = -1;
+    }
+#if APR_HAS_LDAP_START_TLS_S_NP
+    else if (tls == APR_LDAP_STARTTLS) {
+        result->rc = ldap_start_tls_s_np(ldap, NULL);
+        if (result->rc != LDAP_SUCCESS) {
+            result->reason = "LDAP: ldap_start_tls_s_np() failed";
+            result->msg = ldap_err2string(result->rc);
+        }
+    }
+    else if (tls == APR_LDAP_STOPTLS) {
+        result->rc = ldap_stop_tls_s_np(ldap);
+        if (result->rc != LDAP_SUCCESS) {
+            result->reason = "LDAP: ldap_stop_tls_s_np() failed";
+            result->msg = ldap_err2string(result->rc);
+        }
+    }
+#else   
+    else if (tls != APR_LDAP_NONE) {
+        result->reason = "LDAP: TLS not yet supported by APR on this "
+                         "version of the Tivoli toolkit";
+        result->rc = -1;
+    }
+#endif
+#endif
+
 #if APR_HAS_OTHER_LDAPSDK
     if (tls != APR_LDAP_NONE) {
         result->reason = "LDAP: SSL/TLS is currently not supported by "
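Review bot: ldap_stop_tls_s_np() is called under `#if APR_HAS_LDAP_START_TLS_S_NP`, but apu-conf.m4 in this patch only probes for ldap_start_tls_s_np, so a toolkit build that exports the first symbol without the second would fail at link time; either add a probe for the stop function or leave a comment that the two are assumed to ship together. When ldap_start_tls_s_np() fails the session remains in cleartext and this branch only records the code in result->rc, so callers must treat any non-success rc as fatal before binding; a one-line comment on that branch would make the downgrade risk visible, e.g. `/* On failure the connection is still plaintext; callers must not bind. */`. The `#else` on the fallback branch carries trailing whitespace. option_set_tls begins outside this hunk, so whether result->rc is pre-set to LDAP_SUCCESS for the APR_LDAP_NONE case cannot be confirmed here.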
@@ -335,7 +367,7 @@
 }
 
 /**
- * Handle APR_LDAP_OPT_TLS_CACERTFILE
+ * Handle APR_LDAP_OPT_TLS_CERT
  *
  * This function sets the CA certificate for further SSL/TLS connections.
  *
@@ -346,6 +378,7 @@
  * OpenLDAP: PEM (others supported?)
  * Microsoft: unknown
  * Solaris: unknown
+ * Tivoli: CMS database file
  */
 static void option_set_cert(apr_pool_t *pool, LDAP *ldap,
                            const void *invalue, apr_ldap_err_t *result)
@@ -577,6 +610,41 @@
     result->rc = -1;
 #endif
 
+    /* Tivoli SDK */
+#if APR_HAS_TIVOLI_LDAPSDK
+    /* Tivoli accepts a KDB file with both CAs and private keys
+     * during one-time initialization and takes a certificate label
+     * during ldap_ssl_init.
+     */
+    if (ldap) {
+        result->rc = -1;
+        result->reason = "LDAP: The Tivoli LDAP SDK cannot support the setting 
"
+                         "of certificates or keys on a per connection basis.";
+    }
+    /* Tivoli's library needs to be initialised first */
+    else {
+        for (i = 0; i < certs->nelts; i++) {
+            /* Tivoli SDK supports CMS files. */
+            switch (ents[i].type) {
+            case APR_LDAP_CA_TYPE_CMS:
+                ldap_ssl_client_init((const char *)ents[i].path,
+                                     (const char *)ents[i].password,
+                                     0, &result->rc);
+                result->msg = ldap_err2string(result->rc);
+                break;
+            default:
+                result->rc = -1;
+                result->reason = "LDAP: The Tivoli SDK only understands the "
+                                 "CMS database file type.";
+                break;
+            }
+            if (result->rc != LDAP_SUCCESS) {
+                break;
+            }
+        }
+    }
+#endif
+
     /* SDK not recognised */
 #if APR_HAS_OTHER_LDAPSDK
     result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
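Review bot: When ldap_ssl_client_init() returns a failure only result->msg is filled in and result->reason is left untouched, unlike every other error path in this block, so the caller sees a bare SDK string with no "LDAP:" context; add `if (result->rc != LDAP_SUCCESS) result->reason = "LDAP: ldap_ssl_client_init() failed";` after the call. The block is guarded by APR_HAS_TIVOLI_LDAPSDK alone while configure probes the symbol as APR_HAS_LDAP_SSL_CLIENT_INIT, so a Tivoli SDK built without the SSL library would not compile; `#if APR_HAS_TIVOLI_LDAPSDK && APR_HAS_LDAP_SSL_CLIENT_INIT` would mirror the deinit guard used in apr_ldap_init.c. The loop also calls ldap_ssl_client_init() once per CMS entry, and whether a second call rejects or silently replaces the first trust store is not visible here and should be confirmed, since silent replacement would leave only the last KDB in effect. The string literal on the `result->reason =` line is wrapped across two lines by the mailer and must be rejoined before committing; option_set_cert starts outside this hunk.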
Index: include/apr_ldap.h.in
===================================================================
--- include/apr_ldap.h.in       (revision 598755)
+++ include/apr_ldap.h.in       (working copy)
@@ -85,12 +85,16 @@
  * Detected standard functions
  */
 #define APR_HAS_LDAPSSL_CLIENT_INIT @apu_has_ldapssl_client_init@
+#define APR_HAS_LDAP_SSL_CLIENT_INIT @apu_has_ldap_ssl_client_init@
 #define APR_HAS_LDAPSSL_CLIENT_DEINIT @apu_has_ldapssl_client_deinit@
+#define APR_HAS_LDAP_SSL_CLIENT_DEINIT @apu_has_ldap_ssl_client_deinit@
 #define APR_HAS_LDAPSSL_ADD_TRUSTED_CERT @apu_has_ldapssl_add_trusted_cert@
 #define APR_HAS_LDAP_START_TLS_S @apu_has_ldap_start_tls_s@
 #define APR_HAS_LDAP_SSLINIT @apu_has_ldap_sslinit@
 #define APR_HAS_LDAPSSL_INIT @apu_has_ldapssl_init@
+#define APR_HAS_LDAP_SSL_INIT @apu_has_ldap_ssl_init@
 #define APR_HAS_LDAPSSL_INSTALL_ROUTINES @apu_has_ldapssl_install_routines@
+#define APR_HAS_LDAP_START_TLS_S_NP @apu_has_ldap_start_tls_s_np@
 
 /*
  * Make sure the secure LDAP port is defined
Index: include/apr_ldap_option.h
===================================================================
--- include/apr_ldap_option.h   (revision 598755)
+++ include/apr_ldap_option.h   (working copy)
@@ -137,6 +137,8 @@
 #define APR_LDAP_CERT_TYPE_PFX      13
 /** PKCS#12 encoded private key */
 #define APR_LDAP_KEY_TYPE_PFX       14
+/** CMS Key Database with private key and cert chain */
+#define APR_LDAP_CA_TYPE_CMS       15
 
 /**
  * Certificate structure.
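Review bot: The comment on APR_LDAP_CA_TYPE_CMS does not say how the certificate entry's fields are interpreted for this type, yet option_set_cert in apr_ldap_option.c passes `path` as the .kdb file and `password` as the key-database password to ldap_ssl_client_init(), and rejects the type on a per-connection handle. Suggest `/** CMS key database (.kdb): path = KDB file, password = KDB password; holds CAs, private key and cert chain; process-wide, set before any connection is opened */`. The identifier says CA_TYPE while the comment says private key and cert chain; if the file genuinely carries client credentials a CERT_TYPE-family name would read less misleadingly, though the value 15 is fine either way.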
Index: build/apu-conf.m4
===================================================================
--- build/apu-conf.m4   (revision 598755)
+++ build/apu-conf.m4   (working copy)
@@ -194,12 +194,16 @@
         APR_ADDTO(APRUTIL_EXPORT_LIBS,[-l${ldaplib} ${extralib}])
         APR_ADDTO(APRUTIL_LIBS,[-l${ldaplib} ${extralib}])
         AC_CHECK_LIB(${ldaplib}, ldapssl_client_init, 
apu_has_ldapssl_client_init="1", , ${extralib})
+        AC_CHECK_LIB(${ldaplib}, ldap_ssl_client_init, 
apu_has_ldap_ssl_client_init="1", , ${extralib})
         AC_CHECK_LIB(${ldaplib}, ldapssl_client_deinit, 
apu_has_ldapssl_client_deinit="1", , ${extralib})
+        AC_CHECK_LIB(${ldaplib}, ldap_ssl_client_deinit, 
apu_has_ldap_ssl_client_deinit="1", , ${extralib})
         AC_CHECK_LIB(${ldaplib}, ldapssl_add_trusted_cert, 
apu_has_ldapssl_add_trusted_cert="1", , ${extralib})
         AC_CHECK_LIB(${ldaplib}, ldap_start_tls_s, 
apu_has_ldap_start_tls_s="1", , ${extralib})
         AC_CHECK_LIB(${ldaplib}, ldap_sslinit, apu_has_ldap_sslinit="1", , 
${extralib})
         AC_CHECK_LIB(${ldaplib}, ldapssl_init, apu_has_ldapssl_init="1", , 
${extralib})
+        AC_CHECK_LIB(${ldaplib}, ldap_ssl_init, apu_has_ldap_ssl_init="1", , 
${extralib})
         AC_CHECK_LIB(${ldaplib}, ldapssl_install_routines, 
apu_has_ldapssl_install_routines="1", , ${extralib})
+        AC_CHECK_LIB(${ldaplib}, ldap_start_tls_s_np, 
apu_has_ldap_start_tls_s_np="1", , ${extralib})
         apu_has_ldap="1";
       ], , ${extralib})
   fi
@@ -215,12 +219,16 @@
 
 apu_has_ldap="0";
 apu_has_ldapssl_client_init="0"
+apu_has_ldap_ssl_client_init="0"
 apu_has_ldapssl_client_deinit="0"
+apu_has_ldap_ssl_client_deinit="0"
 apu_has_ldapssl_add_trusted_cert="0"
 apu_has_ldap_start_tls_s="0"
 apu_has_ldapssl_init="0"
+apu_has_ldap_ssl_init="0"
 apu_has_ldap_sslinit="0"
 apu_has_ldapssl_install_routines="0"
+apu_has_ldap_start_tls_s_np="0"
 apu_has_ldap_openldap="0"
 apu_has_ldap_solaris="0"
 apu_has_ldap_novell="0"
@@ -345,6 +353,13 @@
           esac
         fi
         if test "x$apr_cv_ldap_toolkit" = "x"; then
+          AC_EGREP_CPP([International Business Machines], [$lber_h
+                       $ldap_h
+                       LDAP_VENDOR_NAME], [apu_has_ldap_tivoli="1"
+                                           apr_cv_ldap_toolkit="Tivoli"])
+        fi
+
+        if test "x$apr_cv_ldap_toolkit" = "x"; then
           apu_has_ldap_other="1"
           apr_cv_ldap_toolkit="unknown"
         fi
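Review bot: This sets `apu_has_ldap_tivoli="1"`, but neither a default `apu_has_ldap_tivoli="0"` in the initialisation block, an `AC_SUBST(apu_has_ldap_tivoli)`, nor a `#define APR_HAS_TIVOLI_LDAPSDK @apu_has_ldap_tivoli@` line in apr_ldap.h.in appears anywhere in this patch; if those already exist in the tree this is fine, otherwise the `#if APR_HAS_TIVOLI_LDAPSDK` blocks in apr_ldap_option.c will either see the literal `@...@` or an empty define, both of which break `#if`. Detecting the toolkit by grepping LDAP_VENDOR_NAME follows the pattern of the checks above; a short comment naming what is being matched would help anyone diagnosing a future vendor-string change, e.g. `dnl Tivoli / IBM Directory SDK: LDAP_VENDOR_NAME contains "International Business Machines"`.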
@@ -360,12 +375,16 @@
 AC_SUBST(lber_h)
 AC_SUBST(ldap_ssl_h)
 AC_SUBST(apu_has_ldapssl_client_init)
+AC_SUBST(apu_has_ldap_ssl_client_init)
 AC_SUBST(apu_has_ldapssl_client_deinit)
+AC_SUBST(apu_has_ldap_ssl_client_deinit)
 AC_SUBST(apu_has_ldapssl_add_trusted_cert)
 AC_SUBST(apu_has_ldap_start_tls_s)
 AC_SUBST(apu_has_ldapssl_init)
+AC_SUBST(apu_has_ldap_ssl_init)
 AC_SUBST(apu_has_ldap_sslinit)
 AC_SUBST(apu_has_ldapssl_install_routines)
+AC_SUBST(apu_has_ldap_start_tls_s_np)
 AC_SUBST(apu_has_ldap)
 AC_SUBST(apu_has_ldap_openldap)
 AC_SUBST(apu_has_ldap_solaris)
