On Dec 1, 2007 11:05 AM, Graham Leggett <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Working from the original patch at
> http://issues.apache.org/bugzilla/show_bug.cgi?id=41351, here is an
> updated patch to support SSL on the Tivoli LDAP API.
>
> The new patch follows the pattern of using apr_ldap_set_option to set
> SSL related parameters, as per the other implementations.
ldap_ssl_client_init() should be called once per process, not once per connection. Novell has a 1-time SSL initialization function called from apr_ldap_ssl_init() already. While the z/OS manual says calling into ldap_ssl_client_init() repeatedly just produces an error, I've seen some reports that doing so with different values (for the keyring) does have an effect (on non-z/OS, where this SDK is equally useful).

It also struck me as a little odd that in apr_ldap_init (establish a connection) calling apr_ldap_set_option(..., APR_LDAP_OPT_TLS) wasn't conditional on SSL in either form being requested.

From a general 1.3 perspective, the Tivoli and z/OS LDAP SDK problem with client certs is resolvable by allowing apr_ldap_init() to be passed something indicating client cert selection (these SDKs must specify the client cert "label" at connection time). Just mentioning it in case this meshes with anything else you're looking at.

--
Eric Covener
[EMAIL PROTECTED]
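The two review points above (one-shot, process-wide SSL client initialisation, and touching SSL state only when a secure mode was actually requested) as an added C example; this is not APR's or the patch's code, and the Tivoli/z/OS ldap_ssl_client_init() call is replaced by a hypothetical recorded stand-in so the example runs offline:

```c
#include <stddef.h>
#include <string.h>

/* Added example, not APR code. The real SDK call is replaced by a stand-in
   that only records that it was invoked; a real implementation would also
   serialise ldap_ssl_init_once() with a process-wide lock (apr_thread_once
   or similar), which is left out here to keep the example self-contained. */

enum { LDAP_SSL_NONE = 0, LDAP_SSL_LDAPS = 1, LDAP_SSL_STARTTLS = 2 };

static int  g_init_done = 0;
static char g_keyring[256];
static int  g_backend_calls = 0;   /* how often the SDK init was really invoked */

/* Hypothetical stand-in for the SDK's one-time SSL client initialisation. */
static int sdk_ssl_client_init(const char *keyring)
{
    g_backend_calls++;
    return (keyring && *keyring) ? 0 : -1;
}

/* Process-wide guard: 0 = initialised now, 1 = already initialised with the
   same keyring, -1 = a different keyring was requested after initialisation
   (refused, since repeated init with new values must not silently take
   effect), -2 = the SDK initialisation itself failed. */
int ldap_ssl_init_once(const char *keyring)
{
    if (g_init_done)
        return strcmp(g_keyring, keyring) == 0 ? 1 : -1;
    if (sdk_ssl_client_init(keyring) != 0)
        return -2;
    strncpy(g_keyring, keyring, sizeof g_keyring - 1);
    g_keyring[sizeof g_keyring - 1] = '\0';
    g_init_done = 1;
    return 0;
}

/* Per-connection setup: SSL state is only touched when LDAPS or STARTTLS
   was requested; a plain LDAP connection never triggers the SDK init. */
int ldap_connection_setup(int ssl_mode, const char *keyring)
{
    if (ssl_mode == LDAP_SSL_NONE)
        return 0;
    int rv = ldap_ssl_init_once(keyring);
    return rv < 0 ? rv : 0;      /* "already initialised" is fine for a connection */
}

int ldap_ssl_backend_calls(void) { return g_backend_calls; }
```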
