On 22-Mar-05, at 5:17 PM, Graham Leggett wrote:
This is also broken - the LDAPTrustedClientCert is supposed to have scope on a per directory basis.
To fix this, we would need to add a directory config creator, and a directory config merger, is that correct?
Sure, but then there is still a problem with .htaccess files. The client_certs array will have been allocated in the request pool during the merge operation for the .htaccess file, but it then may be copied into the global connection cache; currently, the code only copies the array header (at line 525). So you'd end up with dangling pointers after the request finished. If, on the other hand, the strings were copied into the server or config pools, then they would slowly consume memory. The most plausible solution might be to manually manage connection cache memory with malloc instead of using pool-allocated memory.
Although now that I look at the file again, I see that it never would have worked anyway because at line 1546, the function util_ldap_set_trusted_client_cert stores the certificate in st->global_certs instead of st->client_certs.
I also wonder about the two apr_array_append calls at line 1671 in util_ldap_merge_config. The second one would mean that the client certs specified in LDAPTrustedClientCerts would be appended to the list of client certs inherited from some containing section. This might be counter-intuitive if the certs are supposed to be directory scoped. I'm not sure what the use case for this directive would be, so it's hard to know for sure.
