nsdb_start_tls() is called only when FEDFS_SEC_TLS is set for an NSDB. It doesn't make sense to return success if no certfile is passed to it: it should be a failure, since the connection to the NSDB is not secured if there is no certificate to use.
Signed-off-by: Chuck Lever <[email protected]> --- src/libnsdb/ldap.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) diff --git a/src/libnsdb/ldap.c b/src/libnsdb/ldap.c index 5436a1e..5916c19 100644 --- a/src/libnsdb/ldap.c +++ b/src/libnsdb/ldap.c @@ -564,10 +564,6 @@ nsdb_bind(LDAP *ld, const char *binddn, const char *passwd, * @param certfile NUL-terminated C string containing pathname of X.509 cert file * @param ldap_err OUT: possibly an LDAP error code * @return a FedFsStatus code - * - * If "certfile" is not NULL, then the certfile contents are used to - * authenticate the server, and TLS must be started and operating - * before this function returns true. */ FedFsStatus nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err) @@ -575,9 +571,9 @@ nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err) int value, rc; char *uri; - /* Nothing to do if no certfile was provided */ if (certfile == NULL) - return FEDFS_OK; + return FEDFS_ERR_INVAL; + xlog(D_CALL, "%s: Using certfile %s", __func__, certfile); rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, certfile); if (rc != LDAP_OPT_SUCCESS) {
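Review bot: In the first hunk (the doc comment above nsdb_start_tls), the removed paragraph is the only place that described the certfile contract, and nothing replaces it, so the remaining kernel-doc no longer says that certfile is mandatory or that the function now fails without it. Since the point of the patch is to make a missing certificate a hard error, state that in the comment, for example "certfile must not be NULL; FEDFS_ERR_INVAL is returned if it is, and TLS is started and operating before this function returns FEDFS_OK." That also fixes the stale "returns true" wording, which never matched the FedFsStatus return type.

Review bot: In the second hunk, the new early return leaves the ldap_err OUT parameter untouched, and the removed "Nothing to do" comment is not replaced with one explaining why NULL is now rejected. A caller that reports *ldap_err whenever the status is not FEDFS_OK will read whatever was in that variable before the call, and the failure itself is silent because the new xlog call sits after the check. Consider setting *ldap_err to a defined value (the function already treats it as "possibly" set) and logging the rejection before returning FEDFS_ERR_INVAL, so an operator who configured FEDFS_SEC_TLS without a certificate gets a clear message rather than an unexplained connection failure. A one-line comment at the check ("TLS was requested but no certificate was supplied") would keep the intent visible to the next reader.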
