add per-target tls options; start tls if required by idassert (ITS#6642)
authorPierangelo Masarati <ando@openldap.org>
Thu, 9 Sep 2010 01:30:19 +0000 (01:30 +0000)
committerPierangelo Masarati <ando@openldap.org>
Thu, 9 Sep 2010 01:30:19 +0000 (01:30 +0000)
servers/slapd/back-meta/back-meta.h
servers/slapd/back-meta/config.c
servers/slapd/back-meta/conn.c

index 52276bc722273e88c72bf85391f04d161ac7b04b..e285ef4bf38b941751ea9c11fe51b652ea98938a 100644 (file)
@@ -274,6 +274,9 @@ typedef struct metatarget_t {
        struct berval           mt_binddn;
        struct berval           mt_bindpw;
 
+       /* we only care about the TLS options here */
+       slap_bindconf           mt_tls;
+
        slap_idassert_t         mt_idassert;
 #define        mt_idassert_mode        mt_idassert.si_mode
 #define        mt_idassert_authcID     mt_idassert.si_bc.sb_authcId
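Review bot: The new `mt_tls` member carries a TLS context (`sb_tls_ctx`, as the conn.c hunk uses it) plus whatever `bindconf_tls_parse` stores, but nothing in this commit shows it being released when a target is torn down; if the target cleanup path does not call `bindconf_free( &mt->mt_tls )` or a TLS-only equivalent, each configured target would leak its context on shutdown or config reload — worth confirming against the destroy code, which is outside this diff. The comment `/* we only care about the TLS options here */` could state the contract more precisely, e.g. `/* only the sb_tls_* members are used; bind identity stays in mt_binddn/mt_bindpw */`, so nobody later reads URI/DN/password fields from it. The struct metatarget_t continues outside the hunk.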
index fecc0a4e89c283163785bda7527ff9d485017092..e6de08a8ebec085754efaf606f7b7ebbac0e5d8c 100644 (file)
@@ -620,7 +620,7 @@ meta_back_db_config(
                                fname, lineno, 0 );
                        return 1;
                }
-               
+
                if ( argc != 2 ) {
                        Debug( LDAP_DEBUG_ANY,
        "%s: line %d: missing password in \"bindpw <password>\" line\n",
@@ -709,13 +709,6 @@ meta_back_db_config(
                                &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
                                : &mi->mi_flags;
 
-               if ( argc != 2 ) {
-                       Debug( LDAP_DEBUG_ANY,
-               "%s: line %d: \"tls <what>\" needs 1 argument.\n",
-                               fname, lineno, 0 );
-                       return( 1 );
-               }
-
                /* start */
                if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
                        *flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
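Review bot: With the `argc != 2` guard removed, a bare `tls` directive with no argument now reaches `strcasecmp( argv[ 1 ], "start" )` on the next line with argv[1] beyond the supplied arguments, which is most likely a NULL dereference inside strcasecmp; the new check in the following hunk only handles `argc > 2`, not `argc < 2`. A minimum-argument check should replace the removed one, for example `if ( argc < 2 ) { Debug( LDAP_DEBUG_ANY, "%s: line %d: \"tls <what> [<tls option>...]\" needs at least 1 argument.\n", fname, lineno, 0 ); return( 1 ); }` placed where the old block was. meta_back_db_config continues outside the hunk.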
@@ -741,6 +734,26 @@ meta_back_db_config(
                        return( 1 );
                }
 
+               if ( argc > 2 ) {
+                       metatarget_t    *mt = NULL;
+                       int             i;
+
+                       if ( mi->mi_ntargets - 1 < 0 ) {
+                               Debug( LDAP_DEBUG_ANY,
+               "%s: line %d: need \"uri\" directive first\n",
+                                       fname, lineno, 0 );
+                               return 1;
+                       }
+
+                       mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
+
+                       for ( i = 2; i < argc; i++ ) {
+                               if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
+                                       return 1;
+                       }
+                       bindconf_tls_defaults( &mt->mt_tls );
+               }
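Review bot: The `return 1` after a failed `bindconf_tls_parse( argv[i], &mt->mt_tls )` is the only error exit in this directive that does not log the file name and line number the way every neighbouring error path does, so an unrecognised or malformed TLS option on a `tls` line is hard to diagnose unless bindconf_tls_parse reports it itself. Add `Debug( LDAP_DEBUG_ANY, "%s: line %d: unable to parse tls option \"%s\"\n", fname, lineno, argv[i] );` before that return. The guard `if ( mi->mi_ntargets - 1 < 0 )` reads more directly as `if ( mi->mi_ntargets < 1 )`, matching the `mi->mi_ntargets ?` test used for flagsp just above. meta_back_db_config continues outside the hunk.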
+
        } else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
                unsigned        *flagsp = mi->mi_ntargets ?
                                &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
index 43511baf852166ac9b960acb7abdac6fb5b956a4..7d7cc92507108e7a0c9b3f5f0e42a0e44a3aaefa 100644 (file)
@@ -281,6 +281,7 @@ meta_back_init_one_conn(
        int                     do_return = 0;
 #ifdef HAVE_TLS
        int                     is_ldaps = 0;
+       int                     do_start_tls = 0;
 #endif /* HAVE_TLS */
 
        /* if the server is quarantined, and
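Review bot: `do_start_tls` is declared here without a comment, and its meaning is only recoverable from the later hunk where it is set from either the idassert TLS context or the tls start/propagate flags; a one-line comment on the declaration would spare the reader that search, e.g. `/* nonzero when StartTLS must be issued: idassert TLS config, or tls start/propagate */`. meta_back_init_one_conn starts before this hunk.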
@@ -421,12 +422,33 @@ retry_lock:;
                META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
 
 #ifdef HAVE_TLS
+       if ( !is_ldaps ) {
+               slap_bindconf *sb = NULL;
+
+               if ( ispriv ) {
+                       sb = &mt->mt_idassert.si_bc;
+               } else {
+                       sb = &mt->mt_tls;
+               }
+
+               if ( sb->sb_tls_do_init ) {
+                       bindconf_tls_set( sb, msc->msc_ld );
+               } else if ( sb->sb_tls_ctx ) {
+                       ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+               }
+
+               if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
+                       do_start_tls = 1;
+
+               } else if ( META_BACK_TGT_USE_TLS( mt )
+                       || ( op->o_conn->c_is_tls && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
+               {
+                       do_start_tls = 1;
+               }
+       }
+
        /* start TLS ("tls [try-]{start|propagate}" statement) */
-       if ( ( META_BACK_TGT_USE_TLS( mt )
-               || ( op->o_conn->c_is_tls
-                       && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
-               && !is_ldaps )
-       {
+       if ( do_start_tls ) {
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
                /*
                 * use asynchronous StartTLS; in case, chase referral