use asynchronous Start TLS exop; allow propagating TLS if used in the original connec...

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index c9253f9d1f99fc2f4ff15fc999577875c95ac837..cde1d7e5e5cc93ad3aeb65b7260e3ae9c18d07dd 100644 (file)
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -249,12 +249,20 @@ underlying libldap, with rebinding eventually performed if the
 .RE
 
 .LP
-.B start-tls
+.B tls-start
 .br
-.B try-start-tls
+.B tls-try-start
+.br
+.B tls-propagate
+.br
+.B tls-try-propagate
 .RS
-execute the start TLS extended operation when the connection is initialized.
-\fBtry-start-tls\fP continues operations if start TLS fails.
+execute the start TLS extended operation when the connection is initialized;
+only works if the URI directive protocol scheme is not \fBldaps://\fP.
+The \fBtls-propagate\fP version issues the Start TLS exop only if the original
+connection did.
+\fBtry-start-tls\fP and \fBtry-propagate-tls\fP continue operations
+if start TLS failed.
 .RE
 
 

diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index f881c387495f499e684b0cf691884c8682b04d35..48b2e949ad14c4f1e718cfd72ec087037dbf5d00 100644 (file)
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -94,8 +94,16 @@ struct ldapinfo {
 #define LDAP_BACK_F_NONE               0x00U
 #define LDAP_BACK_F_SAVECRED           0x01U
 #define LDAP_BACK_F_USE_TLS            0x02U
-#define LDAP_BACK_F_TLS_CRITICAL       ( 0x04U | LDAP_BACK_F_USE_TLS )
-#define LDAP_BACK_F_CHASE_REFERRALS    0x8U
+#define LDAP_BACK_F_PROPAGATE_TLS      0x04U
+#define LDAP_BACK_F_TLS_CRITICAL       0x08U
+#define LDAP_BACK_F_CHASE_REFERRALS    0x10U
+
+#define LDAP_BACK_SAVECRED(li)         ( (li)->flags & LDAP_BACK_F_SAVECRED )
+#define LDAP_BACK_USE_TLS(li)          ( (li)->flags & LDAP_BACK_F_USE_TLS )
+#define LDAP_BACK_PROPAGATE_TLS(li)    ( (li)->flags & LDAP_BACK_F_PROPAGATE_TLS )
+#define LDAP_BACK_TLS_CRITICAL(li)     ( (li)->flags & LDAP_BACK_F_TLS_CRITICAL )
+#define LDAP_BACK_CHASE_REFERRALS(li)  ( (li)->flags & LDAP_BACK_F_CHASE_REFERRALS )
+
        Avlnode         *conntree;
 
        int             rwm_started;

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 817235ee3a36d7d957bac16540b95c534bbe6111..c1c9791fd7350387dad4a049be8f43012197215f 100644 (file)
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -87,7 +87,7 @@ ldap_back_bind( Operation *op, SlapReply *rs )
                lc->lc_bound = 1;
                ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn );
 
-               if ( li->flags & LDAP_BACK_F_SAVECRED ) {
+               if ( LDAP_BACK_SAVECRED( li ) ) {
                        if ( !BER_BVISNULL( &lc->lc_cred ) ) {
                                memset( lc->lc_cred.bv_val, 0,
                                                lc->lc_cred.bv_len );
@@ -242,21 +242,64 @@ ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, lda
        ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers );
 
        /* automatically chase referrals ("chase-referrals"/"dont-chase-referrals" statement) */
-       if ( li->flags & LDAP_BACK_F_CHASE_REFERRALS ) {
+       if ( LDAP_BACK_CHASE_REFERRALS( li ) ) {
                ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON );
        }
 
        /* start TLS ("start-tls"/"try-start-tls" statements) */
-       if ( ( li->flags & LDAP_BACK_F_USE_TLS )
-                       && !ldap_is_ldaps_url( li->url )
-                       && ( rs->sr_err = ldap_start_tls_s( ld, NULL, NULL ) ) != LDAP_SUCCESS )
-       {
+       if ( ( LDAP_BACK_USE_TLS( li ) || ( op->o_conn->c_is_tls && LDAP_BACK_PROPAGATE_TLS( li ) ) )
+                               && !ldap_is_ldaps_url( li->url ) ) {
+               int             rc, msgid;
+               LDAPMessage     *res;
+               int             retries = 1;
+
+retry:;
+               rc = ldap_start_tls( ld, NULL, NULL, &msgid );
+               if ( rc == LDAP_SUCCESS ) {
+                       struct timeval  tv = { 0, 0 };
+
+                       rc = ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res );
+                       if ( rc < 0 ) {
+                               rs->sr_err = LDAP_OTHER;
+
+                       } else if ( rc == 0 ) {
+                               if ( retries ) {
+                                       retries--;
+                                       tv.tv_sec = 0;
+                                       tv.tv_usec = 100000;
+                                       goto retry;
+                               }
+                               rs->sr_err = LDAP_OTHER;
+
+                       } else {
+                               if ( rc == LDAP_RES_EXTENDED ) {
+                                       rc = ldap_parse_result( ld, res,
+                                               &rs->sr_err, NULL, NULL, NULL, NULL, 1 );
+                                       if ( rc != LDAP_SUCCESS ) {
+                                               rs->sr_err = rc;
+
+                                       /* FIXME: in case a referral 
+                                        * is returned, should we try
+                                        * using it instead of the 
+                                        * configured URI? */
+                                       } else if ( rs->sr_err == LDAP_REFERRAL ) {
+                                               rs->sr_err = LDAP_OTHER;
+                                               rs->sr_text = "unwilling to chase referral returned by Start TLS exop";
+                                       }
+
+                               } else {
+                                       ldap_msgfree( res );
+                                       rs->sr_err = LDAP_OTHER;
+                               }
+                       }
+               }
+
                /* if StartTLS is requested, only attempt it if the URL
                 * is not "ldaps://"; this may occur not only in case
                 * of misconfiguration, but also when used in the chain 
                 * overlay, where the "uri" can be parsed out of a referral */
                if ( rs->sr_err == LDAP_SERVER_DOWN
-                               || ( li->flags & LDAP_BACK_F_TLS_CRITICAL ) )
+                               || ( rs->sr_err != LDAP_SUCCESS && LDAP_BACK_TLS_CRITICAL( li ) ) )
                {
                        ldap_unbind_ext_s( ld, NULL, NULL );
                        goto error_return;

diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index afd8f712041c8a4b2f86764607f3ed35516be5a8..436c713c573671045a21fc92d0b10032adbce3bb 100644 (file)
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -213,26 +213,50 @@ ldap_back_db_config(
                li->url = ch_strdup( argv[ 1 ] );
 #endif
 
-       /* start tls */
-       } else if ( strcasecmp( argv[0], "start-tls" ) == 0 ) {
-               if ( argc != 1 ) {
-                       fprintf( stderr,
-       "%s: line %d: start-tls takes no arguments\n",
-                                       fname, lineno );
-                       return( 1 );
-               }
-               li->flags |= LDAP_BACK_F_TLS_CRITICAL;
+       } else if ( strncasecmp( argv[0], "tls-", STRLENOF( "tls-" ) ) == 0 ) {
+
+               /* start tls */
+               if ( strcasecmp( argv[0], "tls-start" ) == 0 ) {
+                       if ( argc != 1 ) {
+                               fprintf( stderr,
+               "%s: line %d: tls-start takes no arguments\n",
+                                               fname, lineno );
+                               return( 1 );
+                       }
+                       li->flags |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
        
-       /* try start tls */
-       } else if ( strcasecmp( argv[0], "try-start-tls" ) == 0 ) {
-               if ( argc != 1 ) {
-                       fprintf( stderr,
-       "%s: line %d: try-start-tls takes no arguments\n",
-                                       fname, lineno );
-                       return( 1 );
+               /* try start tls */
+               } else if ( strcasecmp( argv[0], "tls-try-start" ) == 0 ) {
+                       if ( argc != 1 ) {
+                               fprintf( stderr,
+               "%s: line %d: tls-try-start takes no arguments\n",
+                                               fname, lineno );
+                               return( 1 );
+                       }
+                       li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
+                       li->flags |= LDAP_BACK_F_USE_TLS;
+       
+               /* propagate start tls */
+               } else if ( strcasecmp( argv[0], "tls-propagate" ) == 0 ) {
+                       if ( argc != 1 ) {
+                               fprintf( stderr,
+               "%s: line %d: tls-propagate takes no arguments\n",
+                                               fname, lineno );
+                               return( 1 );
+                       }
+                       li->flags |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+               
+               /* try start tls */
+               } else if ( strcasecmp( argv[0], "tls-try-propagate" ) == 0 ) {
+                       if ( argc != 1 ) {
+                               fprintf( stderr,
+               "%s: line %d: tls-try-propagate takes no arguments\n",
+                                               fname, lineno );
+                               return( 1 );
+                       }
+                       li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
+                       li->flags |= LDAP_BACK_F_PROPAGATE_TLS;
                }
-               li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
-               li->flags |= LDAP_BACK_F_USE_TLS;
        
        /* name to use for ldap_back_group */
        } else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
@@ -723,7 +747,7 @@ parse_idassert(
                                                li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
 
                                        } else {
-                                               fprintf( stderr, "%s: line %s: "
+                                               fprintf( stderr, "%s: line %d: "
                                                        "unknown authz mode \"%s\"\n",
                                                        fname, lineno, val );
                                                return 1;