Fixed slapd-bdb error propogation to overlays (ITS#6633)
Fixed slapd-ldap debug output of timeout (ITS#6721)
Fixed slapd-ldap DNSSRV referral chaining (ITS#6565)
+ Fixed slapd-ldap with SASL/EXTERNAL (ITS#6642)
Fixed slapd-ndb to honor rootpw setting (ITS#6661)
Fixed slapd-meta anon retry with failed auth method (ITS#6643)
Fixed slapd-meta rebind proc (ITS#6665)
LDAP *ld = NULL;
#ifdef HAVE_TLS
int is_tls = op->o_conn->c_is_tls;
+ int flags = li->li_flags;
time_t lctime = (time_t)(-1);
slap_bindconf *sb;
#endif /* HAVE_TLS */
ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
}
+ /* if required by the bindconf configuration, force TLS */
+ if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&
+ sb->sb_tls_ctx )
+ {
+ flags |= LDAP_BACK_F_USE_TLS;
+ }
+
ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
assert( li->li_uri_mutex_do_not_lock == 0 );
li->li_uri_mutex_do_not_lock = 1;
rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls,
- li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text );
+ li->li_uri, flags, li->li_nretries, &rs->sr_text );
li->li_uri_mutex_do_not_lock = 0;
ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
if ( rs->sr_err != LDAP_SUCCESS ) {
struct berval mt_binddn;
struct berval mt_bindpw;
+ /* we only care about the TLS options here */
+ slap_bindconf mt_tls;
+
slap_idassert_t mt_idassert;
#define mt_idassert_mode mt_idassert.si_mode
#define mt_idassert_authcID mt_idassert.si_bc.sb_authcId
fname, lineno, 0 );
return 1;
}
-
+
if ( argc != 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: missing password in \"bindpw <password>\" line\n",
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
: &mi->mi_flags;
- if ( argc != 2 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: \"tls <what>\" needs 1 argument.\n",
- fname, lineno, 0 );
- return( 1 );
- }
-
/* start */
if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
*flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
return( 1 );
}
+ if ( argc > 2 ) {
+ metatarget_t *mt = NULL;
+ int i;
+
+ if ( mi->mi_ntargets - 1 < 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: need \"uri\" directive first\n",
+ fname, lineno, 0 );
+ return 1;
+ }
+
+ mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
+
+ for ( i = 2; i < argc; i++ ) {
+ if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
+ return 1;
+ }
+ bindconf_tls_defaults( &mt->mt_tls );
+ }
+
} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
unsigned *flagsp = mi->mi_ntargets ?
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
int do_return = 0;
#ifdef HAVE_TLS
int is_ldaps = 0;
+ int do_start_tls = 0;
#endif /* HAVE_TLS */
/* if the server is quarantined, and
META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
#ifdef HAVE_TLS
+ if ( !is_ldaps ) {
+ slap_bindconf *sb = NULL;
+
+ if ( ispriv ) {
+ sb = &mt->mt_idassert.si_bc;
+ } else {
+ sb = &mt->mt_tls;
+ }
+
+ if ( sb->sb_tls_do_init ) {
+ bindconf_tls_set( sb, msc->msc_ld );
+ } else if ( sb->sb_tls_ctx ) {
+ ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+ }
+
+ if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
+ do_start_tls = 1;
+
+ } else if ( META_BACK_TGT_USE_TLS( mt )
+ || ( op->o_conn->c_is_tls && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
+ {
+ do_start_tls = 1;
+ }
+ }
+
/* start TLS ("tls [try-]{start|propagate}" statement) */
- if ( ( META_BACK_TGT_USE_TLS( mt )
- || ( op->o_conn->c_is_tls
- && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
- && !is_ldaps )
- {
+ if ( do_start_tls ) {
#ifdef SLAP_STARTTLS_ASYNCHRONOUS
/*
* use asynchronous StartTLS; in case, chase referral
projects / openldap / commitdiff