ITS#4072 ldap_pvt_tls_init_def_ctx() returns LDAP_NO_SUPPORT if not
authorHoward Chu <hyc@openldap.org>
Sun, 9 Oct 2005 19:55:39 +0000 (19:55 +0000)
committerHoward Chu <hyc@openldap.org>
Sun, 9 Oct 2005 19:55:39 +0000 (19:55 +0000)
sufficiently configured. Update slapd/slurpd to act appropriately.

libraries/libldap/tls.c
servers/slapd/extended.c
servers/slapd/main.c
servers/slurpd/main.c

index 6b3d998bfdda0d8e17cc67c7d7d8bdc598026624..093d3360efa3e3604be1ba5c2d6e680c2024800c 100644 (file)
@@ -203,6 +203,12 @@ ldap_pvt_tls_init_def_ctx( void )
        char *certfile = tls_opt_certfile;
        char *keyfile = tls_opt_keyfile;
 
+#ifdef LDAP_R_COMPILE
+       ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+#endif
+       if (( !cacertfile && !cacertdir ) || !certfile || !keyfile )
+               return LDAP_NOT_SUPPORTED;
+
 #ifdef HAVE_EBCDIC
        /* This ASCII/EBCDIC handling is a real pain! */
        if ( ciphersuite ) {
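Review bot: The new `return LDAP_NOT_SUPPORTED;` fires after `ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex )` has already been taken, so in an LDAP_R_COMPILE build the mutex is never released and the next caller of ldap_pvt_tls_init_def_ctx() blocks on it. The configuration check only reads the tls_opt_* globals and needs no lock, so it should come first: move `if (( !cacertfile && !cacertdir ) || !certfile || !keyfile ) return LDAP_NOT_SUPPORTED;` above the `#ifdef LDAP_R_COMPILE` lock block. Separately, requiring both certfile and keyfile means a caller that configures only a CA certificate (the usual client setup for verifying a server) now gets LDAP_NOT_SUPPORTED too; if this function also serves the client path, the certificate/key requirement presumably belongs to the server case only — worth confirming. The function's body continues past the hunk.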
@@ -226,10 +232,6 @@ ldap_pvt_tls_init_def_ctx( void )
                __atoe( keyfile );
        }
 #endif
-
-#ifdef LDAP_R_COMPILE
-       ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
-#endif
        if ( tls_def_ctx == NULL ) {
                int i;
                tls_def_ctx = SSL_CTX_new( SSLv23_method() );
index 33a8a11807be07f392305a05ac79844c4f1b9b0c..bef3b965604c05eb7a7da277da331cd659850258 100644 (file)
@@ -69,9 +69,6 @@ static struct {
        { &slap_EXOP_CANCEL, SLAP_EXOP_HIDE, cancel_extop },
        { &slap_EXOP_WHOAMI, 0, whoami_extop },
        { &slap_EXOP_MODIFY_PASSWD, SLAP_EXOP_WRITES, passwd_extop },
-#ifdef HAVE_TLS
-       { &slap_EXOP_START_TLS, 0, starttls_extop },
-#endif
        { NULL, 0, NULL }
 };
 
index 6a7ebec0ffd20434644936205fa1c0965eba7666..7de2855ba472ea9ee90ade3032709e1e3e9e36fd 100644 (file)
@@ -669,7 +669,12 @@ unhandled_option:;
                ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL );
 
                rc = ldap_pvt_tls_init_def_ctx();
-               if( rc != 0) {
+               if( rc == 0) {
+                       ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
+                       /* Restore previous ctx */
+                       ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );
+                       load_extop( &slap_EXOP_START_TLS, 0, starttls_extop );
+               } else if ( rc != LDAP_NOT_SUPPORTED ) {
                        Debug( LDAP_DEBUG_ANY,
                            "main: TLS init def ctx failed: %d\n",
                            rc, 0, 0 );
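Review bot: When ldap_pvt_tls_init_def_ctx() returns LDAP_NOT_SUPPORTED the new `else if` silently skips both the failure path and `load_extop( &slap_EXOP_START_TLS, 0, starttls_extop )`, so a slapd whose TLS settings are incomplete (no CA, certificate or key) now starts and serves plaintext with StartTLS unadvertised, where it previously refused to start, and nothing is logged. That is a quiet downgrade an operator should see: add an `else { Debug( LDAP_DEBUG_ANY, "main: TLS not configured (no CA, certificate or key), StartTLS disabled\n", 0, 0, 0 ); }` branch, and consider treating a configured ldaps:// listener as a hard error in this case, as the slurpd change does for "ldaps:" replica URIs. The return value of load_extop() is also discarded; a failed registration would leave StartTLS missing despite a working TLS context, so `if ( load_extop( &slap_EXOP_START_TLS, 0, starttls_extop ) )` should take the same failure path. The enclosing if block ends outside the hunk.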
@@ -677,10 +682,6 @@ unhandled_option:;
                        SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
                        goto destroy;
                }
-               /* Retrieve slapd's own ctx */
-               ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
-               /* Restore previous ctx */
-               ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );
        }
 #endif
 
index 4984a6a50f8da9e4a9f34019a61fd959eb2c52d7..ccd75e7ed0398f6227fea53a7c2c87289fb394e4 100644 (file)
@@ -156,10 +156,20 @@ int main( int argc, char **argv )
 
 #ifdef HAVE_TLS
        if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
-               fprintf( stderr, "TLS Initialization failed.\n" );
-               SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
-               rc = 1;
-               goto stop;
+               rc = 0;
+               /* See if we actually need TLS */
+               for ( i=0; i < sglob->num_replicas; i++ ) {
+                       if ( sglob->replicas[i]->ri_tls || ( sglob->replicas[i]->ri_uri &&
+                               !strncmp( sglob->replicas[i]->ri_uri, "ldaps:", 6 ))) {
+                               rc = 1;
+                               break;
+                       }
+               }
+               if ( rc ) {
+                       fprintf( stderr, "TLS Initialization failed.\n" );
+                       SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
+                       goto stop;
+               }
        }
 #endif