From 1760501cea561c2794b1bfaf0e619a531a654799 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Thu, 9 Sep 2010 01:30:19 +0000
Subject: [PATCH] add per-target tls options; start tls if required by idassert (ITS#6642)

---
 servers/slapd/back-meta/back-meta.h | 3 +++
 servers/slapd/back-meta/config.c | 29 ++++++++++++++++++--------
 servers/slapd/back-meta/conn.c | 32 ++++++++++++++++++++++++-----
 3 files changed, 51 insertions(+), 13 deletions(-)

diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h
index 52276bc722..e285ef4bf3 100644
--- a/servers/slapd/back-meta/back-meta.h
+++ b/servers/slapd/back-meta/back-meta.h
@@ -274,6 +274,9 @@ typedef struct metatarget_t {
 struct berval mt_binddn;
 struct berval mt_bindpw;
+ /* we only care about the TLS options here */
+ slap_bindconf mt_tls;
+
 slap_idassert_t mt_idassert;
 #define mt_idassert_mode mt_idassert.si_mode
 #define mt_idassert_authcID mt_idassert.si_bc.sb_authcId
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index fecc0a4e89..e6de08a8eb 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -620,7 +620,7 @@ meta_back_db_config(
 fname, lineno, 0 );
 return 1;
 }
-
+
 if ( argc != 2 ) {
 Debug( LDAP_DEBUG_ANY,
 "%s: line %d: missing password in \"bindpw \" line\n",
@@ -709,13 +709,6 @@ meta_back_db_config(
 &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
 : &mi->mi_flags;
- if ( argc != 2 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: \"tls \" needs 1 argument.\n",
- fname, lineno, 0 );
- return( 1 );
- }
-
 /* start */
 if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
 *flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
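Review bot: `mt_tls` embeds a whole `slap_bindconf` in `metatarget_t`, yet the diffstat lists only back-meta.h, config.c and conn.c, so nothing in this patch visibly initialises the member when a target is created or releases it when the target is torn down; the option strings that `bindconf_tls_parse()` stores into it, and the TLS context later held in `sb_tls_ctx`, would outlive the target unless the target destructor (outside this patch) already calls `bindconf_free( &mt->mt_tls )` or an equivalent. The comment could also state which members are meaningful, e.g. `/* only the sb_tls_* members are used; the bind identity stays in mt_binddn/mt_bindpw */`. The struct definition begins before and ends after this hunk.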
@@ -741,6 +734,26 @@ meta_back_db_config(
 return( 1 );
 }
+ if ( argc > 2 ) {
+ metatarget_t *mt = NULL;
+ int i;
+
+ if ( mi->mi_ntargets - 1 < 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: need \"uri\" directive first\n",
+ fname, lineno, 0 );
+ return 1;
+ }
+
+ mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
+
+ for ( i = 2; i < argc; i++ ) {
+ if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
+ return 1;
+ }
+ bindconf_tls_defaults( &mt->mt_tls );
+ }
+
 } else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
 unsigned *flagsp = mi->mi_ntargets
 ? &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c
index 43511baf85..7d7cc92507 100644
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@@ -281,6 +281,7 @@ meta_back_init_one_conn(
 int do_return = 0;
 #ifdef HAVE_TLS
 int is_ldaps = 0;
+ int do_start_tls = 0;
 #endif /* HAVE_TLS */
 /* if the server is quarantined, and
@@ -421,12 +422,33 @@ retry_lock:;
 META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
 #ifdef HAVE_TLS
+ if ( !is_ldaps ) {
+ slap_bindconf *sb = NULL;
+
+ if ( ispriv ) {
+ sb = &mt->mt_idassert.si_bc;
+ } else {
+ sb = &mt->mt_tls;
+ }
+
+ if ( sb->sb_tls_do_init ) {
+ bindconf_tls_set( sb, msc->msc_ld );
+ } else if ( sb->sb_tls_ctx ) {
+ ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+ }
+
+ if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
+ do_start_tls = 1;
+
+ } else if ( META_BACK_TGT_USE_TLS( mt )
+ || ( op->o_conn->c_is_tls && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
+ {
+ do_start_tls = 1;
+ }
+ }
+
 /* start TLS ("tls [try-]{start|propagate}" statement) */
- if ( ( META_BACK_TGT_USE_TLS( mt )
- || ( op->o_conn->c_is_tls
- && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
- && !is_ldaps )
- {
+ if ( do_start_tls ) {
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
 /*
 * use asynchronous StartTLS; in case, chase referral
--
2.39.5
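Review bot: With the old `argc != 2` guard removed in the @@ -709 hunk, the `tls` branch no longer has a lower bound on `argc`, so a bare `tls` line reaches `strcasecmp( argv[ 1 ], "start" )` (in the context above this hunk) with no argument — an out-of-range read, or a NULL passed to strcasecmp() if the config parser NUL-terminates argv; restore a minimum at the top of the branch, e.g. `if ( argc < 2 ) { Debug( LDAP_DEBUG_ANY, "%s: line %d: \"tls\" needs at least 1 argument.\n", fname, lineno, 0 ); return( 1 ); }`. The new test `mi->mi_ntargets - 1 < 0` reads more directly as `mi->mi_ntargets == 0` and stops depending on `mi_ntargets` being a signed type, which this hunk does not show. The `bindconf_tls_parse()` failure path returns without a Debug line naming `fname` and `lineno`, unlike every other error exit in this function; logging the offending `argv[i]` before `return 1;` would keep the diagnostics consistent. meta_back_db_config() begins before and ends after this hunk.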
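Review bot: The results of `bindconf_tls_set( sb, msc->msc_ld )` and of the `ldap_set_option( ..., LDAP_OPT_X_TLS_CTX, ... )` call are discarded, so a TLS option that fails to apply (bad CA or certificate path) is not detected here; if that leaves `sb->sb_tls_ctx` NULL, the idassert branch never sets `do_start_tls` and the privileged bind goes out without the TLS the administrator configured, while the non-idassert branch attempts StartTLS with library defaults instead of the configured options. Check both return values and take the function's existing failure exit so a misconfiguration fails loudly rather than silently degrading. The idassert branch also requests StartTLS solely because `sb_tls_ctx` is set, but the failure handling for `do_start_tls` lies below this hunk; if it still keys only on `META_BACK_TGT_TLS_CRITICAL( mt )`, a target without `tls start`/`tls propagate` will tolerate a failed StartTLS and send the idassert credentials in the clear, so either treat that case as critical or record the decision in a comment such as `/* TLS configured on the idassert identity: StartTLS failure must abort the bind */`. The `sb_tls_do_init` check-then-set mutates the shared per-target bindconf with no visible locking, which is worth confirming against concurrent meta_back_init_one_conn() calls for the same target. meta_back_init_one_conn() continues past the end of the hunk.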