apr-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: LDAP changes in apr-util 1.0.x
Date Thu, 06 Jan 2005 23:01:16 GMT
At 04:11 PM 1/6/2005, Graham Leggett wrote:
>William A. Rowe, Jr. wrote:
>
>>Wouldn't it be *much* more economical to do something similar
>>to apr_procattr_t, where we set up all the choices beforehand,
>>and can reuse the apr_ldapopt_t over and over on each ldap
>>connection for options which do not change?
>
>All the LDAP toolkits have this concept already - you just call ldap_set_option with a
>NULL ldap handle and you set system wide properties (like defaults, and SSL params).

I meant from the perspective of apr_ldap() - for both an individual
setting and global config.

>The issue is the supporting of client certificates - which in some cases (openldap, microsoft)
>are set on a per connection basis (which makes the most sense), and in other cases are set
>on a system wide sense (novell in my understanding).

Yes, it will vary a bit.  The global flavor apr_ldap_default_set()
would be supported mostly everywhere, and per-connection options
passed to apr_ldap_init() would be supported only if available.

>Not only do we have to somehow handle this in APR, but we also need to handle this in
>httpd. Perhaps we need an httpd directive with global only scope that sets "system wide" certificates
>(AKA CA certs, but in the Novell case it could also be a client side cert valid system wide),
>as well as a local scoped per connection directive for "client certificates" (ie a per connection
>client cert, supported by Microsoft and OpenLDAP but fails with a graceful error on Novell).

Well, the very same directives in the global config would help
choose the 'default', while if restricted to a single ldap entry
they would apply only to that host.



