From: Graham Leggett
To: Brad Nicholes
Cc: dev@apr.apache.org, wrowe@rowe-clan.net
Subject: Re: LDAP changes in apr-util 1.0.x
Date: Thu, 06 Jan 2005 21:44:41 +0200
Message-ID: <41DD9529.6070300@sharp.fm>

Brad Nicholes wrote:

>>How are client certificates specified within the Novell toolkit?
> With the APIs ldapssl_set_client_cert() and
> ldapssl_set_client_private_key()

Can you do this after ldap_init()?

My thinking is to teach apr_ldap_set_option(ld, APR_LDAP_OPT_TLS_*CERT*, cert|key) to do this:

    apr_ldap_set_option(ld, option, value) {
        if (toolkit == novell) {
            if (option == set-client-cert) {
                ldapssl_set_client_cert()
                return
            }
            if (option == set-client-key) {
                ldapssl_set_client_private_key()
                return
            }
            if (option == set-tls-to-start-tls) {
                ldapssl_start_tls()
                return
            }
        }
        if (toolkit == microsoft) {
            do microsoft flavoured stuff
            return
        }
        // else default to simple setting of options
        ldap_set_option(option, value)
    }

This causes the Novell toolkit and Microsoft toolkit to behave like the OpenLDAP toolkit, which has the cleanest interface out of all of them.

First you do apr_ldap_init(...secure = 0...), then you do apr_set_option() for client certs and starttls/ssl, then you do ldap_bind().

The secure flag in apr_ldap_init() can be for legacy toolkits that cannot support upgrading the connection after the fact, but my research so far hasn't uncovered any toolkit where this is a problem.

Regards,
Graham