Attached is a patch for allowing apr-util LDAP to use the Tivoli
Directory Server SDK from IBM.

Simple SSL connections work without any explicit configuration because
the SDK ships with a Key Database that contains the usual public CAs.

This Key Database, used for Certificate Authorities and private keys,
can only effectively be set during the one-time
ldap_ssl_client_init()/apr_ldap_ssl_init(), and this does work via
apr-util if the application passes in the cert_auth_file.

A private key can be selected for client authentication during the
per-connection ldap_ssl_init()/apr_ldap_init(), but this doesn't mesh
very well with the current apr-util LDAP interface. Allowing this
would only require an additional char* passed to apr_ldap_init().

Neither the keyring nor the name of the private cert is settable via
the ldap_set_option interface, which unfortunately differs from other
supported LDAP SDKs.

I was able to get a small test program to work over SSL, as well as
httpd with a tiny change to actually pass the "secure" parameter to
apr_ldap_init().

v5.2 SDK readme:
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSCreadme52/en_US/HTML/client.htm
v5.2 SDK programmers reference:
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSprogref52/en_US/HTML/progref.htm
Product Page: (appears client/SDK bundled in large ldap server package)
http://www-306.ibm.com/software/tivoli/products/directory-server/
--
Eric Covener
covener@gmail.com