apr-dev mailing list archives

From "Eric Covener" <cove...@gmail.com>
Subject Re: [Patch] LDAP SSL support for Tivoli
Date Sat, 01 Dec 2007 16:38:02 GMT
On Dec 1, 2007 11:05 AM, Graham Leggett <minfrin@sharp.fm> wrote:
> Hi all,
>
> Working from the original patch at
> http://issues.apache.org/bugzilla/show_bug.cgi?id=41351, here is an
> updated patch to support SSL on the Tivoli
> LDAP API.
>
> The new patch follows the pattern of using apr_ldap_set_option to set
> SSL related parameters, as per the other implementations.
>

ldap_ssl_client_init() should be called once per process, not once per
connection.  Novell has a 1-time SSL initialization function called
from apr_ldap_ssl_init() already.
While the z/OS manual says calling into ldap_ssl_client_init()
repeatedly just produces an error, I've seen some reports that doing so
with different values (for the keyring) does have an effect (on non-z/OS,
where this SDK is equally useful).

It also struck me as a little odd that in apr_ldap_init (establish a
connection) calling apr_ldap_set_option(..., APR_LDAP_OPT_TLS) wasn't
conditional on SSL in either form being requested.

From a general 1.3 perspective, the Tivoli and z/OS LDAP SDK problem
with client certs is resolvable by allowing apr_ldap_init() to be passed
something indicating client cert selection (these SDKs must specify
the client cert "label" at connection time). Just mentioning in case this
meshes with anything else you're looking at.

-- 
Eric Covener
covener@gmail.com
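The two review points above (run the SDK's SSL initialisation once per process, and only touch the TLS option when SSL was actually requested) can be illustrated with a small C model. This is an added example, not code from the thread or from APR; the `fake_ldap_ssl_client_init()` and `fake_set_tls_option()` functions are constructed stand-ins for the vendor call and for `apr_ldap_set_option(..., APR_LDAP_OPT_TLS, ...)`, and the choice to reject a second init that names a different keyring (rather than silently re-running it) is an assumption made here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Process-wide state of the constructed stand-in SDK (not a real LDAP API). */
enum { KEYRING_MAX = 64 };
static int  sdk_ssl_init_calls  = 0;   /* how often the SSL init ran      */
static int  sdk_tls_option_sets = 0;   /* how often the TLS option was set */
static char sdk_keyring[KEYRING_MAX] = "";

/* Stand-in for the vendor's ldap_ssl_client_init(): records the keyring. */
static int fake_ldap_ssl_client_init(const char *keyring)
{
    sdk_ssl_init_calls++;
    snprintf(sdk_keyring, sizeof sdk_keyring, "%s", keyring);
    return 0;
}

/* Stand-in for apr_ldap_set_option(..., APR_LDAP_OPT_TLS, ...). */
static int fake_set_tls_option(void)
{
    sdk_tls_option_sets++;
    return 0;
}

void reset_counters(void)
{
    sdk_ssl_init_calls = 0;
    sdk_tls_option_sets = 0;
    sdk_keyring[0] = '\0';
}

int ssl_init_calls(void)         { return sdk_ssl_init_calls; }
int tls_option_sets(void)        { return sdk_tls_option_sets; }
const char *keyring_in_use(void) { return sdk_keyring; }

/* Strategy A (the pattern the review objects to): every connection re-runs
 * the process-wide SSL init and sets the TLS option whether or not SSL
 * was requested. */
int connect_naive(const char *keyring, int secure)
{
    (void)secure;   /* ignored: that is the bug being modelled */
    if (fake_ldap_ssl_client_init(keyring) != 0)
        return -1;
    return fake_set_tls_option();
}

/* Strategy B: one-time init behind a process-wide guard. A later call that
 * names a different keyring returns -2 instead of re-initialising, because
 * re-running the init with new values was reported to change SDK state.
 * In real APR code this flag would be protected with apr_thread_once(). */
static int  once_done = 0;
static char once_keyring[KEYRING_MAX] = "";

int ldap_ssl_init_once(const char *keyring)
{
    if (once_done)
        return strcmp(once_keyring, keyring) == 0 ? 0 : -2;
    if (fake_ldap_ssl_client_init(keyring) != 0)
        return -1;
    snprintf(once_keyring, sizeof once_keyring, "%s", keyring);
    once_done = 1;
    return 0;
}

int connect_guarded(const char *keyring, int secure)
{
    int rc;
    if (!secure)
        return 0;                       /* plain LDAP: no SSL setup at all */
    rc = ldap_ssl_init_once(keyring);
    if (rc != 0)
        return rc;
    return fake_set_tls_option();       /* TLS option only when asked for  */
}

int main(void)
{
    reset_counters();
    connect_naive("ring1", 1); connect_naive("ring1", 1); connect_naive("ring1", 0);
    printf("naive:   init calls=%d, tls sets=%d\n", ssl_init_calls(), tls_option_sets());

    reset_counters();
    connect_guarded("ring1", 1); connect_guarded("ring1", 1); connect_guarded("ring1", 0);
    printf("guarded: init calls=%d, tls sets=%d\n", ssl_init_calls(), tls_option_sets());
    printf("guarded, other keyring: rc=%d\n", connect_guarded("ring2", 1));
    return 0;
}
```

Three connections (two SSL, one plain) give three init calls and three TLS sets under the naive strategy, but one init call and two TLS sets under the guarded one; a subsequent connection naming a different keyring is refused with -2 and leaves the original keyring in force.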
