apr-dev mailing list archives

From "Eric Covener" <cove...@gmail.com>
Subject Re: [Patch] LDAP SSL support for Tivoli
Date Sat, 01 Dec 2007 16:38:02 GMT
On Dec 1, 2007 11:05 AM, Graham Leggett <minfrin@sharp.fm> wrote:
> Hi all,
> Working from the original patch at
> http://issues.apache.org/bugzilla/show_bug.cgi?id=41351, here is an
> updated patch to support SSL on the Tivoli
> The new patch follows the pattern of using apr_ldap_set_option to set
> SSL related parameters, as per the other implementations.

ldap_ssl_client_init() should be called once per process, not once per
connection.  Novell has a 1-time SSL initialization function called
from apr_ldap_ssl_init() already.
While the z/OS manual says calling into ldap_ssl_client_init()
repeatedly just produces an error, I've seen some reports that doing so
with different values (for the keyring) does have an effect (on non-z/OS,
where this SDK is equally useful).

It also struck me as a little odd that in apr_ldap_init (establish a
connection) calling apr_ldap_set_option(..., APR_LDAP_OPT_TLS) wasn't
conditional on SSL in either form being requested.

From a general 1.3 perspective, the Tivoli and z/OS LDAP SDK problem
with client certs is resolvable by allowing apr_ldap_init() to be passed
something indicating client cert selection (these SDKs must specify
the client cert "label" at connection time). Just mentioning in this
case this meshes with anything else you're looking at.

Eric Covener

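The two review points above (SSL init once per process rather than per connection, and only touching the TLS option when SSL or STARTTLS was actually requested) as an added C illustration; this is not code from the patch or from APR. The SDK call is a hypothetical stub that only counts invocations, and the keyring paths are constructed values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the IBM SDK's ldap_ssl_client_init(): it only
 * counts calls so the once-per-process guard can be checked without the library. */
static int sdk_init_calls = 0;
static int stub_ldap_ssl_client_init(const char *keyring) {
    (void)keyring;
    return ++sdk_init_calls;
}

/* Process-wide state: whether the one-time init ran, and with which keyring. */
static int ssl_initialised = 0;
static char ssl_keyring[256];

/* Returns 0 when it performed the init, 1 when already done with the same
 * keyring (harmless no-op), -1 when a later caller asks for a different keyring,
 * which is rejected because re-init may silently switch keyrings on some platforms. */
int ssl_init_once(const char *keyring) {
    if (ssl_initialised)
        return strcmp(ssl_keyring, keyring) == 0 ? 1 : -1;
    stub_ldap_ssl_client_init(keyring);
    strncpy(ssl_keyring, keyring, sizeof ssl_keyring - 1);
    ssl_keyring[sizeof ssl_keyring - 1] = '\0';
    ssl_initialised = 1;
    return 0;
}

enum { LDAP_MODE_NONE = 0, LDAP_MODE_SSL = 1, LDAP_MODE_STARTTLS = 2 };

/* Per-connection setup: the TLS option is only set when SSL/STARTTLS was asked
 * for. Returns 1 if the TLS option would be set, 0 for plain LDAP, -1 on a
 * keyring mismatch from the init guard. */
int ldap_connect_setup(int mode, const char *keyring) {
    if (mode == LDAP_MODE_NONE)
        return 0;                 /* plain LDAP: leave APR_LDAP_OPT_TLS alone */
    if (ssl_init_once(keyring) < 0)
        return -1;
    return 1;                     /* apr_ldap_set_option(..., APR_LDAP_OPT_TLS) goes here */
}

int sdk_init_call_count(void) { return sdk_init_calls; }

int main(void) {
    ldap_connect_setup(LDAP_MODE_SSL, "/etc/ldap/key.kdb");   /* constructed path */
    ldap_connect_setup(LDAP_MODE_SSL, "/etc/ldap/key.kdb");   /* second connection */
    printf("SDK init calls after two SSL connections: %d\n", sdk_init_call_count());
    return 0;
}
```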