Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 26970 invoked by uid 500); 14 Feb 2003 16:04:02 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 26959 invoked by uid 500); 14 Feb 2003 16:04:02 -0000 Delivered-To: apmail-httpd-2.0-cvs@apache.org Date: 14 Feb 2003 16:04:01 -0000 Message-ID: <20030214160401.6824.qmail@icarus.apache.org> From: bnicholes@apache.org To: httpd-2.0-cvs@apache.org Subject: cvs commit: httpd-2.0/modules/experimental util_ldap.c NWGNUutilldap NWGNUauthldap mod_auth_ldap.c X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N bnicholes 2003/02/14 08:04:01 Modified: include util_ldap.h modules/experimental util_ldap.c NWGNUutilldap NWGNUauthldap mod_auth_ldap.c Log: Added support for Novell LDAP SDK and standardized the SSL support across the various LDAP SDKs. Isolated the SSL functionality to mod_ldap rather than speading it across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA and LDAPTrustedCAType directives to allow for a more common method of specifying the SSL certificate. Revision Changes Path 1.11 +16 -13 httpd-2.0/include/util_ldap.h Index: util_ldap.h =================================================================== RCS file: /home/cvs/httpd-2.0/include/util_ldap.h,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- util_ldap.h 3 Feb 2003 17:52:54 -0000 1.10 +++ util_ldap.h 14 Feb 2003 16:04:00 -0000 1.11 @@ -126,11 +126,7 @@ const char *binddn; /* DN to bind to server (can be NULL) */ const char *bindpw; /* Password to bind to server (can be NULL) */ - int netscapessl; /* True if use Netscape SSL connection */ - const char *certdb; /* Path to Netscape CA database */ - - int starttls; /* True if StartTLS is enabled */ - int withtls; /* True if StartTLS on this connection */ + int secure; /* True if use SSL connection */ const char *reason; /* Reason for an error failure */ @@ -151,9 +147,9 @@ long compare_cache_size; /* Size (in entries) of compare cache */ struct util_ldap_connection_t *connections; -#ifdef APU_HAS_LDAP_NETSCAPE_SSL - int have_certdb; -#endif + char *cert_auth_file; + int cert_file_type; + int ssl_support; } util_ldap_state_t; @@ -166,9 +162,11 @@ * connect if already connected (ldc->ldap != NULL). Does not bind * if already bound. * @return If successful LDAP_SUCCESS is returned. - * @deffunc int util_ldap_connection_open(util_ldap_connection_t *ldc) + * @deffunc int util_ldap_connection_open(request_rec *r, + * util_ldap_connection_t *ldc) */ -LDAP_DECLARE(int) util_ldap_connection_open(util_ldap_connection_t *ldc); +LDAP_DECLARE(int) util_ldap_connection_open(request_rec *r, + util_ldap_connection_t *ldc); /** * Close a connection to an LDAP server @@ -199,8 +197,7 @@ * @param binddn The DN to bind with * @param bindpw The password to bind with * @param deref The dereferencing behavior - * @param netscapessl Start SSL on the connection using ldapssl_client_init() [0|1] - * @param starttls Start TLS using STARTTLS parameter [0|1] + * @param secure use SSL on the connection * @tip Once a connection is found and returned, a lock will be acquired to * lock that particular connection, so that another thread does not try and * use this connection while it is busy. Once you are finished with a connection, @@ -211,7 +208,7 @@ */ LDAP_DECLARE(util_ldap_connection_t *) util_ldap_connection_find(request_rec *r, const char *host, int port, const char *binddn, const char *bindpw, deref_options deref, - int netscapessl, int starttls); + int secure); /** @@ -274,6 +271,12 @@ LDAP_DECLARE(int) util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc, const char *url, const char *basedn, int scope, char **attrs, const char *filter, const char *bindpw, const char **binddn, const char ***retvals); + +/** + * Checks if SSL support is available in mod_ldap + * @deffunc int util_ldap_ssl_supported(request_rec *r) + */ +LDAP_DECLARE(int) util_ldap_ssl_supported(request_rec *r); /* from apr_ldap_cache.c */ 1.11 +367 -157 httpd-2.0/modules/experimental/util_ldap.c Index: util_ldap.c =================================================================== RCS file: /home/cvs/httpd-2.0/modules/experimental/util_ldap.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- util_ldap.c 21 Jan 2003 11:06:47 -0000 1.10 +++ util_ldap.c 14 Feb 2003 16:04:01 -0000 1.11 @@ -81,6 +81,14 @@ #error mod_ldap requires APR-util to have LDAP support built in #endif + /* defines for certificate file types + */ +#define LDAP_CA_TYPE_UNKNOWN 0 +#define LDAP_CA_TYPE_DER 1 +#define LDAP_CA_TYPE_BASE64 2 +#define LDAP_CA_TYPE_CERT7_DB 3 + + module AP_MODULE_DECLARE_DATA ldap_module; int util_ldap_handler(request_rec *r); @@ -238,138 +246,125 @@ * * Returns LDAP_SUCCESS on success; and an error code on failure */ -LDAP_DECLARE(int) util_ldap_connection_open(util_ldap_connection_t *ldc) +LDAP_DECLARE(int) util_ldap_connection_open(request_rec *r, + util_ldap_connection_t *ldc) { int result = 0; int failures = 0; + int version = LDAP_VERSION3; + util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config( + r->server->module_config, &ldap_module); -start_over: - if (failures++ > 10) { - /* too many failures - leave */ - return result; + /* If the connection is already bound, return + */ + if (ldc->bound) + { + ldc->reason = "LDAP: connection open successful (already bound)"; + return LDAP_SUCCESS; } - if (!ldc->ldap) { - ldc->bound = 0; - - /* opening connection to LDAP server */ - if ((ldc->ldap = ldap_init(ldc->host, ldc->port)) == NULL) { - /* couldn't connect */ - ldc->reason = "ldap_init() failed"; - return -1; + /* create the ldap session handle + */ + if (NULL == ldc->ldap) + { + /* clear connection requested */ + if (!ldc->secure) + { + ldc->ldap = ldap_init(const_cast(ldc->host), ldc->port); } - - /* add the cleanup to the pool */ - apr_pool_cleanup_register(ldc->pool, ldc, - util_ldap_connection_destroy, - apr_pool_cleanup_null); - -#if LDAP_VENDOR_VERSION >= 20000 - /* set protocol version 3 on this connection */ + else /* ssl connnection requested */ { - int version = LDAP_VERSION3; + /* check configuration to make sure it supports SSL + */ + if (st->ssl_support) + { + #if APR_HAS_LDAP_SSL + + #if APR_HAS_NOVELL_LDAPSDK + ldc->ldap = ldapssl_init(ldc->host, ldc->port, 1); + + #elif APR_HAS_NETSCAPE_LDAPSDK + ldc->ldap = ldapssl_init(ldc->host, ldc->port, 1); + + #elif APR_HAS_OPENLDAP_LDAPSDK + ldc->ldap = ldap_init(ldc->host, ldc->port); + if (NULL != ldc->ldap) + { + int SSLmode = LDAP_OPT_X_TLS_HARD; + result = ldap_set_option(ldc->ldap, LDAP_OPT_X_TLS, &SSLmode); + if (LDAP_SUCCESS != result) + { + ldap_unbind_s(ldc->ldap); + ldc->reason = "LDAP: ldap_set_option - LDAP_OPT_X_TLS_HARD failed"; + ldc->ldap = NULL; + } + } + + #elif APR_HAS_MICROSOFT_LDAPSDK + ldc->ldap = ldap_sslinit(const_cast(ldc->host), ldc->port, 1); - if ((result = ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, - &version)) != LDAP_SUCCESS) { - /* setting LDAP version failed - ignore error */ + #else + ldc->reason = "LDAP: ssl connections not supported"; + #endif /* APR_HAS_NOVELL_LDAPSDK */ + + #endif /* APR_HAS_LDAP_SSL */ } + else + ldc->reason = "LDAP: ssl connections not supported"; } -#endif - /* Set the alias dereferencing option */ -#if LDAP_VERSION_MAX == 2 - ldc->ldap->ld_deref = ldc->deref; -#else - result = ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref)); - if (result != LDAP_SUCCESS) { - /* setting LDAP dereference option failed */ - /* we ignore this error */ + if (NULL == ldc->ldap) + { + ldc->bound = 0; + if (NULL == ldc->reason) + ldc->reason = "LDAP: ldap initialization failed"; + return(-1); } -#endif /* LDAP_VERSION_MAX */ -#ifdef APU_HAS_LDAP_NETSCAPE_SSL - if (ldc->netscapessl) { - if (!ldc->certdb) { - /* secure LDAP requested, but no CA cert defined */ - ldc->reason = "secure LDAP requested, but no CA cert defined"; - return -1; - } else { - result = ldapssl_install_routines(ldc->ldap); - if (result != LDAP_SUCCESS) { - /* SSL initialisation failed */ - ldc->reason = "ldapssl_install_routines() failed"; - return result; - } - result = ldap_set_option(ldc->ldap, LDAP_OPT_SSL, LDAP_OPT_ON); - if (result != LDAP_SUCCESS) { - /* SSL option failed */ - ldc->reason = "ldap_set_option() failed trying to set LDAP_OPT_SSL"; - return result; - } - } - } -#endif /* APU_HAS_LDAP_NETSCAPE_SSL */ + /* Set the alias dereferencing option */ + ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref)); -#ifdef APU_HAS_LDAP_STARTTLS - if (ldc->starttls) { - /* LDAP protocol version 3 is required for TLS */ - - /* - * In util_ldap_connection_find, we compare ldc->withtls to - * sec->starttls to see if we have a cache match. On the off - * chance that apache's config processing rotines set starttls to - * some other true value besides 1, we set it to 1 here to ensure - * that the comparison succeeds. - */ - ldc->starttls = 1; - - result = ldap_start_tls_s(ldc->ldap, NULL, NULL); - if (result != LDAP_SUCCESS) { - /* start TLS failed */ - ldc->withtls = 0; - ldc->reason = "ldap_start_tls_s() failed"; - return result; - } - ldc->withtls = 1; - } else { - ldc->withtls = 0; - } -#endif /* APU_HAS_LDAP_STARTTLS */ - } + /* always default to LDAP V3 */ + ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version); - /* - * At this point the LDAP connection is guaranteed alive. If bound says - * that we're bound already, we can just return. - */ - if (ldc->bound) { - ldc->reason = "LDAP connection open successful (already bound)"; - return LDAP_SUCCESS; - } - /* - * Now bind with the username/password provided by the - * configuration. It will be an anonymous bind if no u/p was - * provided. - */ - if ((result = ldap_simple_bind_s(ldc->ldap, ldc->binddn, ldc->bindpw)) - == LDAP_SERVER_DOWN) { - /* couldn't connect - try again */ - ldc->reason = "ldap_simple_bind_s() failed with server down"; - goto start_over; + /* add the cleanup to the pool */ + apr_pool_cleanup_register(ldc->pool, ldc, + util_ldap_connection_destroy, + apr_pool_cleanup_null); } - if (result != LDAP_SUCCESS) { - /* LDAP fatal error occured */ - ldc->reason = "ldap_simple_bind_s() failed"; - return result; + + /* loop trying to bind up to 10 times if LDAP_SERVER_DOWN error is + * returned. Break out of the loop on Success or any other error. + * + * NOTE: Looping is probably not a great idea. If the server isn't + * responding the chances it will respond after a few tries are poor. + * However, the original code looped and it only happens on + * the error condition. + */ + for (failures=0; failures<10; failures++) + { + result = ldap_simple_bind_s(ldc->ldap, const_cast(ldc->binddn), const_cast(ldc->bindpw)); + if (LDAP_SERVER_DOWN != result) + break; } - /* note how we are bound */ ldc->bound = 1; + ldc->reason = "LDAP: connection open successful"; - ldc->reason = "LDAP connection open successful"; - return LDAP_SUCCESS; + /* free the handle if there was an error + */ + if (LDAP_SUCCESS != result) + { + ldap_unbind_s(ldc->ldap); + ldc->ldap = NULL; + ldc->bound = 0; + ldc->reason = "LDAP: ldap_simple_bind_s() failed"; + } + + return(result); } @@ -383,7 +378,7 @@ */ LDAP_DECLARE(util_ldap_connection_t *)util_ldap_connection_find(request_rec *r, const char *host, int port, const char *binddn, const char *bindpw, deref_options deref, - int netscapessl, int starttls) + int secure ) { struct util_ldap_connection_t *l, *p; /* To traverse the linked list */ @@ -414,12 +409,7 @@ && ( (!l->binddn && !binddn) || (l->binddn && binddn && !strcmp(l->binddn, binddn)) ) && ( (!l->bindpw && !bindpw) || (l->bindpw && bindpw && !strcmp(l->bindpw, bindpw)) ) && l->deref == deref -#ifdef APU_HAS_LDAP_NETSCAPE_SSL - && l->netscapessl == netscapessl -#endif -#ifdef APU_HAS_LDAP_STARTTLS - && l->withtls == starttls -#endif + && l->secure == secure ) break; p = l; @@ -438,12 +428,7 @@ l->port == port && strcmp(l->host, host) == 0 && l->deref == deref -#ifdef APU_HAS_LDAP_NETSCAPE_SSL - && l->netscapessl == netscapessl -#endif -#ifdef APU_HAS_LDAP_STARTTLS - && l->withtls == starttls -#endif + && l->secure == secure ) { /* the bind credentials have changed */ l->bound = 0; @@ -481,9 +466,7 @@ l->deref = deref; l->binddn = apr_pstrdup(st->pool, binddn); l->bindpw = apr_pstrdup(st->pool, bindpw); - l->netscapessl = netscapessl; - l->starttls = starttls; - l->withtls = 0; + l->secure = secure; if (p) { p->next = l; @@ -577,7 +560,7 @@ } /* make a server connection */ - if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { + if (LDAP_SUCCESS != (result = util_ldap_connection_open(r, ldc))) { /* connect to server failed */ return result; } @@ -703,13 +686,12 @@ /* too many failures */ return result; } - if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { + if (LDAP_SUCCESS != (result = util_ldap_connection_open(r, ldc))) { /* connect failed */ return result; } - if ((result = ldap_compare_s(ldc->ldap, const_cast(dn), - const_cast(attrib), const_cast(value))) + if ((result = ldap_compare_s(ldc->ldap, const_cast(dn), const_cast(attrib), const_cast(value))) == LDAP_SERVER_DOWN) { /* connection failed - try again */ util_ldap_connection_close(ldc); @@ -819,14 +801,14 @@ if (failures++ > 10) { return result; } - if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { + if (LDAP_SUCCESS != (result = util_ldap_connection_open(r, ldc))) { return result; } /* try do the search */ if ((result = ldap_search_ext_s(ldc->ldap, - basedn, scope, - filter, attrs, 0, + const_cast(basedn), scope, + const_cast(filter), attrs, 0, NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) { ldc->reason = "ldap_search_ext_s() for user failed with server down"; goto start_over; @@ -843,9 +825,13 @@ * number is an error. */ count = ldap_count_entries(ldc->ldap, res); - if (count != 1) { + if (count != 1) + { + if (count == 0 ) + ldc->reason = "User not found"; + else + ldc->reason = "User is not unique (search found two or more matches)"; ldap_msgfree(res); - ldc->reason = "User is not unique (search found two or more matches)"; return LDAP_NO_SUCH_OBJECT; } @@ -875,15 +861,17 @@ * exists, since we just retrieved it) */ if ((result = - ldap_simple_bind_s(ldc->ldap, *binddn, bindpw)) == + ldap_simple_bind_s(ldc->ldap, const_cast(*binddn), const_cast(bindpw))) == LDAP_SERVER_DOWN) { ldc->reason = "ldap_simple_bind_s() to check user credentials failed with server down"; + ldap_msgfree(res); goto start_over; } /* failure? if so - return */ if (result != LDAP_SUCCESS) { ldc->reason = "ldap_simple_bind_s() to check user credentials failed"; + ldap_msgfree(res); return result; } @@ -905,6 +893,7 @@ str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL) : apr_pstrdup(r->pool, values[j]); j++; } + ldap_value_free(values); vals[i] = str; i++; } @@ -928,6 +917,18 @@ return LDAP_SUCCESS; } +/* + * Reports if ssl support is enabled + * + * 1 = enabled, 0 = not enabled + */ +LDAP_DECLARE(int) util_ldap_ssl_supported(request_rec *r) +{ + util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config( + r->server->module_config, &ldap_module); + + return(st->ssl_support); +} /* ---------------------------------------- */ @@ -1016,26 +1017,47 @@ return NULL; } -#ifdef APU_HAS_LDAP_NETSCAPE_SSL -static const char *util_ldap_set_certdbpath(cmd_parms *cmd, void *dummy, const char *path) +static const char *util_ldap_set_cert_auth(cmd_parms *cmd, void *dummy, const char *file) { util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, &ldap_module); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, - "[%d] ldap cache: Setting LDAP SSL client certificate dbpath to %s.", - getpid(), path); + "LDAP: SSL trusted certificate authority file - %s", + file); - st->have_certdb = 1; - if (ldapssl_client_init(path, NULL) != 0) { - return "Could not initialize SSL client"; - } - else { - return NULL; - } + st->cert_auth_file = apr_pstrdup(cmd->pool, file); + + return(NULL); } -#endif + + +const char *util_ldap_set_cert_type(cmd_parms *cmd, void *dummy, const char *Type) +{ + util_ldap_state_t *st = + (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, + &ldap_module); + + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, + "LDAP: SSL trusted certificate authority file type - %s", + Type); + + if (0 == strcmp("DER_FILE", Type)) + st->cert_file_type = LDAP_CA_TYPE_DER; + + else if (0 == strcmp("BASE64_FILE", Type)) + st->cert_file_type = LDAP_CA_TYPE_BASE64; + + else if (0 == strcmp("CERT7_DB_PATH", Type)) + st->cert_file_type = LDAP_CA_TYPE_CERT7_DB; + + else + st->cert_file_type = LDAP_CA_TYPE_UNKNOWN; + + return(NULL); +} + void *util_ldap_create_config(apr_pool_t *p, server_rec *s) { @@ -1049,11 +1071,10 @@ st->search_cache_size = 1024; st->compare_cache_ttl = 600000000; st->compare_cache_size = 1024; - st->connections = NULL; -#ifdef APU_HAS_LDAP_NETSCAPE_SSL - st->have_certdb = 0; -#endif + st->cert_auth_file = NULL; + st->cert_file_type = LDAP_CA_TYPE_UNKNOWN; + st->ssl_support = 0; return st; } @@ -1074,6 +1095,191 @@ } +static apr_status_t util_ldap_cleanup_module(void *data) +{ + server_rec *s = data; + + util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config( + s->module_config, &ldap_module); + + #if APR_HAS_LDAP_SSL + #if APR_HAS_NOVELL_LDAPSDK + if (st->ssl_support) + ldapssl_client_deinit(); + #endif + #endif + + return(APR_SUCCESS); +} + +static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, + apr_pool_t *ptemp, server_rec *s) +{ + int rc = LDAP_SUCCESS; + + util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config( + s->module_config, + &ldap_module); + + /* log the LDAP SDK used + */ + #if APR_HAS_NETSCAPE_LDAPSDK + + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, + "LDAP: Built with Netscape LDAP SDK" ); + + #elif APR_HAS_NOVELL_LDAPSDK + + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, + "LDAP: Built with Novell LDAP SDK" ); + + #elif APR_HAS_OPENLDAP_LDAPSDK + + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, + "LDAP: Built with OpenLDAP LDAP SDK" ); + + #elif APR_HAS_MICROSOFT_LDAPSDK + + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, + "LDAP: Built with Microsoft LDAP SDK" ); + #else + + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, + "LDAP: Built with unknown LDAP SDK" ); + + #endif /* APR_HAS_NETSCAPE_LDAPSDK */ + + + + apr_pool_cleanup_register(p, s, util_ldap_cleanup_module, + util_ldap_cleanup_module); + + /* initialize SSL support if requested + */ + if (st->cert_auth_file) + { + #if APR_HAS_LDAP_SSL /* compiled with ssl support */ + + #if APR_HAS_NETSCAPE_LDAPSDK + + /* Netscape sdk only supports a cert7.db file + */ + if (st->cert_file_type == LDAP_CA_TYPE_CERT7_DB) + { + rc = ldapssl_client_init(st->cert_auth_file, NULL); + } + else + { + ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, + "LDAP: Invalid LDAPTrustedCAType directive - " + "CERT7_DB_PATH type required"); + rc = -1; + } + + #elif APR_HAS_NOVELL_LDAPSDK + + /* Novell SDK supports DER or BASE64 files + */ + if (st->cert_file_type == LDAP_CA_TYPE_DER || + st->cert_file_type == LDAP_CA_TYPE_BASE64 ) + { + rc = ldapssl_client_init(NULL, NULL); + if (LDAP_SUCCESS == rc) + { + if (st->cert_file_type == LDAP_CA_TYPE_BASE64) + rc = ldapssl_add_trusted_cert(st->cert_auth_file, + LDAPSSL_CERT_FILETYPE_B64); + else + rc = ldapssl_add_trusted_cert(st->cert_auth_file, + LDAPSSL_CERT_FILETYPE_DER); + + if (LDAP_SUCCESS != rc) + ldapssl_client_deinit(); + } + } + else + { + ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, + "LDAP: Invalid LDAPTrustedCAType directive - " + "DER_FILE or BASE64_FILE type required"); + rc = -1; + } + + #elif APR_HAS_OPENLDAP_LDAPSDK + + /* OpenLDAP SDK supports BASE64 files + */ + if (st->cert_file_type == LDAP_CA_TYPE_BASE64) + { + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, st->cert_auth_file); + } + else + { + ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, + "LDAP: Invalid LDAPTrustedCAType directive - " + "BASE64_FILE type required"); + rc = -1; + } + + + #elif APR_HAS_MICROSOFT_LDAPSDK + + /* Microsoft SDK use the registry certificate store - always + * assume support is always available + */ + rc = LDAP_SUCCESS; + + #else + rc = -1; + #endif /* APR_HAS_NETSCAPE_LDAPSDK */ + + #else /* not compiled with SSL Support */ + + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, + "LDAP: Not built with SSL support." ); + rc = -1; + + #endif /* APR_HAS_LDAP_SSL */ + + if (LDAP_SUCCESS == rc) + { + st->ssl_support = 1; + } + else + { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "LDAP: SSL initialization failed"); + st->ssl_support = 0; + } + } + + /* The Microsoft SDK uses the registry certificate store - + * always assume support is available + */ + #if APR_HAS_MICROSOFT_LDAPSDK + st->ssl_support = 1; + #endif + + + /* log SSL status - If SSL isn't available it isn't necessarily + * an error because the modules asking for LDAP connections + * may not ask for SSL support + */ + if (st->ssl_support) + { + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, + "LDAP: SSL support available" ); + } + else + { + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, + "LDAP: SSL support unavailable" ); + } + + return(OK); +} + + command_rec util_ldap_cmds[] = { AP_INIT_TAKE1("LDAPSharedCacheSize", util_ldap_set_cache_bytes, NULL, RSRC_CONF, "Sets the size of the shared memory cache in bytes. " @@ -1097,18 +1303,22 @@ "Sets the maximum time (in seconds) that an item is cached in the LDAP " "operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."), -#ifdef APU_HAS_LDAP_NETSCAPE_SSL - AP_INIT_TAKE1("LDAPCertDBPath", util_ldap_set_certdbpath, NULL, RSRC_CONF, - "Specifies the file containing Certificate Authority certificates " - "for validating secure LDAP server certificates. This file must be the " - "cert7.db database used by Netscape Communicator"), -#endif - + AP_INIT_TAKE1("LDAPTrustedCA", util_ldap_set_cert_auth, NULL, RSRC_CONF, + "Sets the file containing the trusted Certificate Authority certificate. " + "Used to validate the LDAP server certificate for SSL connections."), + + AP_INIT_TAKE1("LDAPTrustedCAType", util_ldap_set_cert_type, NULL, RSRC_CONF, + "Specifies the type of the Certificate Authority file. " + "The following types are supported: " + " DER_FILE - file in binary DER format " + " BASE64_FILE - file in Base64 format " + " CERT7_DB_PATH - Netscape certificate database file "), {NULL} }; static void util_ldap_register_hooks(apr_pool_t *p) { + ap_hook_post_config(util_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE); ap_hook_child_init(util_ldap_init_module, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_handler(util_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE); } 1.8 +3 -0 httpd-2.0/modules/experimental/NWGNUutilldap Index: NWGNUutilldap =================================================================== RCS file: /home/cvs/httpd-2.0/modules/experimental/NWGNUutilldap,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- NWGNUutilldap 22 Jan 2003 16:34:37 -0000 1.7 +++ NWGNUutilldap 14 Feb 2003 16:04:01 -0000 1.8 @@ -21,6 +21,7 @@ $(AP_WORK)/srclib/apr/include \ $(AP_WORK)/srclib/apr-util/include \ $(AP_WORK)/srclib/apr \ + $(LDAPSDK)/inc \ $(EOLIST) # @@ -212,6 +213,7 @@ @$(NWOS)/httpd.imp \ @libc.imp \ @$(LDAPSDK)/imports/lldapsdk.imp \ + @$(LDAPSDK)/imports/lldapssl.imp \ $(EOLIST) # @@ -225,6 +227,7 @@ util_ldap_cache_checkuserid \ util_ldap_cache_compare \ util_ldap_cache_comparedn \ + util_ldap_ssl_supported \ $(EOLIST) # 1.10 +1 -0 httpd-2.0/modules/experimental/NWGNUauthldap Index: NWGNUauthldap =================================================================== RCS file: /home/cvs/httpd-2.0/modules/experimental/NWGNUauthldap,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- NWGNUauthldap 6 Feb 2003 19:15:29 -0000 1.9 +++ NWGNUauthldap 14 Feb 2003 16:04:01 -0000 1.10 @@ -21,6 +21,7 @@ $(AP_WORK)/srclib/apr/include \ $(AP_WORK)/srclib/apr-util/include \ $(AP_WORK)/srclib/apr \ + $(LDAPSDK)/inc \ $(EOLIST) # 1.12 +34 -30 httpd-2.0/modules/experimental/mod_auth_ldap.c Index: mod_auth_ldap.c =================================================================== RCS file: /home/cvs/httpd-2.0/modules/experimental/mod_auth_ldap.c,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- mod_auth_ldap.c 21 Jan 2003 10:53:09 -0000 1.11 +++ mod_auth_ldap.c 14 Feb 2003 16:04:01 -0000 1.12 @@ -116,8 +116,7 @@ int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise, it's the exact string passed by the HTTP client */ - int netscapessl; /* True if Netscape SSL is enabled */ - int starttls; /* True if StartTLS is enabled */ + int secure; /* True if SSL connections are requested */ } mod_auth_ldap_config_t; typedef struct mod_auth_ldap_request_t { @@ -331,7 +330,7 @@ if (sec->host) { ldc = util_ldap_connection_find(r, sec->host, sec->port, sec->binddn, sec->bindpw, sec->deref, - sec->netscapessl, sec->starttls); + sec->secure); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, @@ -469,7 +468,7 @@ if (sec->host) { ldc = util_ldap_connection_find(r, sec->host, sec->port, sec->binddn, sec->bindpw, sec->deref, - sec->netscapessl, sec->starttls); + sec->secure); apr_pool_cleanup_register(r->pool, ldc, mod_auth_ldap_cleanup_connection_close, apr_pool_cleanup_null); @@ -712,8 +711,7 @@ sec->group_attrib_is_dn = 1; sec->frontpage_hack = 0; - sec->netscapessl = 0; - sec->starttls = 0; + sec->secure = 0; sec->user_is_dn = 0; sec->compare_dn_on_server = 0; @@ -819,27 +817,22 @@ else { sec->filter = "objectclass=*"; } - if (strncmp(url, "ldaps", 5) == 0) { - ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, - cmd->server, "[%d] auth_ldap parse url: requesting secure LDAP", getpid()); -#ifdef APU_HAS_LDAP_STARTTLS - sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT; - sec->starttls = 1; -#else -#ifdef APU_HAS_LDAP_NETSCAPE_SSL + + /* "ldaps" indicates secure ldap connections desired + */ + if (strnicmp(url, "ldaps", 5) == 0) + { + sec->secure = 1; sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT; - sec->netscapessl = 1; -#else - return "Secure LDAP (ldaps://) not supported. Rebuild APR-Util"; -#endif -#endif + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, + "LDAP: auth_ldap using SSL connections"); } - else { - ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, - cmd->server, "[%d] auth_ldap parse url: not requesting secure LDAP", getpid()); - sec->netscapessl = 0; - sec->starttls = 0; + else + { + sec->secure = 0; sec->port = urld->lud_port? urld->lud_port : LDAP_PORT; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, + "LDAP: auth_ldap not using SSL connections"); } sec->have_ldap_url = 1; @@ -891,6 +884,7 @@ return NULL; } + command_rec mod_auth_ldap_cmds[] = { AP_INIT_TAKE1("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG, "URL to define LDAP connection. This should be an RFC 2255 complaint\n" @@ -969,12 +963,6 @@ "Character set conversion configuration file. If omitted, character set" "conversion is disabled."), -#ifdef APU_HAS_LDAP_STARTTLS - AP_INIT_FLAG("AuthLDAPStartTLS", ap_set_flag_slot, - (void *)APR_OFFSETOF(mod_auth_ldap_config_t, starttls), OR_AUTHCFG, - "Set to 'on' to start TLS after connecting to the LDAP server."), -#endif /* APU_HAS_LDAP_STARTTLS */ - {NULL} }; @@ -985,6 +973,22 @@ const char *charset_confname = ap_get_module_config(s->module_config, &auth_ldap_module); apr_status_t status; + + /* + mod_auth_ldap_config_t *sec = (mod_auth_ldap_config_t *) + ap_get_module_config(s->module_config, + &auth_ldap_module); + + if (sec->secure) + { + if (!util_ldap_ssl_supported(s)) + { + ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, + "LDAP: SSL connections (ldaps://) not supported by utilLDAP"); + return(!OK); + } + } + */ if (!charset_confname) { return OK;