From bnicho...@apache.org
Subject svn commit: r169705 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c
Date Wed, 11 May 2005 22:34:20 GMT
Author: bnicholes
Date: Wed May 11 15:34:18 2005
New Revision: 169705

URL: http://svn.apache.org/viewcvs?rev=169705&view=rev
Log:
Add the LDAPVerifyServerCert directive to util_ldap to force
verification of the server's certificate when establishing an SSL connection
to the LDAP server

Modified:
    httpd/httpd/trunk/include/util_ldap.h
    httpd/httpd/trunk/modules/ldap/util_ldap.c

Modified: httpd/httpd/trunk/include/util_ldap.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/include/util_ldap.h?rev=169705&r1=169704&r2=169705&view=diff
==============================================================================
--- httpd/httpd/trunk/include/util_ldap.h (original)
+++ httpd/httpd/trunk/include/util_ldap.h Wed May 11 15:34:18 2005
@@ -131,6 +131,7 @@
     void *util_ldap_cache;
     char *lock_file;           /* filename for shm lock mutex */
     long  connectionTimeout;
+    int   verify_svr_cert;
 
 } util_ldap_state_t;
 
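Review bot: The new verify_svr_cert member carries no comment, while the neighbouring lock_file member on the line above documents its purpose; nothing in the header says the field is a flag set by a directive or how it is consumed. A short trailing comment keeps the struct self-describing, e.g. `int   verify_svr_cert;     /* verify the LDAP server cert on SSL/TLS connect; set by LDAPVerifyServerCert */`. The util_ldap_state_t definition starts outside the hunk.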

Modified: httpd/httpd/trunk/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ldap/util_ldap.c?rev=169705&r1=169704&r2=169705&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ldap/util_ldap.c (original)
+++ httpd/httpd/trunk/modules/ldap/util_ldap.c Wed May 11 15:34:18 2005
@@ -330,6 +330,9 @@
         /* always default to LDAP V3 */
         ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
 
+        apr_ldap_set_option(ldc->pool, ldc->ldap, 
+                            APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result));
+
 #ifdef LDAP_OPT_NETWORK_TIMEOUT
         if (st->connectionTimeout > 0) {
             timeOut.tv_sec = st->connectionTimeout;
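Review bot: The return value of the added apr_ldap_set_option call is discarded and `result` is never inspected afterwards, so if the underlying SDK cannot honour APR_LDAP_OPT_VERIFY_CERT the connection goes ahead exactly as if verification had been enabled, which is the opposite of what an administrator who left the directive at its default expects. Capture the status and take the function's existing failure path when it is not APR_SUCCESS, e.g. `if (apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result)) != APR_SUCCESS) {` followed by an ap_log_error that reports result->reason (presumably result is the function's apr_ldap_err_t *; confirm) and the same error return the neighbouring option code uses. The trailing whitespace after `ldc->ldap,` on the first added line should also go. The enclosing connection-open function starts and ends outside the hunk.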
@@ -1556,7 +1559,6 @@
                          cert->path == NULL ? file : cert->path);
             return "Invalid global certificate file path";
         }
-
     }
 
     return(NULL);
@@ -1684,6 +1686,24 @@
     return(NULL);
 }
 
+static const char *util_ldap_set_verify_srv_cert(cmd_parms *cmd, 
+                                                 void *dummy, 
+                                                 int mode)
+{
+    util_ldap_state_t *st =
+    (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
+                                              &ldap_module);
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
+                      "LDAP: SSL verify server certificate - %s", 
+                      mode?"TRUE":"FALSE");
+
+    st->verify_svr_cert = mode;
+
+    return(NULL);
+}
+
+
 static const char *util_ldap_set_connection_timeout(cmd_parms *cmd, 
                                                     void *dummy, 
                                                     const char *ttl)
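Review bot: util_ldap_set_verify_srv_cert has no comment stating what it records or where the stored flag is consumed, so a reader has to trace verify_svr_cert through the connection code to learn that it only matters for SSL/STARTTLS connections. A header comment such as `/* LDAPVerifyServerCert handler: store in the per-server util_ldap state whether the LDAP server's certificate must be verified when a secure connection is opened (default on). */` above the function would cover that. As a point of style, the continuation lines of the ap_log_error call are indented past the opening parenthesis rather than aligned with the first argument the way the ap_get_module_config call in the same function is. The rest of the function is fully inside the hunk.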
@@ -1732,6 +1752,7 @@
     st->secure = APR_LDAP_NONE;
     st->secure_set = 0;
     st->connectionTimeout = 10;
+    st->verify_svr_cert = 1;
 
     return st;
 }
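Review bot: The secure default `st->verify_svr_cert = 1;` is explained only in the directive help string elsewhere in the file, so someone reading the config constructor cannot tell whether 1 was chosen deliberately or is a placeholder. A one-line comment next to the assignment keeps the intent with the value, e.g. `st->verify_svr_cert = 1;   /* verify the LDAP server certificate unless LDAPVerifyServerCert Off */`. The enclosing create-config function starts outside the hunk.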
@@ -2013,6 +2034,11 @@
                   NULL, RSRC_CONF,
                   "Specify the type of security that should be applied to "
                   "an LDAP connection. One of; NONE, SSL or STARTTLS."),
+
+    AP_INIT_FLAG("LDAPVerifyServerCert", util_ldap_set_verify_srv_cert, 
+                  NULL, RSRC_CONF,
+                  "Set to 'ON' requires that the server certificate be verified "
+                  "before a secure LDAP connection can be establish.  Default 'ON'"),
 
     AP_INIT_TAKE1("LDAPConnectionTimeout", util_ldap_set_connection_timeout, 
                   NULL, RSRC_CONF,
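Review bot: The help text for LDAPVerifyServerCert has a typo ("can be establish") and an awkward opening clause, and this string is what `httpd -L` shows administrators deciding whether to turn verification off. Replace the two string fragments with `"When set to 'ON', the server certificate must be verified "` and `"before a secure LDAP connection can be established. Default 'ON'"`. The command table continues outside the hunk.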


