httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cove...@apache.org
Subject svn commit: r915660 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ldap.xml include/ap_mmn.h modules/ldap/util_ldap.c
Date Wed, 24 Feb 2010 04:02:06 GMT
Author: covener
Date: Wed Feb 24 04:02:06 2010
New Revision: 915660

URL: http://svn.apache.org/viewvc?rev=915660&view=rev
Log:
make some sense of the difference between "Client" and "Global" certs in mod_ldap.
PR46541

Submitted By: Paul Reder, Eric Covener
Reviewed By: Eric Covener


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml
    httpd/httpd/trunk/include/ap_mmn.h
    httpd/httpd/trunk/modules/ldap/util_ldap.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=915660&r1=915659&r2=915660&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Feb 24 04:02:06 2010
@@ -2,6 +2,13 @@
 
 Changes with Apache 2.3.7
 
+  *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
+     setting only, matching most of the documentation and examples. 
+     PR 46541 [Paul Reder, Eric Covener] 
+
+  *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument 
+     types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
+
   *) mod_negotiation: Preserve query string over multiviews negotiation.
      This buglet was fixed for type maps in 2.2.6, but the same issue
      affected multiviews and was overlooked.

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml?rev=915660&r1=915659&r2=915660&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml Wed Feb 24 04:02:06 2010
@@ -349,8 +349,10 @@
         SDK to work correctly. These certificates can be specified as
         binary DER or Base64 (PEM) encoded files.</p>
 
-        <p>Client certificates are specified per connection using the
-        LDAPTrustedClientCert directive.</p>
+        <p>Both CA and client certificates may be specified globally
+        (LDAPTrustedGlobalCert) or per-connection (LDAPTrustedClientCert).  
+        When any settings are specified per-connection, the global 
+        settings are superceded.</p>
 
         <p>The documentation for the SDK claims to support both SSL and
         STARTTLS, however STARTTLS does not seem to work on all versions
@@ -372,6 +374,9 @@
                 Allow from yourdomain.example.com<br />
                 LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
                 LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem<br />
+                # CA certs respecified due to per-directory client certs<br />
+                LDAPTrustedClientCert CA_DER /certs/cacert1.der<br />
+                LDAPTrustedClientCert CA_BASE64 /certs/cacert2.pem<br />
                 Satisfy any<br />
                 AuthType Basic<br />
                 AuthName "LDAP Protected"<br />
@@ -575,8 +580,7 @@
 connection client certificate. Not all LDAP toolkits support per
 connection client certificates.</description>
 <syntax>LDAPTrustedClientCert <var>type</var> <var>directory-path/filename/nickname</var>
<var>[password]</var></syntax>
-<contextlist><context>server config</context><context>virtual host</context>
-<context>directory</context><context>.htaccess</context></contextlist>
+<contextlist><context>directory</context><context>.htaccess</context></contextlist>
 
 <usage>
     <p>It specifies the directory path, file name or nickname of a
@@ -591,6 +595,8 @@
     The type specifies the kind of certificate parameter being
     set, depending on the LDAP toolkit being used. Supported types are:</p>
     <ul>
+      <li>CA_DER - binary DER encoded CA certificate</li>
+      <li>CA_BASE64 - PEM encoded CA certificate</li>
       <li>CERT_DER - binary DER encoded client certificate</li>
       <li>CERT_BASE64 - PEM encoded client certificate</li>
       <li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li>

Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=915660&r1=915659&r2=915660&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Wed Feb 24 04:02:06 2010
@@ -217,15 +217,16 @@
  * 20100208.0 (2.3.6-dev)  ap_socache_provider_t API changes to store and iterate
  * 20100208.1 (2.3.6-dev)  Added forward member to proxy_conn_rec
  * 20100208.2 (2.3.7-dev)  Added ap_log_command_line().
+ * 20100223.1 (2.3.7-dev)  LDAP client_certs per-server moved to per-dir
  *
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
 
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20100208
+#define MODULE_MAGIC_NUMBER_MAJOR 20100223
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 2                     /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 1                     /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

Modified: httpd/httpd/trunk/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap.c?rev=915660&r1=915659&r2=915660&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ldap/util_ldap.c (original)
+++ httpd/httpd/trunk/modules/ldap/util_ldap.c Wed Feb 24 04:02:06 2010
@@ -686,7 +686,7 @@
             && ((!l->bindpw && !bindpw) || (l->bindpw && bindpw
                                              && !strcmp(l->bindpw, bindpw)))
             && (l->deref == deref) && (l->secure == secureflag)
-            && !compare_client_certs(st->client_certs, l->client_certs))
+            && !compare_client_certs(dc->client_certs, l->client_certs))
         {
             break;
         }
@@ -711,7 +711,7 @@
 #endif
             if ((l->port == port) && (strcmp(l->host, host) == 0) &&
                 (l->deref == deref) && (l->secure == secureflag) &&
-                !compare_client_certs(st->client_certs, l->client_certs))
+                !compare_client_certs(dc->client_certs, l->client_certs))
             {
                 /* the bind credentials have changed */
                 l->bound = 0;
@@ -779,7 +779,7 @@
         l->secure = secureflag;
 
         /* save away a copy of the client cert list that is presently valid */
-        l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);
+        l->client_certs = apr_array_copy_hdr(l->pool, dc->client_certs);
 
         l->keep = 1;
 
@@ -2300,9 +2300,7 @@
                                                      const char *file,
                                                      const char *password)
 {
-    util_ldap_state_t *st =
-        (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
-                                                  &ldap_module);
+    util_ldap_config_t *dc =  config;
     apr_finfo_t finfo;
     apr_status_t rv;
     int cert_type = 0;
@@ -2314,21 +2312,21 @@
         if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
             return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
                                            "not recognised. It should be one "
-                                           "of CERT_DER, CERT_BASE64, "
-                                           "CERT_NICKNAME, CERT_PFX,"
+                                           "of CA_DER, CA_BASE64, "
+                                           "CERT_DER, CERT_BASE64, "
+                                           "CERT_NICKNAME, CERT_PFX, "
                                            "KEY_DER, KEY_BASE64, KEY_PFX",
                                            type);
         }
-        else if (APR_LDAP_CA_TYPE_DER == cert_type ||
-                 APR_LDAP_CA_TYPE_BASE64 == cert_type ||
-                 APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||
+        else if ( APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||
                  APR_LDAP_CA_TYPE_SECMOD == cert_type ||
                  APR_LDAP_CERT_TYPE_PFX == cert_type ||
                  APR_LDAP_CERT_TYPE_KEY3_DB == cert_type) {
             return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
                                            "only valid within a "
                                            "LDAPTrustedGlobalCert directive. "
-                                           "Only CERT_DER, CERT_BASE64, "
+                                           "Only CA_DER, CA_BASE64, "
+                                           "CERT_DER, CERT_BASE64, "
                                            "CERT_NICKNAME, KEY_DER, and "
                                            "KEY_BASE64 may be used.", type);
         }
@@ -2341,8 +2339,8 @@
                       "LDAP: SSL trusted client cert - %s (type %s)",
                        file, type);
 
-    /* add the certificate to the global array */
-    cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
+    /* add the certificate to the client array */
+    cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(dc->client_certs);
     cert->type = cert_type;
     cert->path = file;
     cert->password = password;
@@ -2520,6 +2518,7 @@
        (util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
 
    /* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */
+   dc->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
    dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
    dc->ReferralHopLimit = AP_LDAP_HOPLIMIT_UNSET;
 
@@ -2598,7 +2597,6 @@
     st->connections = NULL;
     st->ssl_supported = 0;
     st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
-    st->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
     st->secure = APR_LDAP_NONE;
     st->secure_set = 0;
     st->connectionTimeout = 10;
@@ -2635,8 +2633,6 @@
     st->ssl_supported = 0;
     st->global_certs = apr_array_append(p, base->global_certs,
                                            overrides->global_certs);
-    st->client_certs = apr_array_append(p, base->client_certs,
-                                           overrides->client_certs);
     st->secure = (overrides->secure_set == 0) ? base->secure
                                               : overrides->secure;
 
@@ -2891,7 +2887,7 @@
                    "passphrase if applicable."),
 
     AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert,
-                   NULL, RSRC_CONF,
+                   NULL, OR_AUTHCFG,
                    "Takes three arguments: the first argument is the certificate "
                    "type of the second argument, one of CA_DER, CA_BASE64, "
                    "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "



Mime
View raw message