Subject: svn commit: r915660 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ldap.xml include/ap_mmn.h modules/ldap/util_ldap.c
Date: Wed, 24 Feb 2010 04:02:06 -0000
To: cvs@httpd.apache.org
From: covener@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20100224040206.F121B23888CF@eris.apache.org>
Author: covener
Date: Wed Feb 24 04:02:06 2010
New Revision: 915660
URL: http://svn.apache.org/viewvc?rev=915660&view=rev
Log:
make some sense of the difference between "Client" and "Global" certs in mod_ldap.
PR46541
Submitted By: Paul Reder, Eric Covener
Reviewed By: Eric Covener
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml
httpd/httpd/trunk/include/ap_mmn.h
httpd/httpd/trunk/modules/ldap/util_ldap.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=915660&r1=915659&r2=915660&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Feb 24 04:02:06 2010
@@ -2,6 +2,13 @@
Changes with Apache 2.3.7
+ *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
+ setting only, matching most of the documentation and examples.
+ PR 46541 [Paul Reder, Eric Covener]
+
+ *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
+ types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
+
*) mod_negotiation: Preserve query string over multiviews negotiation.
This buglet was fixed for type maps in 2.2.6, but the same issue
affected multiviews and was overlooked.
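Review bot: the second new entry (CA_DER/CA_BASE64 accepted by LDAPTrustedClientCert) does not say why a user would need it; the mod_ldap.xml change in this same commit states that per-connection settings supersede the global ones, so CA certificates have to be restated wherever per-directory client certificates are configured. Suggest adding a short clause such as "(needed because per-directory settings supersede LDAPTrustedGlobalCert)" so the CHANGES reader knows the two entries belong together.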
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml?rev=915660&r1=915659&r2=915660&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml Wed Feb 24 04:02:06 2010
@@ -349,8 +349,10 @@
SDK to work correctly. These certificates can be specified as
binary DER or Base64 (PEM) encoded files.
- Client certificates are specified per connection using the
- LDAPTrustedClientCert directive.
+ Both CA and client certificates may be specified globally
+ (LDAPTrustedGlobalCert) or per-connection (LDAPTrustedClientCert).
+ When any settings are specified per-connection, the global
+ settings are superceded.
The documentation for the SDK claims to support both SSL and
STARTTLS, however STARTTLS does not seem to work on all versions
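Review bot: "superceded" on the last added line is a misspelling of "superseded". The same sentence calls LDAPTrustedClientCert "per-connection" while the CHANGES entry and the context table later in this file describe it as per-directory (directory/.htaccess); pick one term. Since superseding means the global CA list is no longer consulted once any per-directory setting exists, say explicitly that CA certificates must be repeated in that scope, as the configuration example further down does.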
@@ -372,6 +374,9 @@
Allow from yourdomain.example.com
LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem
LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem
+ # CA certs respecified due to per-directory client certs
+ LDAPTrustedClientCert CA_DER /certs/cacert1.der
+ LDAPTrustedClientCert CA_BASE64 /certs/cacert2.pem
Satisfy any
AuthType Basic
AuthName "LDAP Protected"
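Review bot: the comment "# CA certs respecified due to per-directory client certs" understates the consequence described two paragraphs earlier: because per-directory settings supersede the global ones, omitting these two lines would leave this Directory's connection without the CA certificates configured by LDAPTrustedGlobalCert. Suggest "# per-directory settings replace LDAPTrustedGlobalCert, so the CA certs must be listed again here" so the reader does not treat them as optional.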
@@ -575,8 +580,7 @@
connection client certificate. Not all LDAP toolkits support per
connection client certificates.
LDAPTrustedClientCert type directory-path/filename/nickname [password]
-server configvirtual host
-directory.htaccess
+directory.htaccess
It specifies the directory path, file name or nickname of a
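Review bot: the context list now shows only directory/.htaccess, but util_ldap.c in this commit moves the directive from RSRC_CONF to OR_AUTHCFG, so the directive's override entry should state AuthConfig; otherwise readers cannot tell which AllowOverride setting enables it in .htaccess. The surrounding text ("per connection client certificate") should also be reworded to match the per-directory scope.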
@@ -591,6 +595,8 @@
The type specifies the kind of certificate parameter being
set, depending on the LDAP toolkit being used. Supported types are:
+ - CA_DER - binary DER encoded CA certificate
+ - CA_BASE64 - PEM encoded CA certificate
- CERT_DER - binary DER encoded client certificate
- CERT_BASE64 - PEM encoded client certificate
- CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)
Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=915660&r1=915659&r2=915660&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Wed Feb 24 04:02:06 2010
@@ -217,15 +217,16 @@
* 20100208.0 (2.3.6-dev) ap_socache_provider_t API changes to store and iterate
* 20100208.1 (2.3.6-dev) Added forward member to proxy_conn_rec
* 20100208.2 (2.3.7-dev) Added ap_log_command_line().
+ * 20100223.1 (2.3.7-dev) LDAP client_certs per-server moved to per-dir
*
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20100208
+#define MODULE_MAGIC_NUMBER_MAJOR 20100223
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 2 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
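Review bot: the new entry is 20100223.1 and MODULE_MAGIC_NUMBER_MINOR is set to 1, but there is no 20100223.0; a bump of MODULE_MAGIC_NUMBER_MAJOR normally resets MINOR to 0, so this should read 20100223.0 with `#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */`. The entry also describes a struct layout change (client_certs moved from the per-server to the per-directory record), which justifies the major bump, yet include/util_ldap.h is not in the Modified list; confirm util_ldap_config_t already carries a client_certs member and that the now-unused client_certs member of util_ldap_state_t is removed or marked deprecated.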
Modified: httpd/httpd/trunk/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap.c?rev=915660&r1=915659&r2=915660&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ldap/util_ldap.c (original)
+++ httpd/httpd/trunk/modules/ldap/util_ldap.c Wed Feb 24 04:02:06 2010
@@ -686,7 +686,7 @@
&& ((!l->bindpw && !bindpw) || (l->bindpw && bindpw
&& !strcmp(l->bindpw, bindpw)))
&& (l->deref == deref) && (l->secure == secureflag)
- && !compare_client_certs(st->client_certs, l->client_certs))
+ && !compare_client_certs(dc->client_certs, l->client_certs))
{
break;
}
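Review bot: `dc` is used here but its declaration is outside the hunk; confirm the enclosing function now takes it from the request's per-directory config (ap_get_module_config on r->per_dir_config) rather than from the old server-level `st`. This comparison is what keeps a cached connection opened with one Directory's client certificate from being handed to a request whose Directory configures a different certificate, or none, so the source of `dc` decides whether the fix is effective.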
@@ -711,7 +711,7 @@
#endif
if ((l->port == port) && (strcmp(l->host, host) == 0) &&
(l->deref == deref) && (l->secure == secureflag) &&
- !compare_client_certs(st->client_certs, l->client_certs))
+ !compare_client_certs(dc->client_certs, l->client_certs))
{
/* the bind credentials have changed */
l->bound = 0;
@@ -779,7 +779,7 @@
l->secure = secureflag;
/* save away a copy of the client cert list that is presently valid */
- l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);
+ l->client_certs = apr_array_copy_hdr(l->pool, dc->client_certs);
l->keep = 1;
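Review bot: apr_array_copy_hdr() copies only the array header, so l->client_certs keeps pointing at the elements of dc->client_certs, and each element's path and password strings still point at the directive arguments. That was safe when the list came from the server config, but with the OR_AUTHCFG change later in this diff the per-directory record can come from a .htaccess parsed for a single request, while `l` lives in the connection cache beyond that request. Consider apr_array_copy() plus apr_pstrdup() of path and password into l->pool, or confirm that .htaccess-derived certificate lists cannot reach this code path.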
@@ -2300,9 +2300,7 @@
const char *file,
const char *password)
{
- util_ldap_state_t *st =
- (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
- &ldap_module);
+ util_ldap_config_t *dc = config;
apr_finfo_t finfo;
apr_status_t rv;
int cert_type = 0;
@@ -2314,21 +2312,21 @@
if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
"not recognised. It should be one "
- "of CERT_DER, CERT_BASE64, "
- "CERT_NICKNAME, CERT_PFX,"
+ "of CA_DER, CA_BASE64, "
+ "CERT_DER, CERT_BASE64, "
+ "CERT_NICKNAME, CERT_PFX, "
"KEY_DER, KEY_BASE64, KEY_PFX",
type);
}
- else if (APR_LDAP_CA_TYPE_DER == cert_type ||
- APR_LDAP_CA_TYPE_BASE64 == cert_type ||
- APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||
+ else if ( APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||
APR_LDAP_CA_TYPE_SECMOD == cert_type ||
APR_LDAP_CERT_TYPE_PFX == cert_type ||
APR_LDAP_CERT_TYPE_KEY3_DB == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
"only valid within a "
"LDAPTrustedGlobalCert directive. "
- "Only CERT_DER, CERT_BASE64, "
+ "Only CA_DER, CA_BASE64, "
+ "CERT_DER, CERT_BASE64, "
"CERT_NICKNAME, KEY_DER, and "
"KEY_BASE64 may be used.", type);
}
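Review bot: the two error messages disagree about what the directive accepts: the "not recognised" text lists CERT_PFX and KEY_PFX as valid, but the branch immediately below rejects APR_LDAP_CERT_TYPE_PFX as LDAPTrustedGlobalCert-only, and the "Only ... may be used" text omits KEY_PFX. Make both messages enumerate the same set that the code actually accepts. Style: `else if ( APR_LDAP_CA_TYPE_CERT7_DB` has a stray space after the opening parenthesis.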
@@ -2341,8 +2339,8 @@
"LDAP: SSL trusted client cert - %s (type %s)",
file, type);
- /* add the certificate to the global array */
- cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
+ /* add the certificate to the client array */
+ cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(dc->client_certs);
cert->type = cert_type;
cert->path = file;
cert->password = password;
@@ -2520,6 +2518,7 @@
(util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
/* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */
+ dc->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
dc->ReferralHopLimit = AP_LDAP_HOPLIMIT_UNSET;
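Review bot: the per-directory create function now initialises client_certs, but no hunk touches the per-directory merge function, while the server-level merge that used to append base and override client_certs is removed later in this diff. Without a per-directory merge rule, a Directory that sets LDAPTrustedClientCert and a nested Directory that does not may end up with an empty list rather than the parent's certificates; state the intended semantics (inherit unless overridden, or replace) and implement it in the merge handler, with a CHANGES note if it is "replace".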
@@ -2598,7 +2597,6 @@
st->connections = NULL;
st->ssl_supported = 0;
st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
- st->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
st->secure = APR_LDAP_NONE;
st->secure_set = 0;
st->connectionTimeout = 10;
@@ -2635,8 +2633,6 @@
st->ssl_supported = 0;
st->global_certs = apr_array_append(p, base->global_certs,
overrides->global_certs);
- st->client_certs = apr_array_append(p, base->client_certs,
- overrides->client_certs);
st->secure = (overrides->secure_set == 0) ? base->secure
: overrides->secure;
@@ -2891,7 +2887,7 @@
"passphrase if applicable."),
AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert,
- NULL, RSRC_CONF,
+ NULL, OR_AUTHCFG,
"Takes three arguments: the first argument is the certificate "
"type of the second argument, one of CA_DER, CA_BASE64, "
"CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
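Review bot: switching LDAPTrustedClientCert from RSRC_CONF to OR_AUTHCFG lets any .htaccess under AllowOverride AuthConfig name the certificate and key files (and the key passphrase) used for the LDAP connection, which previously only the server administrator could do; this is a deliberate widening of who controls which credentials httpd presents to the directory server and should be called out in CHANGES and in the directive's documentation so administrators can decide whether to grant AuthConfig in those trees. The help string on the following lines still lists CA_CERT7_DB, CA_SECMOD and CERT_KEY3_DB, which util_ldap_set_trusted_client_cert rejects for this directive in the hunk at line 2312; trim it to the accepted types.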