httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: LDAP SDK behaviour and mod_ldap
Date Fri, 21 May 2004 21:31:59 GMT
>At the moment if you place LDAPTrustedCA directives inside virtual
>hosts, it silently ignores the options instead of throwing errors, which
>is also bad.

You're right.  I thought it was throwing an error.  The following patch
should probably be added to util_ldap.c:



Index: modules/experimental/util_ldap.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/experimental/util_ldap.c,v
retrieving revision 1.28
diff -u -r1.28 util_ldap.c
--- modules/experimental/util_ldap.c	20 May 2004 22:41:25
-0000	1.28
+++ modules/experimental/util_ldap.c	21 May 2004 21:28:29 -0000
@@ -1071,6 +1071,10 @@
     util_ldap_state_t *st = 
         (util_ldap_state_t
*)ap_get_module_config(cmd->server->module_config, 
 						  &ldap_module);
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err != NULL) {
+        return err;
+    }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, 
                       "LDAP: SSL trusted certificate authority file -
%s", 
@@ -1087,6 +1091,10 @@
     util_ldap_state_t *st = 
     (util_ldap_state_t
*)ap_get_module_config(cmd->server->module_config, 
                                               &ldap_module);
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err != NULL) {
+        return err;
+    }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, 
                       "LDAP: SSL trusted certificate authority file
type - %s", 
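Review bot: this hunk repeats the same four-line context check verbatim from the LDAPTrustedCA handler in the first hunk; a small static helper shared by both directive handlers would keep the two from drifting apart if the check is changed later. As in the first hunk, the check comes after the `st` lookup and would read better placed first. Worth a line in CHANGES as well: configurations that currently carry LDAPTrustedCAType inside a <VirtualHost> will stop starting with this patch instead of being silently ignored, which is the intended outcome but a visible behaviour change.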



Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

>>> Graham Leggett <minfrin@sharp.fm> Friday, May 21, 2004 2:11:17 PM
>>>
Brad Nicholes wrote:

>   My feeling is that about the best we could do is to allow the
> LDAPTrustedCA and LDAPTrustedCAType directives to be callable from
> within a virtualhost configuration and keep a list of certificates that
> can then be passed to the LDAP libraries during the post_config.  But
> this would really only make sense for OpenLDAP and Novell.  Since
> Netscape requires a CERT7 database file, it wouldn't know how to handle
> multiple files and these directives are NOOPs for Microsoft.  Then it
> might lead the administrator to believe that certain virtual hosts are
> using certain certificates when in fact that wouldn't be the case.  All
> virtual hosts would use all specified certificates.

At the moment if you place LDAPTrustedCA directives inside virtual
hosts, it silently ignores the options instead of throwing errors, which
is also bad.

In theory there shouldn't be too much of a need for setting per
virtualhost client certs, as it's Apache doing the connecting to LDAP,
not the other way around. (I'm not sure whether saying "this solution is
good enough for everybody" is the right thing either, just wondering
what is practical.)

Regards,
Graham
--
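As an added illustration, not part of the original thread and not configuration shipped by the httpd project: the placement problem Graham describes, written out as an httpd 2.0 configuration fragment. The directive names are the ones discussed on this page; the BASE64_FILE type value follows the httpd 2.0 mod_ldap documentation; the file path and host name are placeholders.

```apache
# Added example: where the mod_ldap trusted-CA directives belong.
# /etc/httpd/ssl/ldap-ca.pem and intranet.example.com are placeholders.

# WRONG: inside a <VirtualHost>. Before the patch in this thread httpd
# accepted these lines and silently ignored them, so no CA was configured
# for the LDAP connections at all. With the patch applied, httpd refuses
# to start and reports the error returned by ap_check_cmd_context().
<VirtualHost *:443>
    ServerName intranet.example.com
    LDAPTrustedCA     /etc/httpd/ssl/ldap-ca.pem
    LDAPTrustedCAType BASE64_FILE
</VirtualHost>

# RIGHT: at server-config (global) scope. The CA list is process-wide and
# applies to the LDAP connections made on behalf of every virtual host,
# which is the point Brad makes above about all vhosts sharing all
# specified certificates.
LDAPTrustedCA     /etc/httpd/ssl/ldap-ca.pem
LDAPTrustedCAType BASE64_FILE

<VirtualHost *:443>
    ServerName intranet.example.com
    # per-vhost authentication settings only; no LDAPTrustedCA* here
</VirtualHost>
```

With the patch in place, `httpd -t` (or `apachectl configtest`) reports the misplaced directive at configuration-check time instead of letting the server come up without the intended CA.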
