Bug 41351

Summary: Tivoli LDAP SDK support in aprutil
Product: APR
Reporter: Eric Covener <covener>
Component: APR-util
Assignee: Apache Portable Runtime bugs mailinglist <bugs>
Status: NEEDINFO
Severity: enhancement
Keywords: PatchAvailable
Priority: P2
Version: HEAD
Target Milestone: ---
Hardware: All
OS: other
Attachments:
  - initial tivoli ldap support (ldap, ldaps)
  - Updated patch with standard apr_ldap_set_option support, and starttls support

Description Eric Covener 2007-01-11 09:25:11 UTC
Attached is a patch for allowing aprutil LDAP to use the Tivoli
Directory Server SDK from IBM.

Simple SSL connections work without any explicit configuration because
the SDK ships with a Key Database that contains the usual public CAs.
This Key Database, used for Certificate Authorities and private keys,
can only effectively be set during the one-time
ldap_ssl_client_init()/apr_ldap_ssl_init(), and this does work via
apr-util if the application passes in the cert_auth_file.

A private key can be selected for client authentication during the
per-connection ldap_ssl_init()/apr_ldap_init(), but this doesn't mesh
very well with the current apr-util LDAP interface.  Allowing this
would only require an additional char* passed to apr_ldap_init().

Neither the keyring nor the name of the private cert is settable via
the ldap_set_option interface, which unfortunately differs from other
supported LDAP SDKs.

I was able to get a small test program to work over SSL, as well as
httpd with a tiny change to actually pass the "secure" parameter to
apr_ldap_init().

v5.2 SDK readme:
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSCreadme52/en_US/HTML/client.htm
v5.2 SDK programmers reference:
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSprogref52/en_US/HTML/progref.htm
Product Page: (appears client/SDK bundled in large ldap server package)
http://www-306.ibm.com/software/tivoli/products/directory-server/
Comment 1 Eric Covener 2007-01-11 09:26:04 UTC
Created attachment 19394 [details]
initial tivoli ldap support (ldap, ldaps)
Comment 2 Graham Leggett 2007-11-27 14:37:08 UTC
Following the docs at
http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.glpa100/ssl_client_init.htm,
I have overhauled the patch to support the ldap_ssl_client_init() and
ldap_ssl_init() initialisation sequences, in line with the current behavior of
apr-util.

The ldap_ssl_client_init() routine has been embedded in apr_ldap_set_options()
to be in line with the rest of the apr code.

The certificate label in ldap_ssl_init is set to NULL, which causes the
following behaviour according to the docs:

"Specify NULL for this parameter to use the GSK_KEY_LABEL environment variable.
If NULL is specified for this parameter and the GSK_KEY_LABEL environment
variable is not defined, the default certificate for the SSL key database or SAF
key ring can be used. A client certificate is needed only when the LDAP server
is configured for client authentication."

Support for starttls has been added in this new patch.

Can you test it out for me? I don't have access to a machine...
Comment 3 Graham Leggett 2007-11-27 14:41:14 UTC
Created attachment 21198 [details]
Updated patch with standard apr_ldap_set_option support, and starttls support
Comment 4 Mark Thomas 2009-06-10 13:31:40 UTC
Reset assignee so mails go to list.
Comment 5 Mina Galić 2011-05-29 16:08:19 UTC
Graham, Eric: This bug is now > 4 years old. I don't see the code added (in trunk), so I assume it's still outstanding. As of yet the support for Tivoli I can see in the code is very basic. Graham's "advanced" StartTLS is completely missing.
Comment 6 Eric Covener 2011-05-31 20:29:19 UTC
This is a confusing PR.

This bug was originally for basic Tivoli support, including basic SSL.  

Basic non-SSL Tivoli support was added in a later mailing-list only thread, and somehow this PR morphed into "SSL support with Tivoli SDK".

A half-public/half-private thread with Graham says this 11/27 patch did not work for me.  

Meanwhile, in the Apache-based webserver that I work with that bundles tivoli LDAP exclusively, we've done the guts of ldaps directly in httpd to get around the issues with the timing of the SSL initialization vs. the APR/APU API.

Needs a fresh working session to get beyond NEEDINFO, sometime in a future httpd.
Comment 7 Graham Leggett 2011-06-26 10:49:51 UTC
Can you confirm specifically what about the 11/27 patch didn't work for you?

Having just looked at mod_ldap, there is an initialisation bug that exists where SSL is hard coded as switched off in util_ldap_post_config() for toolkits that require SSL switched on at the init step. Then, there is a second bug in apr_ldap_ssl_init() itself where the flag being passed is the wrong type. These two would need to be fixed before this patch would work.
Comment 8 Graham Leggett 2011-06-26 11:37:02 UTC
Actually, looking at this deeper, util_ldap_post_config() doesn't seem to have a bug, but apr_ldap_ssl_init() does. This shouldn't affect Tivoli support though.