| Summary: | Tivoli LDAP SDK support in aprutil | | |
|---|---|---|---|
| Product: | APR | Reporter: | Eric Covener <covener> |
| Component: | APR-util | Assignee: | Apache Portable Runtime bugs mailinglist <bugs> |
| Status: | NEEDINFO --- | | |
| Severity: | enhancement | Keywords: | PatchAvailable |
| Priority: | P2 | | |
| Version: | HEAD | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | other | | |
| Attachments: | initial tivoli ldap support (ldap, ldaps) | | |
| | Updated patch with standard apr_ldap_set_option support, and starttls support | | |
Description
Eric Covener
2007-01-11 09:25:11 UTC
Created attachment 19394
initial tivoli ldap support (ldap, ldaps)

Following the docs at http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.glpa100/ssl_client_init.htm, I have overhauled the patch to support the ldap_ssl_client_init() and ldap_ssl_init() initialisation sequences, in line with the current behavior of apr-util. The ldap_ssl_client_init() routine has been embedded in apr_ldap_set_options() to be in line with the rest of the apr code. The certificate label in ldap_ssl_init is set to NULL, which causes the following behaviour according to the docs: "Specify NULL for this parameter to use the GSK_KEY_LABEL environment variable. If NULL is specified for this parameter and the GSK_KEY_LABEL environment variable is not defined, the default certificate for the SSL key database or SAF key ring can be used. A client certificate is needed only when the LDAP server is configured for client authentication." Support for starttls has been added in this new patch. Can you test it out for me? I don't have access to a machine...

Created attachment 21198
Updated patch with standard apr_ldap_set_option support, and starttls support

Reset assignee so mails go to list.

Graham, Eric: This bug is now > 4 years old. I don't see the code added (in trunk), so I assume it's still outstanding. As of yet the support for Tivoli I can see in the code is very basic. Graham's "advanced" StartTLS is completely missing.

This is a confusing PR. This bug was originally for basic Tivoli support, including basic SSL. Basic non-SSL Tivoli support was added in a later mailing-list-only thread, and somehow this PR morphed into "SSL support with Tivoli SDK". A half-public/half-private thread with Graham says this 11/27 patch did not work for me. Meanwhile, in the Apache-based webserver that I work with that bundles Tivoli LDAP exclusively, we've done the guts of ldaps directly in httpd to get around the issues with the timing of the SSL initialization vs. the APR/APU API. Needs a fresh working session to get beyond NEEDINFO, sometime in future httpd.

Can you confirm specifically what about the 11/27 patch didn't work for you? Having just looked at mod_ldap, there is an initialisation bug that exists where SSL is hard coded as switched off in util_ldap_post_config() for toolkits that require SSL switched on at the init step. Then, there is a second bug in apr_ldap_ssl_init() itself where the flag being passed is the wrong type. These two would need to be fixed before this patch would work.

Actually, looking at this deeper, util_ldap_post_config() doesn't seem to have a bug, but apr_ldap_ssl_init() does. This shouldn't affect Tivoli support though.