diff options
author | Gunter Knauf <gk@gknw.de> | 2007-08-20 16:30:41 +0000 |
---|---|---|
committer | Gunter Knauf <gk@gknw.de> | 2007-08-20 16:30:41 +0000 |
commit | acb905231d5ee721966d26449301a7474e8996e7 (patch) | |
tree | 9ff03a6cd77fe162e3ab1a36be931d06a7187369 | |
parent | c915eac93c8825e0200b207bd9d7a715acf52f21 (diff) |
fixed ldaps section for OpenLDAP. Still not working, but at least it compiles now, and should serve as base to get it finally working. Also seems that the ifdefs can be arranged some better because the Solaris and Netscape/iPlanet/Mozilla LDAP SDKs seem to be closer to the Novell section than the OpenLDAP one.
-rw-r--r-- | lib/ldap.c | 120 |
1 files changed, 94 insertions, 26 deletions
diff --git a/lib/ldap.c b/lib/ldap.c index 464f2cf98..56d6190e4 100644 --- a/lib/ldap.c +++ b/lib/ldap.c @@ -48,9 +48,9 @@ #else #define LDAP_DEPRECATED 1 /* Be sure ldap_init() is defined. */ # include <ldap.h> -#ifdef HAVE_LDAP_SSL +#if (defined(HAVE_LDAP_SSL) && defined(HAVE_LDAP_SSL_H)) # include <ldap_ssl.h> -#endif /* CURL_LDAP_USE_SSL */ +#endif /* HAVE_LDAP_SSL && HAVE_LDAP_SSL_H */ #endif #ifdef HAVE_UNISTD_H @@ -110,15 +110,6 @@ static void _ldap_free_urldesc (LDAPURLDesc *ludp); #ifndef LDAP_OPT_PROTOCOL_VERSION #define LDAP_OPT_PROTOCOL_VERSION 0x0011 #endif -#ifndef LDAP_OPT_NETWORK_TIMEOUT /* socket level timeout */ -#define LDAP_OPT_NETWORK_TIMEOUT 0x5005 -#endif -#ifndef LDAPSSL_VERIFY_NONE -#define LDAPSSL_VERIFY_NONE 0x00 -#endif -#ifndef LDAPSSL_VERIFY_SERVER -#define LDAPSSL_VERIFY_SERVER 0x01 -#endif #ifdef DEBUG_LDAP #define LDAP_TRACE(x) do { \ @@ -144,11 +135,16 @@ CURLcode Curl_ldap(struct connectdata *conn, bool *done) struct SessionHandle *data=conn->data; int ldap_proto; int ldap_ssl = 0; + int ldap_option; char *val_b64; size_t val_b64_sz; +#ifdef LDAP_OPT_NETWORK_TIMEOUT struct timeval ldap_timeout = {10,0}; /* 10 sec connection/search timeout */ +#endif *done = TRUE; /* unconditionally */ + infof(data, "LDAP local: LDAP Vendor = %s ; LDAP Version = %d\n", + LDAP_VENDOR_NAME, LDAP_VENDOR_VERSION); infof(data, "LDAP local: %s\n", data->change.url); #ifndef HAVE_LDAP_URL_PARSE @@ -168,7 +164,9 @@ CURLcode Curl_ldap(struct connectdata *conn, bool *done) infof(data, "LDAP local: trying to establish %s connection\n", ldap_ssl ? "encrypted" : "cleartext"); +#ifdef LDAP_OPT_NETWORK_TIMEOUT ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); +#endif ldap_proto = LDAP_VERSION3; ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); @@ -178,31 +176,103 @@ CURLcode Curl_ldap(struct connectdata *conn, bool *done) server = ldap_sslinit(conn->host.name, (int)conn->port, 1); ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); #else - rc = ldapssl_client_init(NULL, /* DER encoded cert file */ - NULL); /* reserved, use NULL */ + char* ldap_ca = NULL; /* XXX fix me: need to get CA path option here! */ + int verify_cert = 0; /* XXX fix me: need to get insecure option here! */ +#if defined(CURL_HAS_NOVELL_LDAPSDK) + rc = ldapssl_client_init(NULL, NULL); if (rc != LDAP_SUCCESS) { failf(data, "LDAP local: %s", ldap_err2string(rc)); status = CURLE_SSL_CERTPROBLEM; goto quit; } - rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE); + if (verify_cert) { + /* Novell SDK supports DER or BASE64 files. */ + rc = ldapssl_add_trusted_cert(ldap_ca, LDAPSSL_CERT_FILETYPE_B64); + if (rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting PEM CA cert: %s", + ldap_err2string(rc)); + status = CURLE_SSL_CERTPROBLEM; + goto quit; + } + ldap_option = LDAPSSL_VERIFY_SERVER; + } else { + ldap_option = LDAPSSL_VERIFY_NONE; + } + rc = ldapssl_set_verify_mode(ldap_option); if (rc != LDAP_SUCCESS) { - failf(data, "LDAP local: ldapssl_set_verify_mode error: %d", rc); + failf(data, "LDAP local: ERROR setting verify mode: %s", + ldap_err2string(rc)); status = CURLE_SSL_CERTPROBLEM; goto quit; } server = ldapssl_init(conn->host.name, (int)conn->port, 1); + if (server == NULL) { + failf(data, "LDAP local: Cannot connect to %s:%d", + conn->host.name, conn->port); + status = CURLE_COULDNT_CONNECT; + goto quit; + } +#elif defined(LDAP_OPT_X_TLS) + if (verify_cert) { + /* OpenLDAP SDK supports BASE64 files. */ + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); + if (rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting PEM CA cert: %s", + ldap_err2string(rc)); + status = CURLE_SSL_CERTPROBLEM; + goto quit; + } + ldap_option = LDAP_OPT_X_TLS_DEMAND; + } else { + ldap_option = LDAP_OPT_X_TLS_NEVER; + } + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); + if (rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting verify mode: %s", + ldap_err2string(rc)); + status = CURLE_SSL_CERTPROBLEM; + goto quit; + } + server = ldap_init(conn->host.name, (int)conn->port); + if (server == NULL) { + failf(data, "LDAP local: Cannot connect to %s:%d", + conn->host.name, conn->port); + status = CURLE_COULDNT_CONNECT; + goto quit; + } + ldap_option = LDAP_OPT_X_TLS_HARD; + rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option); + if (rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR setting SSL/TLS mode: %s", + ldap_err2string(rc)); + status = CURLE_SSL_CERTPROBLEM; + goto quit; + } + rc = ldap_start_tls_s(server, NULL, NULL); + if (rc != LDAP_SUCCESS) { + failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s", + ldap_err2string(rc)); + status = CURLE_SSL_CERTPROBLEM; + goto quit; + } +#else + /* we should probably never come up to here since configure + should check in first place if we can support LDAP SSL/TLS */ + failf(data, "LDAP local: SSL/TLS not supported with this version " + "of the OpenLDAP toolkit\n"); + status = CURLE_SSL_CERTPROBLEM; + goto quit; +#endif #endif #endif /* CURL_LDAP_USE_SSL */ } else { server = ldap_init(conn->host.name, (int)conn->port); - } - - if (server == NULL) { - failf(data, "LDAP local: Cannot connect to %s:%d", - conn->host.name, conn->port); - status = CURLE_COULDNT_CONNECT; - goto quit; + if (server == NULL) { + failf(data, "LDAP local: Cannot connect to %s:%d", + conn->host.name, conn->port); + status = CURLE_COULDNT_CONNECT; + goto quit; + } } rc = ldap_simple_bind_s(server, @@ -298,12 +368,10 @@ quit: ldap_free_urldesc(ludp); if (server) ldap_unbind_s(server); -#ifdef HAVE_LDAP_SSL -#ifndef CURL_LDAP_WIN +#if defined(HAVE_LDAP_SSL) && defined(CURL_HAS_NOVELL_LDAPSDK) if (ldap_ssl) ldapssl_client_deinit(); -#endif -#endif /* CURL_LDAP_USE_SSL */ +#endif /* HAVE_LDAP_SSL && CURL_HAS_NOVELL_LDAPSDK */ /* no data to transfer */ Curl_setup_transfer(conn, -1, -1, FALSE, NULL, -1, NULL); |