add per-target tls options; start tls if required by idassert (ITS#6642)

2025-03-07 14:18:15 +08:00 · 2010-09-09 01:30:19 +00:00 · 2010-09-09 01:30:19 +00:00 · 1760501cea
commit 1760501cea
parent aa63f21e4f
3 changed files with 51 additions and 13 deletions
--- a/servers/slapd/back-meta/back-meta.h
+++ b/servers/slapd/back-meta/back-meta.h
@ -274,6 +274,9 @@ typedef struct metatarget_t {
 	struct berval		mt_binddn;
 	struct berval		mt_bindpw;

+	/* we only care about the TLS options here */
+	slap_bindconf		mt_tls;
+
 	slap_idassert_t		mt_idassert;
 #define	mt_idassert_mode	mt_idassert.si_mode
 #define	mt_idassert_authcID	mt_idassert.si_bc.sb_authcId
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@ -620,7 +620,7 @@ meta_back_db_config(
 				fname, lineno, 0 );
 			return 1;
 		}
-		
+
 		if ( argc != 2 ) {
 			Debug( LDAP_DEBUG_ANY,
 	"%s: line %d: missing password in \"bindpw <password>\" line\n",
@ -709,13 +709,6 @@ meta_back_db_config(
 				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
 				: &mi->mi_flags;

-		if ( argc != 2 ) {
-			Debug( LDAP_DEBUG_ANY,
-		"%s: line %d: \"tls <what>\" needs 1 argument.\n",
-				fname, lineno, 0 );
-			return( 1 );
-		}
-
 		/* start */
 		if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
 			*flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
@ -741,6 +734,26 @@ meta_back_db_config(
 			return( 1 );
 		}

+		if ( argc > 2 ) {
+			metatarget_t	*mt = NULL;
+			int 		i;
+
+			if ( mi->mi_ntargets - 1 < 0 ) {
+				Debug( LDAP_DEBUG_ANY,
+		"%s: line %d: need \"uri\" directive first\n",
+					fname, lineno, 0 );
+				return 1;
+			}
+
+			mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
+
+			for ( i = 2; i < argc; i++ ) {
+				if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
+					return 1;
+			}
+			bindconf_tls_defaults( &mt->mt_tls );
+		}
+
 	} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
 		unsigned	*flagsp = mi->mi_ntargets ?
 				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@ -281,6 +281,7 @@ meta_back_init_one_conn(
 	int			do_return = 0;
 #ifdef HAVE_TLS
 	int			is_ldaps = 0;
+	int			do_start_tls = 0;
 #endif /* HAVE_TLS */

 	/* if the server is quarantined, and
@ -421,12 +422,33 @@ retry_lock:;
 		META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );

 #ifdef HAVE_TLS
+	if ( !is_ldaps ) {
+		slap_bindconf *sb = NULL;
+
+		if ( ispriv ) {
+			sb = &mt->mt_idassert.si_bc;
+		} else {
+			sb = &mt->mt_tls;
+		}
+
+		if ( sb->sb_tls_do_init ) {
+			bindconf_tls_set( sb, msc->msc_ld );
+		} else if ( sb->sb_tls_ctx ) {
+			ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+		}
+
+		if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
+			do_start_tls = 1;
+
+		} else if ( META_BACK_TGT_USE_TLS( mt )
+			|| ( op->o_conn->c_is_tls && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
+		{
+			do_start_tls = 1;
+		}
+	}
+
 	/* start TLS ("tls [try-]{start|propagate}" statement) */
-	if ( ( META_BACK_TGT_USE_TLS( mt )
-		|| ( op->o_conn->c_is_tls
-			&& META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
-		&& !is_ldaps )
-	{
+	if ( do_start_tls ) {
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
 		/*
 		 * use asynchronous StartTLS; in case, chase referral