mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-06 10:46:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

Make syncrepl inherit default TLS settings from main slapd config (except

Browse Source 
for reqcert, default demand)
This commit is contained in:
Howard Chu 2007-01-08 20:16:45 +00:00
parent 813cca89a6
commit 1cc1f9b18a
4 changed files with 84 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
servers/slapd/bconfig.c
View File

@ -3094,22 +3094,9 @@ config_tls_option(ConfigArgs *c) {
static int static int
config_tls_config(ConfigArgs *c) { config_tls_config(ConfigArgs *c) {
int i, flag; int i, flag;
slap_verbmasks crlkeys[] = {
{ BER_BVC("none"), LDAP_OPT_X_TLS_CRL_NONE },
{ BER_BVC("peer"), LDAP_OPT_X_TLS_CRL_PEER },
{ BER_BVC("all"), LDAP_OPT_X_TLS_CRL_ALL },
{ BER_BVNULL, 0 }
};
slap_verbmasks vfykeys[] = {
{ BER_BVC("never"), LDAP_OPT_X_TLS_NEVER },
{ BER_BVC("demand"), LDAP_OPT_X_TLS_DEMAND },
{ BER_BVC("try"), LDAP_OPT_X_TLS_TRY },
{ BER_BVC("hard"), LDAP_OPT_X_TLS_HARD },
{ BER_BVNULL, 0 }
}, *keys;
switch(c->type) { switch(c->type) {
case CFG_TLS_CRLCHECK: flag = LDAP_OPT_X_TLS_CRLCHECK; keys = crlkeys; break; case CFG_TLS_CRLCHECK: flag = LDAP_OPT_X_TLS_CRLCHECK; break;
case CFG_TLS_VERIFY: flag = LDAP_OPT_X_TLS_REQUIRE_CERT; keys = vfykeys; break; case CFG_TLS_VERIFY: flag = LDAP_OPT_X_TLS_REQUIRE_CERT; break;
default: default:
Debug(LDAP_DEBUG_ANY, "%s: " Debug(LDAP_DEBUG_ANY, "%s: "
"unknown tls_option <0x%x>\n", "unknown tls_option <0x%x>\n",
@ -3117,14 +3104,7 @@ config_tls_config(ConfigArgs *c) {
return 1; return 1;
} }
if (c->op == SLAP_CONFIG_EMIT) { if (c->op == SLAP_CONFIG_EMIT) {
ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int ); return slap_tls_get_config( slap_tls_ld, flag, &c->value_string );
for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
if (keys[i].mask == c->value_int) {
c->value_string = ch_strdup( keys[i].word.bv_val );
return 0;
}
}
return 1;
} else if ( c->op == LDAP_MOD_DELETE ) { } else if ( c->op == LDAP_MOD_DELETE ) {
int i = 0; int i = 0;
return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i ); return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i );

73
servers/slapd/config.c
View File

@ -998,6 +998,21 @@ static slap_verbmasks tlskey[] = {
{ BER_BVC("critical"), SB_TLS_CRITICAL }, { BER_BVC("critical"), SB_TLS_CRITICAL },
{ BER_BVNULL, 0 } { BER_BVNULL, 0 }
}; };
static slap_verbmasks crlkeys[] = {
{ BER_BVC("none"), LDAP_OPT_X_TLS_CRL_NONE },
{ BER_BVC("peer"), LDAP_OPT_X_TLS_CRL_PEER },
{ BER_BVC("all"), LDAP_OPT_X_TLS_CRL_ALL },
{ BER_BVNULL, 0 }
};
static slap_verbmasks vfykeys[] = {
{ BER_BVC("never"), LDAP_OPT_X_TLS_NEVER },
{ BER_BVC("demand"), LDAP_OPT_X_TLS_DEMAND },
{ BER_BVC("try"), LDAP_OPT_X_TLS_TRY },
{ BER_BVC("hard"), LDAP_OPT_X_TLS_HARD },
{ BER_BVNULL, 0 }
};
#endif #endif
static slap_verbmasks methkey[] = { static slap_verbmasks methkey[] = {
@ -1232,6 +1247,33 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0
return 0; return 0;
} }
int
slap_tls_get_config( LDAP *ld, int opt, char **val )
{
slap_verbmasks *keys;
int i, ival;
*val = NULL;
switch( opt ) {
case LDAP_OPT_X_TLS_CRLCHECK:
keys = crlkeys;
break;
case LDAP_OPT_X_TLS_REQUIRE_CERT:
keys = vfykeys;
break;
default:
return -1;
}
ldap_pvt_tls_get_option( ld, opt, &ival );
for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
if (keys[i].mask == ival) {
*val = ch_strdup( keys[i].word.bv_val );
return 0;
}
}
return -1;
}
int int
bindconf_parse( const char *word, slap_bindconf *bc ) bindconf_parse( const char *word, slap_bindconf *bc )
{ {
@ -1324,6 +1366,37 @@ void bindconf_free( slap_bindconf *bc ) {
#endif #endif
} }
void
bindconf_tls_defaults( slap_bindconf *bc )
{
#ifdef HAVE_TLS
if ( bc->sb_tls_do_init ) {
if ( !bc->sb_tls_cacert )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTFILE,
&bc->sb_tls_cacert );
if ( !bc->sb_tls_cacertdir )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTDIR,
&bc->sb_tls_cacertdir );
if ( !bc->sb_tls_cert )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CERTFILE,
&bc->sb_tls_cert );
if ( !bc->sb_tls_key )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_KEYFILE,
&bc->sb_tls_key );
if ( !bc->sb_tls_cipher_suite )
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
&bc->sb_tls_cipher_suite );
if ( !bc->sb_tls_reqcert )
bc->sb_tls_reqcert = ch_strdup("demand");
#ifdef HAVE_OPENSSL_CRL
if ( !bc->sb_tls_crlcheck )
slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
&bc->sb_tls_crlcheck );
#endif
}
#endif
}
#ifdef HAVE_TLS #ifdef HAVE_TLS
static struct { static struct {
const char *key; const char *key;

3
servers/slapd/proto-slap.h
View File

@ -632,6 +632,9 @@ LDAP_SLAPD_F (int) slap_verbmasks_init LDAP_P(( slap_verbmasks **vp, slap_verbma
LDAP_SLAPD_F (int) slap_verbmasks_destroy LDAP_P(( slap_verbmasks *v )); LDAP_SLAPD_F (int) slap_verbmasks_destroy LDAP_P(( slap_verbmasks *v ));
LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp, LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp,
slap_mask_t m, struct berval *v, slap_mask_t *ignore )); slap_mask_t m, struct berval *v, slap_mask_t *ignore ));
LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P((
LDAP *ld, int opt, char **val ));
LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_parse LDAP_P(( LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
const char *word, slap_bindconf *bc )); const char *word, slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_unparse LDAP_P(( LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((

5
servers/slapd/syncrepl.c
View File

@ -3248,6 +3248,11 @@ add_syncrepl(
if ( !si->si_re ) if ( !si->si_re )
rc = -1; rc = -1;
} }
#ifdef HAVE_TLS
/* Use main slapd defaults */
bindconf_tls_defaults( &si->si_bindconf );
#endif
if ( rc < 0 ) { if ( rc < 0 ) {
Debug( LDAP_DEBUG_ANY, "failed to add syncinfo\n", 0, 0, 0 ); Debug( LDAP_DEBUG_ANY, "failed to add syncinfo\n", 0, 0, 0 );
syncinfo_free( si ); syncinfo_free( si );