mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
Use TLS context stuff in syncrepl
This commit is contained in:
parent
571ac24b33
commit
c6d0edc3b7
@ -45,6 +45,10 @@
|
||||
#include "lutil.h"
|
||||
#include "config.h"
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
|
||||
#define ARGS_STEP 512
|
||||
|
||||
/*
|
||||
@ -1255,6 +1259,10 @@ void bindconf_free( slap_bindconf *bc ) {
|
||||
BER_BVZERO( &bc->sb_authzId );
|
||||
}
|
||||
#ifdef HAVE_TLS
|
||||
if ( bc->sb_tls_ctx ) {
|
||||
SSL_CTX_free( bc->sb_tls_ctx );
|
||||
bc->sb_tls_ctx = NULL;
|
||||
}
|
||||
if ( bc->sb_tls_cert ) {
|
||||
ch_free( bc->sb_tls_cert );
|
||||
bc->sb_tls_cert = NULL;
|
||||
@ -1288,6 +1296,72 @@ void bindconf_free( slap_bindconf *bc ) {
|
||||
#endif
|
||||
}
|
||||
|
||||
static struct {
|
||||
const char *key;
|
||||
size_t offset;
|
||||
int opt;
|
||||
} bindtlsopts[] = {
|
||||
{ "tls_cert", offsetof(slap_bindconf, sb_tls_cert), LDAP_OPT_X_TLS_CERTFILE },
|
||||
{ "tls_key", offsetof(slap_bindconf, sb_tls_key), LDAP_OPT_X_TLS_KEYFILE },
|
||||
{ "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
|
||||
{ "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
|
||||
{ "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
|
||||
{0, 0}
|
||||
};
|
||||
|
||||
int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
|
||||
{
|
||||
int i, rc, newctx = 0, res = 0;
|
||||
char *ptr = (char *)bc, **word;
|
||||
|
||||
for (i=0; bindtlsopts[i].opt; i++) {
|
||||
word = (char **)(ptr + bindtlsopts[i].offset);
|
||||
if ( *word ) {
|
||||
rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
|
||||
if ( rc ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"bindconf_tls_set: failed to set %s to %s\n",
|
||||
bindtlsopts[i].key, *word, 0 );
|
||||
res = -1;
|
||||
} else
|
||||
newctx = 1;
|
||||
}
|
||||
}
|
||||
if ( bc->sb_tls_reqcert ) {
|
||||
rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
|
||||
bc->sb_tls_reqcert );
|
||||
if ( rc ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"bindconf_tls_set: failed to set tls_reqcert to %s\n",
|
||||
bc->sb_tls_reqcert, 0, 0 );
|
||||
res = -1;
|
||||
} else
|
||||
newctx = 1;
|
||||
}
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
if ( bc->sb_tls_crlcheck ) {
|
||||
rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
|
||||
bc->sb_tls_crlcheck );
|
||||
if ( rc ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
|
||||
bc->sb_tls_crlcheck, 0, 0 );
|
||||
res = -1;
|
||||
} else
|
||||
newctx = 1;
|
||||
}
|
||||
#endif
|
||||
if ( newctx ) {
|
||||
int opt = 0;
|
||||
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
|
||||
if ( rc )
|
||||
res = rc;
|
||||
else
|
||||
ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
|
||||
}
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
/* -------------------------------------- */
|
||||
|
||||
|
@ -606,6 +606,8 @@ LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
|
||||
const char *word, slap_bindconf *bc ));
|
||||
LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
|
||||
slap_bindconf *bc, struct berval *bv ));
|
||||
LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
|
||||
slap_bindconf *bc, LDAP *ld ));
|
||||
LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
|
||||
LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
|
||||
const char *fname, int lineno, int argc, char **argv ));
|
||||
|
@ -1521,6 +1521,7 @@ typedef struct slap_bindconf {
|
||||
struct berval sb_authcId;
|
||||
struct berval sb_authzId;
|
||||
#ifdef HAVE_TLS
|
||||
void *sb_tls_ctx;
|
||||
char *sb_tls_cert;
|
||||
char *sb_tls_key;
|
||||
char *sb_tls_cacert;
|
||||
|
@ -83,6 +83,9 @@ typedef struct syncinfo_s {
|
||||
int si_syncdata;
|
||||
int si_logstate;
|
||||
int si_conn_setup;
|
||||
#ifdef HAVE_TLS
|
||||
int si_check_tls;
|
||||
#endif
|
||||
Avlnode *si_presentlist;
|
||||
LDAP *si_ld;
|
||||
LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist;
|
||||
@ -435,6 +438,21 @@ do_syncrep1(
|
||||
op->o_protocol = LDAP_VERSION3;
|
||||
ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, &op->o_protocol );
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
if ( si->si_check_tls ) {
|
||||
si->si_check_tls = 0;
|
||||
rc = bindconf_tls_set( &si->si_bindconf, si->si_ld );
|
||||
} else if ( si->si_bindconf.sb_tls_ctx ) {
|
||||
rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX,
|
||||
si->si_bindconf.sb_tls_ctx );
|
||||
}
|
||||
if ( rc ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"do_syncrep1: TLS context initialization failed\n", 0, 0, 0 );
|
||||
return rc;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Bind to master */
|
||||
|
||||
if ( si->si_bindconf.sb_tls ) {
|
||||
@ -3202,6 +3220,10 @@ add_syncrepl(
|
||||
si->si_slimit = 0;
|
||||
si->si_conn_setup = 0;
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
si->si_check_tls = 1;
|
||||
#endif
|
||||
|
||||
si->si_presentlist = NULL;
|
||||
LDAP_LIST_INIT( &si->si_nonpresentlist );
|
||||
ldap_pvt_thread_mutex_init( &si->si_mutex );
|
||||
|
Loading…
Reference in New Issue
Block a user