--- ldap/apr_ldap_init.c (revision 598755) +++ ldap/apr_ldap_init.c (working copy) @@ -110,6 +110,9 @@ #if APR_HAS_LDAP_SSL && APR_HAS_LDAPSSL_CLIENT_DEINIT ldapssl_client_deinit(); #endif +#if APR_HAS_LDAP_SSL && APR_HAS_LDAP_SSL_CLIENT_DEINIT + ldap_ssl_client_deinit(); +#endif return APR_SUCCESS; } @@ -149,6 +152,16 @@ *ldap = ldapssl_init(hostname, portno, 0); #elif APR_HAS_LDAP_SSLINIT *ldap = ldap_sslinit((char *)hostname, portno, 0); +#elif APR_HAS_LDAP_SSL_INIT + /* Tivoli: Third parameter is null, default CA list provided + * with SDK is used. + */ + if (secure == APR_LDAP_SSL) { + *ldap = ldap_ssl_init((char *)hostname, portno, NULL); + } + else { + *ldap = ldap_init((char *)hostname, portno); + } #else *ldap = ldap_init((char *)hostname, portno); #endif --- ldap/apr_ldap_option.c (revision 598755) +++ ldap/apr_ldap_option.c (working copy) @@ -322,6 +322,38 @@ #endif #endif + /* Tivoli SDK */ +#if APR_HAS_TIVOLI_LDAPSDK + if (tls == APR_LDAP_SSL) { + result->reason = "LDAP: SSL can only be set at connection " + "initialisation by APR on this version of " + "the Tivoli toolkit"; + result->rc = -1; + } +#if APR_HAS_LDAP_START_TLS_S_NP + else if (tls == APR_LDAP_STARTTLS) { + result->rc = ldap_start_tls_s_np(ldap, NULL); + if (result->rc != LDAP_SUCCESS) { + result->reason = "LDAP: ldap_start_tls_s_np() failed"; + result->msg = ldap_err2string(result->rc); + } + } + else if (tls == APR_LDAP_STOPTLS) { + result->rc = ldap_stop_tls_s_np(ldap); + if (result->rc != LDAP_SUCCESS) { + result->reason = "LDAP: ldap_stop_tls_s_np() failed"; + result->msg = ldap_err2string(result->rc); + } + } +#else + else if (tls != APR_LDAP_NONE) { + result->reason = "LDAP: TLS not yet supported by APR on this " + "version of the Tivoli toolkit"; + result->rc = -1; + } +#endif +#endif + #if APR_HAS_OTHER_LDAPSDK if (tls != APR_LDAP_NONE) { result->reason = "LDAP: SSL/TLS is currently not supported by " 
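Review bot: The new `#elif APR_HAS_LDAP_SSL_INIT` branch applies `secure == APR_LDAP_SSL` at init time, but the apr_ldap_option.c hunk in this same patch makes option_set_tls reject `APR_LDAP_SSL` with `rc = -1` on the Tivoli SDK; if apr_ldap_init still forwards `secure` to apr_ldap_set_option(APR_LDAP_OPT_TLS) after the `#endif` (the rest of the function lies outside the hunk), a successfully opened SSL handle would be reported back to the caller as a failure. Either skip the post-init option call when `APR_HAS_LDAP_SSL_INIT` already consumed `secure`, or have the Tivoli branch in option_set_tls treat `APR_LDAP_SSL` as a no-op when the handle was created securely. The comment `/* Tivoli: Third parameter is null, default CA list provided with SDK is used. */` also disagrees with the apr_ldap_option.c comment that says the third argument is a certificate label; since that NULL decides which trust store the connection validates the server against, state which one it is and whether a key database set earlier via ldap_ssl_client_init is still honoured.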
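Review bot: The `else if (tls == APR_LDAP_STOPTLS)` branch calls `ldap_stop_tls_s_np()` under the `APR_HAS_LDAP_START_TLS_S_NP` guard, but the apu-conf.m4 hunk only probes for `ldap_start_tls_s_np`; on an SDK build that exports the start function without the stop function this would fail at link time. Either add a matching `AC_CHECK_LIB(${ldaplib}, ldap_stop_tls_s_np, ...)` / `APR_HAS_LDAP_STOP_TLS_S_NP` pair or note in a comment that the two are assumed to ship together. The second argument passed to `ldap_start_tls_s_np(ldap, NULL)` is undocumented here; a one-line comment saying what the NULL selects would help the next reader. The enclosing option_set_tls function starts and ends outside the hunk.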
@@ -335,7 +367,7 @@ } /** - * Handle APR_LDAP_OPT_TLS_CACERTFILE + * Handle APR_LDAP_OPT_TLS_CERT * * This function sets the CA certificate for further SSL/TLS connections. * @@ -346,6 +378,7 @@ * OpenLDAP: PEM (others supported?) * Microsoft: unknown * Solaris: unknown + * Tivoli: CMS database file */ static void option_set_cert(apr_pool_t *pool, LDAP *ldap, const void *invalue, apr_ldap_err_t *result) @@ -577,6 +610,41 @@ result->rc = -1; #endif + /* Tivoli SDK */ +#if APR_HAS_TIVOLI_LDAPSDK + /* Tivoli accepts a KDB file with both CAs and private keys + * during one-time initialization and takes a certificate label + * during ldap_ssl_init. + */ + if (ldap) { + result->rc = -1; + result->reason = "LDAP: The Tivoli LDAP SDK cannot support the setting " + "of certificates or keys on a per connection basis."; + } + /* Tivoli's library needs to be initialised first */ + else { + for (i = 0; i < certs->nelts; i++) { + /* Tivoli SDK supports CMS files. */ + switch (ents[i].type) { + case APR_LDAP_CA_TYPE_CMS: + ldap_ssl_client_init((const char *)ents[i].path, + (const char *)ents[i].password, + 0, &result->rc); + result->msg = ldap_err2string(result->rc); + break; + default: + result->rc = -1; + result->reason = "LDAP: The Tivoli SDK only understands the " + "CMS database file type."; + break; + } + if (result->rc != LDAP_SUCCESS) { + break; + } + } + } +#endif + /* SDK not recognised */ #if APR_HAS_OTHER_LDAPSDK result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not " --- include/apr_ldap.h.in (revision 598755) +++ include/apr_ldap.h.in (working copy) 
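Review bot: In `case APR_LDAP_CA_TYPE_CMS:` a failing `ldap_ssl_client_init()` leaves `result->reason` unset, unlike every other error path in this hunk, and `result->msg` is filled from `ldap_err2string()` even on success; replace the unconditional assignment with `if (result->rc != LDAP_SUCCESS) { result->reason = "LDAP: ldap_ssl_client_init() failed"; result->msg = ldap_err2string(result->rc); }`. The loop also calls `ldap_ssl_client_init()` once per entry in `certs`, yet the comment above it describes that call as one-time initialisation of the key database that holds the private keys; if the SDK really accepts only one initialisation, a `certs` array with two CMS entries should be rejected with a clear reason rather than re-initialised, so either `break` after the first successful call or error out on `certs->nelts > 1`. The `0` passed as third argument deserves a comment naming what it is, as its meaning is not visible here. The enclosing option_set_cert function and the `i`/`ents` declarations are outside the hunk.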
@@ -85,12 +85,16 @@ * Detected standard functions */ #define APR_HAS_LDAPSSL_CLIENT_INIT @apu_has_ldapssl_client_init@ +#define APR_HAS_LDAP_SSL_CLIENT_INIT @apu_has_ldap_ssl_client_init@ #define APR_HAS_LDAPSSL_CLIENT_DEINIT @apu_has_ldapssl_client_deinit@ +#define APR_HAS_LDAP_SSL_CLIENT_DEINIT @apu_has_ldap_ssl_client_deinit@ #define APR_HAS_LDAPSSL_ADD_TRUSTED_CERT @apu_has_ldapssl_add_trusted_cert@ #define APR_HAS_LDAP_START_TLS_S @apu_has_ldap_start_tls_s@ #define APR_HAS_LDAP_SSLINIT @apu_has_ldap_sslinit@ #define APR_HAS_LDAPSSL_INIT @apu_has_ldapssl_init@ +#define APR_HAS_LDAP_SSL_INIT @apu_has_ldap_ssl_init@ #define APR_HAS_LDAPSSL_INSTALL_ROUTINES @apu_has_ldapssl_install_routines@ +#define APR_HAS_LDAP_START_TLS_S_NP @apu_has_ldap_start_tls_s_np@ /* * Make sure the secure LDAP port is defined --- include/apr_ldap_option.h (revision 598755) +++ include/apr_ldap_option.h (working copy) @@ -137,6 +137,8 @@ #define APR_LDAP_CERT_TYPE_PFX 13 /** PKCS#12 encoded private key */ #define APR_LDAP_KEY_TYPE_PFX 14 +/** CMS Key Database with private key and cert chain */ +#define APR_LDAP_CA_TYPE_CMS 15 /** * Certificate structure. --- build/apu-conf.m4 (revision 598755) +++ build/apu-conf.m4 (working copy) 
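Review bot: `APR_LDAP_CA_TYPE_CMS` is documented as `/** CMS Key Database with private key and cert chain */`, which contradicts the `CA_TYPE` prefix the other constants use to separate CA material from `CERT_TYPE`/`KEY_TYPE` entries. Since the apr_ldap_option.c hunk passes the entry's `password` field to `ldap_ssl_client_init()` to open that database, say so in the comment, for example `/** CMS key database (Tivoli SDK): holds CAs, private keys and cert chain; the entry's password field unlocks it and it is loaded once per process, not per connection */`.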
@@ -194,12 +194,16 @@ APR_ADDTO(APRUTIL_EXPORT_LIBS,[-l${ldaplib} ${extralib}]) APR_ADDTO(APRUTIL_LIBS,[-l${ldaplib} ${extralib}]) AC_CHECK_LIB(${ldaplib}, ldapssl_client_init, apu_has_ldapssl_client_init="1", , ${extralib}) + AC_CHECK_LIB(${ldaplib}, ldap_ssl_client_init, apu_has_ldap_ssl_client_init="1", , ${extralib}) AC_CHECK_LIB(${ldaplib}, ldapssl_client_deinit, apu_has_ldapssl_client_deinit="1", , ${extralib}) + AC_CHECK_LIB(${ldaplib}, ldap_ssl_client_deinit, apu_has_ldap_ssl_client_deinit="1", , ${extralib}) AC_CHECK_LIB(${ldaplib}, ldapssl_add_trusted_cert, apu_has_ldapssl_add_trusted_cert="1", , ${extralib}) AC_CHECK_LIB(${ldaplib}, ldap_start_tls_s, apu_has_ldap_start_tls_s="1", , ${extralib}) AC_CHECK_LIB(${ldaplib}, ldap_sslinit, apu_has_ldap_sslinit="1", , ${extralib}) AC_CHECK_LIB(${ldaplib}, ldapssl_init, apu_has_ldapssl_init="1", , ${extralib}) + AC_CHECK_LIB(${ldaplib}, ldap_ssl_init, apu_has_ldap_ssl_init="1", , ${extralib}) AC_CHECK_LIB(${ldaplib}, ldapssl_install_routines, apu_has_ldapssl_install_routines="1", , ${extralib}) + AC_CHECK_LIB(${ldaplib}, ldap_start_tls_s_np, apu_has_ldap_start_tls_s_np="1", , ${extralib}) apu_has_ldap="1"; ], , ${extralib}) fi @@ -215,12 +219,16 @@ apu_has_ldap="0"; apu_has_ldapssl_client_init="0" +apu_has_ldap_ssl_client_init="0" apu_has_ldapssl_client_deinit="0" +apu_has_ldap_ssl_client_deinit="0" apu_has_ldapssl_add_trusted_cert="0" apu_has_ldap_start_tls_s="0" apu_has_ldapssl_init="0" +apu_has_ldap_ssl_init="0" apu_has_ldap_sslinit="0" apu_has_ldapssl_install_routines="0" +apu_has_ldap_start_tls_s_np="0" apu_has_ldap_openldap="0" apu_has_ldap_solaris="0" apu_has_ldap_novell="0" @@ -345,6 +353,13 @@ esac fi if test "x$apr_cv_ldap_toolkit" = "x"; then + AC_EGREP_CPP([International Business Machines], [$lber_h + $ldap_h + LDAP_VENDOR_NAME], [apu_has_ldap_tivoli="1" + apr_cv_ldap_toolkit="Tivoli"]) + fi + + if test "x$apr_cv_ldap_toolkit" = "x"; then apu_has_ldap_other="1" apr_cv_ldap_toolkit="unknown" fi 
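Review bot: The new `AC_EGREP_CPP` block sets `apu_has_ldap_tivoli="1"`, but the defaults hunk above leaves `apu_has_ldap_tivoli` without a `"0"` default, the `AC_SUBST` hunk that follows does not export it, and the apr_ldap.h.in hunk adds no `#define APR_HAS_TIVOLI_LDAPSDK @apu_has_ldap_tivoli@` line even though the apr_ldap_option.c hunks test `#if APR_HAS_TIVOLI_LDAPSDK`; unless those three lines exist elsewhere in the files, the macro is undefined and the preprocessor silently evaluates it as 0, so all of the Tivoli code in this patch would be compiled out without any diagnostic. Add `apu_has_ldap_tivoli="0"` next to the other defaults, `AC_SUBST(apu_has_ldap_tivoli)` next to `AC_SUBST(apu_has_ldap_other)`, and the corresponding `#define` in apr_ldap.h.in, and consider building with `-Wundef` so a missing feature macro is reported rather than ignored. Matching the vendor string `International Business Machines` in `LDAP_VENDOR_NAME` is reasonable for detection, but a comment naming which SDK versions carry that string would help maintainers.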
@@ -360,12 +375,16 @@ AC_SUBST(lber_h) AC_SUBST(ldap_ssl_h) AC_SUBST(apu_has_ldapssl_client_init) +AC_SUBST(apu_has_ldap_ssl_client_init) AC_SUBST(apu_has_ldapssl_client_deinit) +AC_SUBST(apu_has_ldap_ssl_client_deinit) AC_SUBST(apu_has_ldapssl_add_trusted_cert) AC_SUBST(apu_has_ldap_start_tls_s) AC_SUBST(apu_has_ldapssl_init) +AC_SUBST(apu_has_ldap_ssl_init) AC_SUBST(apu_has_ldap_sslinit) AC_SUBST(apu_has_ldapssl_install_routines) +AC_SUBST(apu_has_ldap_start_tls_s_np) AC_SUBST(apu_has_ldap) AC_SUBST(apu_has_ldap_openldap) AC_SUBST(apu_has_ldap_solaris)