Bug 41352 - openldap and per-connection client certificates in apr-util LDAP
Summary: openldap and per-connection client certificates in apr-util LDAP
Status: NEEDINFO
Alias: None
Product: APR
Classification: Unclassified
Component: APR-util
Version: HEAD
Hardware: Other other
Importance: P2 minor
Target Milestone: ---
Assignee: Apache Portable Runtime bugs mailinglist
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
Reported: 2007-01-11 09:31 UTC by Eric Covener
Modified: 2011-05-31 20:13 UTC

Attachments
correct current openldap client cert behavior, prepare for future support (1.22 KB, patch)
2007-01-11 09:32 UTC, Eric Covener
Updated patch with standard apr_ldap_set_option support, and starttls support (8.66 KB, patch)
2007-11-27 14:38 UTC, Graham Leggett

Description Eric Covener 2007-01-11 09:31:07 UTC
The release (2.3.x) version of OpenLDAP does not support
per-connection TLS settings, which apr-util will try to set if
requested (manifests as bad RC from ldap_set_option when ldap!=null).

In the alpha release (2.4.x), OpenLDAP does allow you to set
per-connection TLS settings but requires that you ask for a new
(openssl) TLS context by setting the LDAP_OPT_X_TLS_NEWCTX ldap option
to make them active.

As an additional complication, requesting a new TLS context likely
doesn't work until the next alpha OpenLDAP is released (the broken
behavior of the released alphas is not accounted for in the patch).
See:
http://www.openldap.org/its/index.cgi?findid=4726

Possibly more background at this dev@httpd discussion:
http://mail-archives.apache.org/mod_mbox/httpd-dev/200610.mbox/%3c1404e5910610232040q6dd4137aj408ac48cc59bb9ba@mail.gmail.com%3e

apr-util patch attached that lets apr-util attempt to set
per-connection TLS settings with openldap when
LDAP_OPT_X_TLS_NEWCTX was available at build time, and otherwise
bails out informatively (in the same fashion as Novell).
Comment 1 Eric Covener 2007-01-11 09:32:32 UTC
Created attachment 19395 [details]
correct current openldap client cert behavior, prepare for future support
Comment 2 Graham Leggett 2007-11-27 14:38:17 UTC
Created attachment 21197 [details]
Updated patch with standard apr_ldap_set_option support, and starttls support
Comment 3 Graham Leggett 2007-11-27 14:42:16 UTC
Oops - attached to wrong bug report :(
Comment 4 Mark Thomas 2009-06-10 13:34:38 UTC
Reset assignee so e-mail goes to list
Comment 5 Igor Galić 2011-05-29 16:18:39 UTC
It looks like Eric's patch has been added (by him) in r915649.
Does this mean this bug is now resolved?
Comment 6 Eric Covener 2011-05-31 20:13:04 UTC
Probably worth leaving as Needinfo until someone can confirm with current levels of openldap.