1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* apr_ldap_option.c -- LDAP options
19 * The LDAP SDK allows the getting and setting of options on an LDAP
26 #include "apu_config.h"
29 #define APU_DSO_LDAP_BUILD
33 #include "apr_errno.h"
34 #include "apr_pools.h"
35 #include "apr_strings.h"
36 #include "apr_tables.h"
40 static void option_set_cert(apr_pool_t *pool, LDAP *ldap, const void *invalue,
41 apr_ldap_err_t *result);
42 static void option_set_tls(apr_pool_t *pool, LDAP *ldap, const void *invalue,
43 apr_ldap_err_t *result);
46 * APR LDAP get option function
48 * This function gets option values from a given LDAP session if
51 APU_DECLARE_LDAP(int) apr_ldap_get_option(apr_pool_t *pool,
55 apr_ldap_err_t **result_err)
57 apr_ldap_err_t *result;
59 result = apr_pcalloc(pool, sizeof(apr_ldap_err_t));
65 /* get the option specified using the native LDAP function */
66 result->rc = ldap_get_option(ldap, option, outvalue);
68 /* handle the error case */
69 if (result->rc != LDAP_SUCCESS) {
70 result->msg = ldap_err2string(result-> rc);
71 result->reason = apr_pstrdup(pool, "LDAP: Could not get an option");
80 * APR LDAP set option function
82 * This function sets option values to a given LDAP session if
85 * Where an option is not supported by an LDAP toolkit, this function
86 * will try and apply legacy functions to achieve the same effect,
87 * depending on the platform.
89 APU_DECLARE_LDAP(int) apr_ldap_set_option(apr_pool_t *pool,
93 apr_ldap_err_t **result_err)
95 apr_ldap_err_t *result;
97 result = apr_pcalloc(pool, sizeof(apr_ldap_err_t));
104 case APR_LDAP_OPT_TLS_CERT:
105 option_set_cert(pool, ldap, invalue, result);
108 case APR_LDAP_OPT_TLS:
109 option_set_tls(pool, ldap, invalue, result);
112 case APR_LDAP_OPT_VERIFY_CERT:
113 #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
114 result->reason = "LDAP: Verify certificate not yet supported by APR on the "
115 "Netscape, Solaris or Mozilla LDAP SDKs";
119 #if APR_HAS_NOVELL_LDAPSDK
120 if (*((int*)invalue)) {
121 result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER);
124 result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE);
127 #if APR_HAS_OPENLDAP_LDAPSDK
128 #ifdef LDAP_OPT_X_TLS
129 /* This is not a per-connection setting so just pass NULL for the
130 Ldap connection handle */
131 if (*((int*)invalue)) {
132 int i = LDAP_OPT_X_TLS_DEMAND;
133 result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
136 int i = LDAP_OPT_X_TLS_NEVER;
137 result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
140 result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
141 "version of the OpenLDAP toolkit";
147 /* handle the error case */
148 if (result->rc != LDAP_SUCCESS) {
149 result->msg = ldap_err2string(result->rc);
150 result->reason = "LDAP: Could not set verify mode";
154 case APR_LDAP_OPT_REFERRALS:
155 /* Setting this option is supported on at least TIVOLI_SDK and OpenLDAP. Folks
156 * who know the NOVELL, NETSCAPE, MOZILLA, and SOLARIS SDKs should note here if
157 * the SDK at least tolerates this option being set, or add an elif to handle
158 * special cases (i.e. different LDAP_OPT_X value).
160 result->rc = ldap_set_option(ldap, LDAP_OPT_REFERRALS, (void *)invalue);
162 if (result->rc != LDAP_SUCCESS) {
163 result->reason = "Unable to set LDAP_OPT_REFERRALS.";
168 case APR_LDAP_OPT_REFHOPLIMIT:
169 #if !defined(LDAP_OPT_REFHOPLIMIT) || APR_HAS_NOVELL_LDAPSDK
170 /* If the LDAP_OPT_REFHOPLIMIT symbol is missing, assume that the
171 * particular LDAP library has a reasonable default. So far certain
172 * versions of the OpenLDAP SDK miss this symbol (but default to 5),
173 * and the Microsoft SDK misses the symbol (the default is not known).
175 result->rc = LDAP_SUCCESS;
177 /* Setting this option is supported on at least TIVOLI_SDK. Folks who know
178 * the NOVELL, NETSCAPE, MOZILLA, and SOLARIS SDKs should note here if
179 * the SDK at least tolerates this option being set, or add an elif to handle
180 * special cases so an error isn't returned if there is a perfectly good
181 * default value that just can't be changed (like openLDAP).
183 result->rc = ldap_set_option(ldap, LDAP_OPT_REFHOPLIMIT, (void *)invalue);
186 if (result->rc != LDAP_SUCCESS) {
187 result->reason = "Unable to set LDAP_OPT_REFHOPLIMIT.";
193 /* set the option specified using the native LDAP function */
194 result->rc = ldap_set_option(ldap, option, (void *)invalue);
196 /* handle the error case */
197 if (result->rc != LDAP_SUCCESS) {
198 result->msg = ldap_err2string(result->rc);
199 result->reason = "LDAP: Could not set an option";
204 /* handle the error case */
205 if (result->rc != LDAP_SUCCESS) {
214 * Handle APR_LDAP_OPT_TLS
216 * This function sets the type of TLS to be applied to this connection.
218 * APR_LDAP_NONE: no encryption
219 * APR_LDAP_SSL: SSL encryption (ldaps://)
220 * APR_LDAP_STARTTLS: STARTTLS encryption
221 * APR_LDAP_STOPTLS: Stop existing TLS connecttion
223 static void option_set_tls(apr_pool_t *pool, LDAP *ldap, const void *invalue,
224 apr_ldap_err_t *result)
226 #if APR_HAS_LDAP_SSL /* compiled with ssl support */
228 int tls = * (const int *)invalue;
230 /* Netscape/Mozilla/Solaris SDK */
231 #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
232 #if APR_HAS_LDAPSSL_INSTALL_ROUTINES
233 if (tls == APR_LDAP_SSL) {
234 result->rc = ldapssl_install_routines(ldap);
236 /* apparently Netscape and Mozilla need this too, Solaris doesn't */
237 if (result->rc == LDAP_SUCCESS) {
238 result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
241 if (result->rc != LDAP_SUCCESS) {
242 result->msg = ldap_err2string(result->rc);
243 result->reason = "LDAP: Could not switch SSL on for this "
247 else if (tls == APR_LDAP_STARTTLS) {
248 result->reason = "LDAP: STARTTLS is not supported by the "
249 "Netscape/Mozilla/Solaris SDK";
252 else if (tls == APR_LDAP_STOPTLS) {
253 result->reason = "LDAP: STOPTLS is not supported by the "
254 "Netscape/Mozilla/Solaris SDK";
258 if (tls != APR_LDAP_NONE) {
259 result->reason = "LDAP: SSL/TLS is not supported by this version "
260 "of the Netscape/Mozilla/Solaris SDK";
267 #if APR_HAS_NOVELL_LDAPSDK
268 /* ldapssl_install_routines(ldap)
269 * Behavior is unpredictable when other LDAP functions are called
270 * between the ldap_init function and the ldapssl_install_routines
273 * STARTTLS is supported by the ldap_start_tls_s() method
275 if (tls == APR_LDAP_SSL) {
276 result->rc = ldapssl_install_routines(ldap);
277 if (result->rc != LDAP_SUCCESS) {
278 result->msg = ldap_err2string(result->rc);
279 result->reason = "LDAP: Could not switch SSL on for this "
283 if (tls == APR_LDAP_STARTTLS) {
284 result->rc = ldapssl_start_tls(ldap);
285 if (result->rc != LDAP_SUCCESS) {
286 result->msg = ldap_err2string(result->rc);
287 result->reason = "LDAP: Could not start TLS on this connection";
290 else if (tls == APR_LDAP_STOPTLS) {
291 result->rc = ldapssl_stop_tls(ldap);
292 if (result->rc != LDAP_SUCCESS) {
293 result->msg = ldap_err2string(result->rc);
294 result->reason = "LDAP: Could not stop TLS on this connection";
300 #if APR_HAS_OPENLDAP_LDAPSDK
301 #ifdef LDAP_OPT_X_TLS
302 if (tls == APR_LDAP_SSL) {
303 int SSLmode = LDAP_OPT_X_TLS_HARD;
304 result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS, &SSLmode);
305 if (result->rc != LDAP_SUCCESS) {
306 result->reason = "LDAP: ldap_set_option failed. "
307 "Could not set LDAP_OPT_X_TLS to "
308 "LDAP_OPT_X_TLS_HARD";
309 result->msg = ldap_err2string(result->rc);
312 else if (tls == APR_LDAP_STARTTLS) {
313 result->rc = ldap_start_tls_s(ldap, NULL, NULL);
314 if (result->rc != LDAP_SUCCESS) {
315 result->reason = "LDAP: ldap_start_tls_s() failed";
316 result->msg = ldap_err2string(result->rc);
319 else if (tls == APR_LDAP_STOPTLS) {
320 result->reason = "LDAP: STOPTLS is not supported by the "
325 if (tls != APR_LDAP_NONE) {
326 result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
327 "version of the OpenLDAP toolkit";
334 #if APR_HAS_MICROSOFT_LDAPSDK
335 if (tls == APR_LDAP_NONE) {
336 ULONG ul = (ULONG) LDAP_OPT_OFF;
337 result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, &ul);
338 if (result->rc != LDAP_SUCCESS) {
339 result->reason = "LDAP: an attempt to set LDAP_OPT_SSL off "
341 result->msg = ldap_err2string(result->rc);
344 else if (tls == APR_LDAP_SSL) {
345 ULONG ul = (ULONG) LDAP_OPT_ON;
346 result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, &ul);
347 if (result->rc != LDAP_SUCCESS) {
348 result->reason = "LDAP: an attempt to set LDAP_OPT_SSL on "
350 result->msg = ldap_err2string(result->rc);
353 #if APR_HAS_LDAP_START_TLS_S
354 else if (tls == APR_LDAP_STARTTLS) {
355 result->rc = ldap_start_tls_s(ldap, NULL, NULL, NULL, NULL);
356 if (result->rc != LDAP_SUCCESS) {
357 result->reason = "LDAP: ldap_start_tls_s() failed";
358 result->msg = ldap_err2string(result->rc);
361 else if (tls == APR_LDAP_STOPTLS) {
362 result->rc = ldap_stop_tls_s(ldap);
363 if (result->rc != LDAP_SUCCESS) {
364 result->reason = "LDAP: ldap_stop_tls_s() failed";
365 result->msg = ldap_err2string(result->rc);
371 #if APR_HAS_OTHER_LDAPSDK
372 if (tls != APR_LDAP_NONE) {
373 result->reason = "LDAP: SSL/TLS is currently not supported by "
374 "APR on this LDAP SDK";
379 #endif /* APR_HAS_LDAP_SSL */
384 * Handle APR_LDAP_OPT_TLS_CACERTFILE
386 * This function sets the CA certificate for further SSL/TLS connections.
388 * The file provided are in different formats depending on the toolkit used:
390 * Netscape: cert7.db file
392 * OpenLDAP: PEM (others supported?)
396 static void option_set_cert(apr_pool_t *pool, LDAP *ldap,
397 const void *invalue, apr_ldap_err_t *result)
400 #if APR_HAS_LDAPSSL_CLIENT_INIT || APR_HAS_OPENLDAP_LDAPSDK
401 apr_array_header_t *certs = (apr_array_header_t *)invalue;
402 struct apr_ldap_opt_tls_cert_t *ents = (struct apr_ldap_opt_tls_cert_t *)certs->elts;
406 /* Netscape/Mozilla/Solaris SDK */
407 #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSDK
408 #if APR_HAS_LDAPSSL_CLIENT_INIT
409 const char *nickname = NULL;
410 const char *secmod = NULL;
411 const char *key3db = NULL;
412 const char *cert7db = NULL;
413 const char *password = NULL;
415 /* set up cert7.db, key3.db and secmod parameters */
416 for (i = 0; i < certs->nelts; i++) {
417 switch (ents[i].type) {
418 case APR_LDAP_CA_TYPE_CERT7_DB:
419 cert7db = ents[i].path;
421 case APR_LDAP_CA_TYPE_SECMOD:
422 secmod = ents[i].path;
424 case APR_LDAP_CERT_TYPE_KEY3_DB:
425 key3db = ents[i].path;
427 case APR_LDAP_CERT_TYPE_NICKNAME:
428 nickname = ents[i].path;
429 password = ents[i].password;
433 result->reason = "LDAP: The Netscape/Mozilla LDAP SDK only "
434 "understands the CERT7, KEY3 and SECMOD "
438 if (result->rc != LDAP_SUCCESS) {
443 /* actually set the certificate parameters */
444 if (result->rc == LDAP_SUCCESS) {
446 result->rc = ldapssl_enable_clientauth(ldap, "",
449 if (result->rc != LDAP_SUCCESS) {
450 result->reason = "LDAP: could not set client certificate: "
451 "ldapssl_enable_clientauth() failed.";
452 result->msg = ldap_err2string(result->rc);
456 result->rc = ldapssl_advclientauth_init(cert7db, NULL,
457 key3db ? 1 : 0, key3db, NULL,
458 1, secmod, LDAPSSL_AUTH_CNCHECK);
459 if (result->rc != LDAP_SUCCESS) {
460 result->reason = "LDAP: ldapssl_advclientauth_init() failed.";
461 result->msg = ldap_err2string(result->rc);
465 result->rc = ldapssl_clientauth_init(cert7db, NULL,
467 if (result->rc != LDAP_SUCCESS) {
468 result->reason = "LDAP: ldapssl_clientauth_init() failed.";
469 result->msg = ldap_err2string(result->rc);
473 result->rc = ldapssl_client_init(cert7db, NULL);
474 if (result->rc != LDAP_SUCCESS) {
475 result->reason = "LDAP: ldapssl_client_init() failed.";
476 result->msg = ldap_err2string(result->rc);
481 result->reason = "LDAP: SSL/TLS ldapssl_client_init() function not "
482 "supported by this Netscape/Mozilla/Solaris SDK. "
483 "Certificate authority file not set";
489 #if APR_HAS_NOVELL_LDAPSDK
490 #if APR_HAS_LDAPSSL_CLIENT_INIT && APR_HAS_LDAPSSL_ADD_TRUSTED_CERT && APR_HAS_LDAPSSL_CLIENT_DEINIT
491 /* The Novell library cannot support per connection certificates. Error
492 * out if the ldap handle is provided.
496 result->reason = "LDAP: The Novell LDAP SDK cannot support the setting "
497 "of certificates or keys on a per connection basis.";
499 /* Novell's library needs to be initialised first */
501 result->rc = ldapssl_client_init(NULL, NULL);
502 if (result->rc != LDAP_SUCCESS) {
503 result->msg = ldap_err2string(result-> rc);
504 result->reason = apr_pstrdup(pool, "LDAP: Could not "
508 /* set one or more certificates */
509 for (i = 0; LDAP_SUCCESS == result->rc && i < certs->nelts; i++) {
510 /* Novell SDK supports DER or BASE64 files. */
511 switch (ents[i].type) {
512 case APR_LDAP_CA_TYPE_DER:
513 result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
514 LDAPSSL_CERT_FILETYPE_DER);
515 result->msg = ldap_err2string(result->rc);
517 case APR_LDAP_CA_TYPE_BASE64:
518 result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
519 LDAPSSL_CERT_FILETYPE_B64);
520 result->msg = ldap_err2string(result->rc);
522 case APR_LDAP_CERT_TYPE_DER:
523 result->rc = ldapssl_set_client_cert((void *)ents[i].path,
524 LDAPSSL_CERT_FILETYPE_DER,
525 (void*)ents[i].password);
526 result->msg = ldap_err2string(result->rc);
528 case APR_LDAP_CERT_TYPE_BASE64:
529 result->rc = ldapssl_set_client_cert((void *)ents[i].path,
530 LDAPSSL_CERT_FILETYPE_B64,
531 (void*)ents[i].password);
532 result->msg = ldap_err2string(result->rc);
534 case APR_LDAP_CERT_TYPE_PFX:
535 result->rc = ldapssl_set_client_cert((void *)ents[i].path,
536 LDAPSSL_FILETYPE_P12,
537 (void*)ents[i].password);
538 result->msg = ldap_err2string(result->rc);
540 case APR_LDAP_KEY_TYPE_DER:
541 result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
542 LDAPSSL_CERT_FILETYPE_DER,
543 (void*)ents[i].password);
544 result->msg = ldap_err2string(result->rc);
546 case APR_LDAP_KEY_TYPE_BASE64:
547 result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
548 LDAPSSL_CERT_FILETYPE_B64,
549 (void*)ents[i].password);
550 result->msg = ldap_err2string(result->rc);
552 case APR_LDAP_KEY_TYPE_PFX:
553 result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
554 LDAPSSL_FILETYPE_P12,
555 (void*)ents[i].password);
556 result->msg = ldap_err2string(result->rc);
560 result->reason = "LDAP: The Novell LDAP SDK only understands the "
561 "DER and PEM (BASE64) file types.";
564 if (result->rc != LDAP_SUCCESS) {
569 result->reason = "LDAP: ldapssl_client_init(), "
570 "ldapssl_add_trusted_cert() or "
571 "ldapssl_client_deinit() functions not supported "
572 "by this Novell SDK. Certificate authority file "
579 #if APR_HAS_OPENLDAP_LDAPSDK
580 #ifdef LDAP_OPT_X_TLS_CACERTFILE
581 /* set one or more certificates */
582 /* FIXME: make it support setting directories as well as files */
583 for (i = 0; i < certs->nelts; i++) {
584 /* OpenLDAP SDK supports BASE64 files. */
585 switch (ents[i].type) {
586 case APR_LDAP_CA_TYPE_BASE64:
587 result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE,
588 (void *)ents[i].path);
589 result->msg = ldap_err2string(result->rc);
591 case APR_LDAP_CERT_TYPE_BASE64:
592 result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CERTFILE,
593 (void *)ents[i].path);
594 result->msg = ldap_err2string(result->rc);
596 case APR_LDAP_KEY_TYPE_BASE64:
597 result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_KEYFILE,
598 (void *)ents[i].path);
599 result->msg = ldap_err2string(result->rc);
601 #ifdef LDAP_OPT_X_TLS_CACERTDIR
602 case APR_LDAP_CA_TYPE_CACERTDIR_BASE64:
603 result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTDIR,
604 (void *)ents[i].path);
605 result->msg = ldap_err2string(result->rc);
610 result->reason = "LDAP: The OpenLDAP SDK only understands the "
611 "PEM (BASE64) file type.";
614 if (result->rc != LDAP_SUCCESS) {
619 result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
620 "defined by this OpenLDAP SDK. Certificate "
621 "authority file not set";
627 #if APR_HAS_MICROSOFT_LDAPSDK
628 /* Microsoft SDK use the registry certificate store - error out
629 * here with a message explaining this. */
630 result->reason = "LDAP: CA certificates cannot be set using this method, "
631 "as they are stored in the registry instead.";
635 /* SDK not recognised */
636 #if APR_HAS_OTHER_LDAPSDK
637 result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
638 "defined by this LDAP SDK. Certificate "
639 "authority file not set";
643 #else /* not compiled with SSL Support */
644 result->reason = "LDAP: Attempt to set certificate(s) failed. "
645 "Not built with SSL support";
647 #endif /* APR_HAS_LDAP_SSL */
651 #endif /* APR_HAS_LDAP */
projects / FreeBSD / releng / 10.2.git / blob