1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* apr_ldap_option.c -- LDAP options
19 * The LDAP SDK allows the getting and setting of options on an LDAP
27 #include "apr_errno.h"
28 #include "apr_pools.h"
29 #include "apr_strings.h"
30 #include "apr_tables.h"
34 static void option_set_cert(apr_pool_t
*pool
, LDAP
*ldap
, const void *invalue
,
35 apr_ldap_err_t
*result
);
36 static void option_set_tls(apr_pool_t
*pool
, LDAP
*ldap
, const void *invalue
,
37 apr_ldap_err_t
*result
);
40 * APR LDAP get option function
42 * This function gets option values from a given LDAP session if
45 APU_DECLARE(int) apr_ldap_get_option(apr_pool_t
*pool
,
49 apr_ldap_err_t
**result_err
)
51 apr_ldap_err_t
*result
;
53 result
= apr_pcalloc(pool
, sizeof(apr_ldap_err_t
));
59 /* get the option specified using the native LDAP function */
60 result
->rc
= ldap_get_option(ldap
, option
, outvalue
);
62 /* handle the error case */
63 if (result
->rc
!= LDAP_SUCCESS
) {
64 result
->msg
= ldap_err2string(result
-> rc
);
65 result
->reason
= apr_pstrdup(pool
, "LDAP: Could not get an option");
74 * APR LDAP set option function
76 * This function sets option values to a given LDAP session if
79 * Where an option is not supported by an LDAP toolkit, this function
80 * will try and apply legacy functions to achieve the same effect,
81 * depending on the platform.
83 APU_DECLARE(int) apr_ldap_set_option(apr_pool_t
*pool
,
87 apr_ldap_err_t
**result_err
)
89 apr_ldap_err_t
*result
;
91 result
= apr_pcalloc(pool
, sizeof(apr_ldap_err_t
));
98 case APR_LDAP_OPT_TLS_CERT
:
99 option_set_cert(pool
, ldap
, invalue
, result
);
102 case APR_LDAP_OPT_TLS
:
103 option_set_tls(pool
, ldap
, invalue
, result
);
106 case APR_LDAP_OPT_VERIFY_CERT
:
107 #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
108 result
->reason
= "LDAP: Verify certificate not yet supported by APR on the "
109 "Netscape, Solaris or Mozilla LDAP SDKs";
113 #if APR_HAS_NOVELL_LDAPSDK
114 if (*((int*)invalue
)) {
115 result
->rc
= ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER
);
118 result
->rc
= ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE
);
121 #if APR_HAS_OPENLDAP_LDAPSDK
122 #ifdef LDAP_OPT_X_TLS
123 /* This is not a per-connection setting so just pass NULL for the
124 Ldap connection handle */
125 if (*((int*)invalue
)) {
126 int i
= LDAP_OPT_X_TLS_DEMAND
;
127 result
->rc
= ldap_set_option(NULL
, LDAP_OPT_X_TLS_REQUIRE_CERT
, &i
);
130 int i
= LDAP_OPT_X_TLS_NEVER
;
131 result
->rc
= ldap_set_option(NULL
, LDAP_OPT_X_TLS_REQUIRE_CERT
, &i
);
134 result
->reason
= "LDAP: SSL/TLS not yet supported by APR on this "
135 "version of the OpenLDAP toolkit";
141 /* handle the error case */
142 if (result
->rc
!= LDAP_SUCCESS
) {
143 result
->msg
= ldap_err2string(result
->rc
);
144 result
->reason
= "LDAP: Could not set verify mode";
148 case APR_LDAP_OPT_REFERRALS
:
149 /* Setting this option is supported on at least TIVOLI_SDK and OpenLDAP. Folks
150 * who know the NOVELL, NETSCAPE, MOZILLA, and SOLARIS SDKs should note here if
151 * the SDK at least tolerates this option being set, or add an elif to handle
152 * special cases (i.e. different LDAP_OPT_X value).
154 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_REFERRALS
, (void *)invalue
);
156 if (result
->rc
!= LDAP_SUCCESS
) {
157 result
->reason
= "Unable to set LDAP_OPT_REFERRALS.";
162 case APR_LDAP_OPT_REFHOPLIMIT
:
163 #if !defined(LDAP_OPT_REFHOPLIMIT) || defined(APR_HAS_NOVELL_LDAPSDK)
164 /* If the LDAP_OPT_REFHOPLIMIT symbol is missing, assume that the
165 * particular LDAP library has a reasonable default. So far certain
166 * versions of the OpenLDAP SDK miss this symbol (but default to 5),
167 * and the Microsoft SDK misses the symbol (the default is not known).
169 result
->rc
= LDAP_SUCCESS
;
171 /* Setting this option is supported on at least TIVOLI_SDK. Folks who know
172 * the NOVELL, NETSCAPE, MOZILLA, and SOLARIS SDKs should note here if
173 * the SDK at least tolerates this option being set, or add an elif to handle
174 * special cases so an error isn't returned if there is a perfectly good
175 * default value that just can't be changed (like openLDAP).
177 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_REFHOPLIMIT
, (void *)invalue
);
180 if (result
->rc
!= LDAP_SUCCESS
) {
181 result
->reason
= "Unable to set LDAP_OPT_REFHOPLIMIT.";
187 /* set the option specified using the native LDAP function */
188 result
->rc
= ldap_set_option(ldap
, option
, (void *)invalue
);
190 /* handle the error case */
191 if (result
->rc
!= LDAP_SUCCESS
) {
192 result
->msg
= ldap_err2string(result
->rc
);
193 result
->reason
= "LDAP: Could not set an option";
198 /* handle the error case */
199 if (result
->rc
!= LDAP_SUCCESS
) {
208 * Handle APR_LDAP_OPT_TLS
210 * This function sets the type of TLS to be applied to this connection.
212 * APR_LDAP_NONE: no encryption
213 * APR_LDAP_SSL: SSL encryption (ldaps://)
214 * APR_LDAP_STARTTLS: STARTTLS encryption
215 * APR_LDAP_STOPTLS: Stop existing TLS connecttion
217 static void option_set_tls(apr_pool_t
*pool
, LDAP
*ldap
, const void *invalue
,
218 apr_ldap_err_t
*result
)
220 #if APR_HAS_LDAP_SSL /* compiled with ssl support */
222 int tls
= * (const int *)invalue
;
224 /* Netscape/Mozilla/Solaris SDK */
225 #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
226 #if APR_HAS_LDAPSSL_INSTALL_ROUTINES
227 if (tls
== APR_LDAP_SSL
) {
228 result
->rc
= ldapssl_install_routines(ldap
);
230 /* apparently Netscape and Mozilla need this too, Solaris doesn't */
231 if (result
->rc
== LDAP_SUCCESS
) {
232 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_SSL
, LDAP_OPT_ON
);
235 if (result
->rc
!= LDAP_SUCCESS
) {
236 result
->msg
= ldap_err2string(result
->rc
);
237 result
->reason
= "LDAP: Could not switch SSL on for this "
241 else if (tls
== APR_LDAP_STARTTLS
) {
242 result
->reason
= "LDAP: STARTTLS is not supported by the "
243 "Netscape/Mozilla/Solaris SDK";
246 else if (tls
== APR_LDAP_STOPTLS
) {
247 result
->reason
= "LDAP: STOPTLS is not supported by the "
248 "Netscape/Mozilla/Solaris SDK";
252 if (tls
!= APR_LDAP_NONE
) {
253 result
->reason
= "LDAP: SSL/TLS is not supported by this version "
254 "of the Netscape/Mozilla/Solaris SDK";
261 #if APR_HAS_NOVELL_LDAPSDK
262 /* ldapssl_install_routines(ldap)
263 * Behavior is unpredictable when other LDAP functions are called
264 * between the ldap_init function and the ldapssl_install_routines
267 * STARTTLS is supported by the ldap_start_tls_s() method
269 if (tls
== APR_LDAP_SSL
) {
270 result
->rc
= ldapssl_install_routines(ldap
);
271 if (result
->rc
!= LDAP_SUCCESS
) {
272 result
->msg
= ldap_err2string(result
->rc
);
273 result
->reason
= "LDAP: Could not switch SSL on for this "
277 if (tls
== APR_LDAP_STARTTLS
) {
278 result
->rc
= ldapssl_start_tls(ldap
);
279 if (result
->rc
!= LDAP_SUCCESS
) {
280 result
->msg
= ldap_err2string(result
->rc
);
281 result
->reason
= "LDAP: Could not start TLS on this connection";
284 else if (tls
== APR_LDAP_STOPTLS
) {
285 result
->rc
= ldapssl_stop_tls(ldap
);
286 if (result
->rc
!= LDAP_SUCCESS
) {
287 result
->msg
= ldap_err2string(result
->rc
);
288 result
->reason
= "LDAP: Could not stop TLS on this connection";
294 #if APR_HAS_OPENLDAP_LDAPSDK
295 #ifdef LDAP_OPT_X_TLS
296 if (tls
== APR_LDAP_SSL
) {
297 int SSLmode
= LDAP_OPT_X_TLS_HARD
;
298 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_X_TLS
, &SSLmode
);
299 if (result
->rc
!= LDAP_SUCCESS
) {
300 result
->reason
= "LDAP: ldap_set_option failed. "
301 "Could not set LDAP_OPT_X_TLS to "
302 "LDAP_OPT_X_TLS_HARD";
303 result
->msg
= ldap_err2string(result
->rc
);
306 else if (tls
== APR_LDAP_STARTTLS
) {
307 result
->rc
= ldap_start_tls_s(ldap
, NULL
, NULL
);
308 if (result
->rc
!= LDAP_SUCCESS
) {
309 result
->reason
= "LDAP: ldap_start_tls_s() failed";
310 result
->msg
= ldap_err2string(result
->rc
);
313 else if (tls
== APR_LDAP_STOPTLS
) {
314 result
->reason
= "LDAP: STOPTLS is not supported by the "
319 if (tls
!= APR_LDAP_NONE
) {
320 result
->reason
= "LDAP: SSL/TLS not yet supported by APR on this "
321 "version of the OpenLDAP toolkit";
328 #if APR_HAS_MICROSOFT_LDAPSDK
329 if (tls
== APR_LDAP_NONE
) {
330 ULONG ul
= (ULONG
) LDAP_OPT_OFF
;
331 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_SSL
, &ul
);
332 if (result
->rc
!= LDAP_SUCCESS
) {
333 result
->reason
= "LDAP: an attempt to set LDAP_OPT_SSL off "
335 result
->msg
= ldap_err2string(result
->rc
);
338 else if (tls
== APR_LDAP_SSL
) {
339 ULONG ul
= (ULONG
) LDAP_OPT_ON
;
340 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_SSL
, &ul
);
341 if (result
->rc
!= LDAP_SUCCESS
) {
342 result
->reason
= "LDAP: an attempt to set LDAP_OPT_SSL on "
344 result
->msg
= ldap_err2string(result
->rc
);
347 #if APR_HAS_LDAP_START_TLS_S
348 else if (tls
== APR_LDAP_STARTTLS
) {
349 result
->rc
= ldap_start_tls_s(ldap
, NULL
, NULL
, NULL
, NULL
);
350 if (result
->rc
!= LDAP_SUCCESS
) {
351 result
->reason
= "LDAP: ldap_start_tls_s() failed";
352 result
->msg
= ldap_err2string(result
->rc
);
355 else if (tls
== APR_LDAP_STOPTLS
) {
356 result
->rc
= ldap_stop_tls_s(ldap
);
357 if (result
->rc
!= LDAP_SUCCESS
) {
358 result
->reason
= "LDAP: ldap_stop_tls_s() failed";
359 result
->msg
= ldap_err2string(result
->rc
);
365 #if APR_HAS_OTHER_LDAPSDK
366 if (tls
!= APR_LDAP_NONE
) {
367 result
->reason
= "LDAP: SSL/TLS is currently not supported by "
368 "APR on this LDAP SDK";
373 #endif /* APR_HAS_LDAP_SSL */
378 * Handle APR_LDAP_OPT_TLS_CACERTFILE
380 * This function sets the CA certificate for further SSL/TLS connections.
382 * The file provided are in different formats depending on the toolkit used:
384 * Netscape: cert7.db file
386 * OpenLDAP: PEM (others supported?)
390 static void option_set_cert(apr_pool_t
*pool
, LDAP
*ldap
,
391 const void *invalue
, apr_ldap_err_t
*result
)
394 apr_array_header_t
*certs
= (apr_array_header_t
*)invalue
;
395 struct apr_ldap_opt_tls_cert_t
*ents
= (struct apr_ldap_opt_tls_cert_t
*)certs
->elts
;
398 /* Netscape/Mozilla/Solaris SDK */
399 #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSDK
400 #if APR_HAS_LDAPSSL_CLIENT_INIT
401 const char *nickname
= NULL
;
402 const char *secmod
= NULL
;
403 const char *key3db
= NULL
;
404 const char *cert7db
= NULL
;
405 const char *password
= NULL
;
407 /* set up cert7.db, key3.db and secmod parameters */
408 for (i
= 0; i
< certs
->nelts
; i
++) {
409 switch (ents
[i
].type
) {
410 case APR_LDAP_CA_TYPE_CERT7_DB
:
411 cert7db
= ents
[i
].path
;
413 case APR_LDAP_CA_TYPE_SECMOD
:
414 secmod
= ents
[i
].path
;
416 case APR_LDAP_CERT_TYPE_KEY3_DB
:
417 key3db
= ents
[i
].path
;
419 case APR_LDAP_CERT_TYPE_NICKNAME
:
420 nickname
= ents
[i
].path
;
421 password
= ents
[i
].password
;
425 result
->reason
= "LDAP: The Netscape/Mozilla LDAP SDK only "
426 "understands the CERT7, KEY3 and SECMOD "
430 if (result
->rc
!= LDAP_SUCCESS
) {
435 /* actually set the certificate parameters */
436 if (result
->rc
== LDAP_SUCCESS
) {
438 result
->rc
= ldapssl_enable_clientauth(ldap
, "",
441 if (result
->rc
!= LDAP_SUCCESS
) {
442 result
->reason
= "LDAP: could not set client certificate: "
443 "ldapssl_enable_clientauth() failed.";
444 result
->msg
= ldap_err2string(result
->rc
);
448 result
->rc
= ldapssl_advclientauth_init(cert7db
, NULL
,
449 key3db
? 1 : 0, key3db
, NULL
,
450 1, secmod
, LDAPSSL_AUTH_CNCHECK
);
451 if (result
->rc
!= LDAP_SUCCESS
) {
452 result
->reason
= "LDAP: ldapssl_advclientauth_init() failed.";
453 result
->msg
= ldap_err2string(result
->rc
);
457 result
->rc
= ldapssl_clientauth_init(cert7db
, NULL
,
459 if (result
->rc
!= LDAP_SUCCESS
) {
460 result
->reason
= "LDAP: ldapssl_clientauth_init() failed.";
461 result
->msg
= ldap_err2string(result
->rc
);
465 result
->rc
= ldapssl_client_init(cert7db
, NULL
);
466 if (result
->rc
!= LDAP_SUCCESS
) {
467 result
->reason
= "LDAP: ldapssl_client_init() failed.";
468 result
->msg
= ldap_err2string(result
->rc
);
473 result
->reason
= "LDAP: SSL/TLS ldapssl_client_init() function not "
474 "supported by this Netscape/Mozilla/Solaris SDK. "
475 "Certificate authority file not set";
481 #if APR_HAS_NOVELL_LDAPSDK
482 #if APR_HAS_LDAPSSL_CLIENT_INIT && APR_HAS_LDAPSSL_ADD_TRUSTED_CERT && APR_HAS_LDAPSSL_CLIENT_DEINIT
483 /* The Novell library cannot support per connection certificates. Error
484 * out if the ldap handle is provided.
488 result
->reason
= "LDAP: The Novell LDAP SDK cannot support the setting "
489 "of certificates or keys on a per connection basis.";
491 /* Novell's library needs to be initialised first */
493 result
->rc
= ldapssl_client_init(NULL
, NULL
);
494 if (result
->rc
!= LDAP_SUCCESS
) {
495 result
->msg
= ldap_err2string(result
-> rc
);
496 result
->reason
= apr_pstrdup(pool
, "LDAP: Could not "
500 /* set one or more certificates */
501 for (i
= 0; LDAP_SUCCESS
== result
->rc
&& i
< certs
->nelts
; i
++) {
502 /* Novell SDK supports DER or BASE64 files. */
503 switch (ents
[i
].type
) {
504 case APR_LDAP_CA_TYPE_DER
:
505 result
->rc
= ldapssl_add_trusted_cert((void *)ents
[i
].path
,
506 LDAPSSL_CERT_FILETYPE_DER
);
507 result
->msg
= ldap_err2string(result
->rc
);
509 case APR_LDAP_CA_TYPE_BASE64
:
510 result
->rc
= ldapssl_add_trusted_cert((void *)ents
[i
].path
,
511 LDAPSSL_CERT_FILETYPE_B64
);
512 result
->msg
= ldap_err2string(result
->rc
);
514 case APR_LDAP_CERT_TYPE_DER
:
515 result
->rc
= ldapssl_set_client_cert((void *)ents
[i
].path
,
516 LDAPSSL_CERT_FILETYPE_DER
,
517 (void*)ents
[i
].password
);
518 result
->msg
= ldap_err2string(result
->rc
);
520 case APR_LDAP_CERT_TYPE_BASE64
:
521 result
->rc
= ldapssl_set_client_cert((void *)ents
[i
].path
,
522 LDAPSSL_CERT_FILETYPE_B64
,
523 (void*)ents
[i
].password
);
524 result
->msg
= ldap_err2string(result
->rc
);
526 case APR_LDAP_CERT_TYPE_PFX
:
527 result
->rc
= ldapssl_set_client_cert((void *)ents
[i
].path
,
528 LDAPSSL_FILETYPE_P12
,
529 (void*)ents
[i
].password
);
530 result
->msg
= ldap_err2string(result
->rc
);
532 case APR_LDAP_KEY_TYPE_DER
:
533 result
->rc
= ldapssl_set_client_private_key((void *)ents
[i
].path
,
534 LDAPSSL_CERT_FILETYPE_DER
,
535 (void*)ents
[i
].password
);
536 result
->msg
= ldap_err2string(result
->rc
);
538 case APR_LDAP_KEY_TYPE_BASE64
:
539 result
->rc
= ldapssl_set_client_private_key((void *)ents
[i
].path
,
540 LDAPSSL_CERT_FILETYPE_B64
,
541 (void*)ents
[i
].password
);
542 result
->msg
= ldap_err2string(result
->rc
);
544 case APR_LDAP_KEY_TYPE_PFX
:
545 result
->rc
= ldapssl_set_client_private_key((void *)ents
[i
].path
,
546 LDAPSSL_FILETYPE_P12
,
547 (void*)ents
[i
].password
);
548 result
->msg
= ldap_err2string(result
->rc
);
552 result
->reason
= "LDAP: The Novell LDAP SDK only understands the "
553 "DER and PEM (BASE64) file types.";
556 if (result
->rc
!= LDAP_SUCCESS
) {
561 result
->reason
= "LDAP: ldapssl_client_init(), "
562 "ldapssl_add_trusted_cert() or "
563 "ldapssl_client_deinit() functions not supported "
564 "by this Novell SDK. Certificate authority file "
571 #if APR_HAS_OPENLDAP_LDAPSDK
572 #ifdef LDAP_OPT_X_TLS_CACERTFILE
573 /* set one or more certificates */
574 /* FIXME: make it support setting directories as well as files */
575 for (i
= 0; i
< certs
->nelts
; i
++) {
576 /* OpenLDAP SDK supports BASE64 files. */
577 switch (ents
[i
].type
) {
578 case APR_LDAP_CA_TYPE_BASE64
:
579 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_X_TLS_CACERTFILE
,
580 (void *)ents
[i
].path
);
581 result
->msg
= ldap_err2string(result
->rc
);
583 case APR_LDAP_CERT_TYPE_BASE64
:
584 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_X_TLS_CERTFILE
,
585 (void *)ents
[i
].path
);
586 result
->msg
= ldap_err2string(result
->rc
);
588 case APR_LDAP_KEY_TYPE_BASE64
:
589 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_X_TLS_KEYFILE
,
590 (void *)ents
[i
].path
);
591 result
->msg
= ldap_err2string(result
->rc
);
593 #ifdef LDAP_OPT_X_TLS_CACERTDIR
594 case APR_LDAP_CA_TYPE_CACERTDIR_BASE64
:
595 result
->rc
= ldap_set_option(ldap
, LDAP_OPT_X_TLS_CACERTDIR
,
596 (void *)ents
[i
].path
);
597 result
->msg
= ldap_err2string(result
->rc
);
602 result
->reason
= "LDAP: The OpenLDAP SDK only understands the "
603 "PEM (BASE64) file type.";
606 if (result
->rc
!= LDAP_SUCCESS
) {
611 result
->reason
= "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
612 "defined by this OpenLDAP SDK. Certificate "
613 "authority file not set";
619 #if APR_HAS_MICROSOFT_LDAPSDK
620 /* Microsoft SDK use the registry certificate store - error out
621 * here with a message explaining this. */
622 result
->reason
= "LDAP: CA certificates cannot be set using this method, "
623 "as they are stored in the registry instead.";
627 /* SDK not recognised */
628 #if APR_HAS_OTHER_LDAPSDK
629 result
->reason
= "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
630 "defined by this LDAP SDK. Certificate "
631 "authority file not set";
635 #else /* not compiled with SSL Support */
636 result
->reason
= "LDAP: Attempt to set certificate(s) failed. "
637 "Not built with SSL support";
639 #endif /* APR_HAS_LDAP_SSL */
643 #endif /* APR_HAS_LDAP */