author | Eric Covener <covener@apache.org> | 2010-02-24 05:02:06 +0100 |
---|---|---|
committer | Eric Covener <covener@apache.org> | 2010-02-24 05:02:06 +0100 |
commit | 5b5c5facb0fc32e69216b76a182306e472d6906f (patch) | |
tree | 65b5732094d9e1af25c853356c86ba783663beab | |
parent | mod_negotiation: Preserve query string over multiviews negotiation. (diff) | |
make some sense of the difference between "Client" and "Global" certs in mod_ldap.
PR46541
Submitted By: Paul Reder, Eric Covener
Reviewed By: Eric Covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@915660 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 7 | ||||
-rw-r--r-- | docs/manual/mod/mod_ldap.xml | 14 | ||||
-rw-r--r-- | include/ap_mmn.h | 5 | ||||
-rw-r--r-- | modules/ldap/util_ldap.c | 32 |
4 files changed, 34 insertions, 24 deletions
@@ -2,6 +2,13 @@ Changes with Apache 2.3.7 + *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory + setting only, matching most of the documentation and examples. + PR 46541 [Paul Reder, Eric Covener] + + *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument + types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener] + *) mod_negotiation: Preserve query string over multiviews negotiation. This buglet was fixed for type maps in 2.2.6, but the same issue affected multiviews and was overlooked.
diff --git a/docs/manual/mod/mod_ldap.xml b/docs/manual/mod/mod_ldap.xml
index 2b12936455..e64bce3a70 100644
--- a/docs/manual/mod/mod_ldap.xml
+++ b/docs/manual/mod/mod_ldap.xml
@@ -349,8 +349,10 @@ by other LDAP modules</description> SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files.</p> - <p>Client certificates are specified per connection using the - LDAPTrustedClientCert directive.</p> + <p>Both CA and client certificates may be specified globally + (LDAPTrustedGlobalCert) or per-connection (LDAPTrustedClientCert). + When any settings are specified per-connection, the global + settings are superceded.</p> <p>The documentation for the SDK claims to support both SSL and STARTTLS, however STARTTLS does not seem to work on all versions
@@ -372,6 +374,9 @@ by other LDAP modules</description> Allow from yourdomain.example.com<br /> LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br /> LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem<br /> + # CA certs respecified due to per-directory client certs<br /> + LDAPTrustedClientCert CA_DER /certs/cacert1.der<br /> + LDAPTrustedClientCert CA_BASE64 /certs/cacert2.pem<br /> Satisfy any<br /> AuthType Basic<br /> AuthName "LDAP Protected"<br /> 
@@ -575,8 +580,7 @@ Certificate Authority or global client certificates</description> connection client certificate. Not all LDAP toolkits support per connection client certificates.</description> <syntax>LDAPTrustedClientCert <var>type</var> <var>directory-path/filename/nickname</var> <var>[password]</var></syntax> -<contextlist><context>server config</context><context>virtual host</context> -<context>directory</context><context>.htaccess</context></contextlist> +<contextlist><context>directory</context><context>.htaccess</context></contextlist> <usage> <p>It specifies the directory path, file name or nickname of a
@@ -591,6 +595,8 @@ connection client certificates.</description> The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are:</p> <ul> + <li>CA_DER - binary DER encoded CA certificate</li> + <li>CA_BASE64 - PEM encoded CA certificate</li> <li>CERT_DER - binary DER encoded client certificate</li> <li>CERT_BASE64 - PEM encoded client certificate</li> <li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li>
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 8c33f1c16e..e12140bc37 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -217,15 +217,16 @@ * 20100208.0 (2.3.6-dev) ap_socache_provider_t API changes to store and iterate * 20100208.1 (2.3.6-dev) Added forward member to proxy_conn_rec * 20100208.2 (2.3.7-dev) Added ap_log_command_line(). + * 20100223.1 (2.3.7-dev) LDAP client_certs per-server moved to per-dir * */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ #ifndef MODULE_MAGIC_NUMBER_MAJOR -#define MODULE_MAGIC_NUMBER_MAJOR 20100208 +#define MODULE_MAGIC_NUMBER_MAJOR 20100223 #endif -#define MODULE_MAGIC_NUMBER_MINOR 2 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index b6f3a35b55..713523698a 100644 
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -686,7 +686,7 @@ static util_ldap_connection_t * && ((!l->bindpw && !bindpw) || (l->bindpw && bindpw && !strcmp(l->bindpw, bindpw))) && (l->deref == deref) && (l->secure == secureflag) - && !compare_client_certs(st->client_certs, l->client_certs)) + && !compare_client_certs(dc->client_certs, l->client_certs)) { break; }
@@ -711,7 +711,7 @@ static util_ldap_connection_t * #endif if ((l->port == port) && (strcmp(l->host, host) == 0) && (l->deref == deref) && (l->secure == secureflag) && - !compare_client_certs(st->client_certs, l->client_certs)) + !compare_client_certs(dc->client_certs, l->client_certs)) { /* the bind credentials have changed */ l->bound = 0;
@@ -779,7 +779,7 @@ static util_ldap_connection_t * l->secure = secureflag; /* save away a copy of the client cert list that is presently valid */ - l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs); + l->client_certs = apr_array_copy_hdr(l->pool, dc->client_certs); l->keep = 1;
@@ -2300,9 +2300,7 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd, const char *file, const char *password) { - util_ldap_state_t *st = - (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, - &ldap_module); + util_ldap_config_t *dc = config; apr_finfo_t finfo; apr_status_t rv; int cert_type = 0; 
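Review bot: The hunks at -686, -711 and -779 switch util_ldap_connection_find to `dc->client_certs`, but `dc` is declared above the first hunk, so where the per-directory config comes from cannot be checked here; if it is read from `r->per_dir_config`, it is worth confirming that every caller reaches this function with a request that has one, because a NULL `dc` would be dereferenced at the very first comparison. Since that comparison is what decides whether a cached, already-bound connection may be handed to a different directory, a short comment before the first one would help a later reader, e.g. `/* the per-dir client cert list is part of a connection's identity: a dir with other certs must not reuse it */`. util_ldap_connection_find starts and ends outside these hunks.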
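Review bot: In the -2300 hunk `util_ldap_config_t *dc = config;` takes the handler's per-directory argument, whose declaration sits in the signature above the hunk (by httpd convention a `void *config`), so the conversion is implicit and the reader is left to guess why the server config lookup disappeared; a comment at the assignment would settle it, e.g. `/* LDAPTrustedClientCert is per-directory (OR_AUTHCFG): certs go into dc, never into the server's global_certs */`. The -2341 hunk shows that the removed code pushed client certs onto `st->global_certs`, which appears to be the real misbehaviour being fixed, yet neither the commit message nor the CHANGES entry says so; stating it would make the ap_mmn.h bump and the context change easier to justify when this is backported.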
@@ -2314,21 +2312,21 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd, if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) { return apr_psprintf(cmd->pool, "The certificate type \"%s\" is " "not recognised. It should be one " - "of CERT_DER, CERT_BASE64, " - "CERT_NICKNAME, CERT_PFX," + "of CA_DER, CA_BASE64, " + "CERT_DER, CERT_BASE64, " + "CERT_NICKNAME, CERT_PFX, " "KEY_DER, KEY_BASE64, KEY_PFX", type); } - else if (APR_LDAP_CA_TYPE_DER == cert_type || - APR_LDAP_CA_TYPE_BASE64 == cert_type || - APR_LDAP_CA_TYPE_CERT7_DB == cert_type || + else if ( APR_LDAP_CA_TYPE_CERT7_DB == cert_type || APR_LDAP_CA_TYPE_SECMOD == cert_type || APR_LDAP_CERT_TYPE_PFX == cert_type || APR_LDAP_CERT_TYPE_KEY3_DB == cert_type) { return apr_psprintf(cmd->pool, "The certificate type \"%s\" is " "only valid within a " "LDAPTrustedGlobalCert directive. " - "Only CERT_DER, CERT_BASE64, " + "Only CA_DER, CA_BASE64, " + "CERT_DER, CERT_BASE64, " "CERT_NICKNAME, KEY_DER, and " "KEY_BASE64 may be used.", type); }
@@ -2341,8 +2339,8 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd, "LDAP: SSL trusted client cert - %s (type %s)", file, type); - /* add the certificate to the global array */ - cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs); + /* add the certificate to the client array */ + cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(dc->client_certs); cert->type = cert_type; cert->path = file; cert->password = password;
@@ -2520,6 +2518,7 @@ static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) { (util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t)); /* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */ + dc->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t)); dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON; dc->ReferralHopLimit = AP_LDAP_HOPLIMIT_UNSET; 
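Review bot: The two rewritten messages in the -2314 hunk disagree with the `else if` between them: the "not recognised" text lists CERT_PFX and KEY_PFX as acceptable spellings, the branch then rejects CERT_PFX as global-only, and nothing visible rejects KEY_PFX, so a KEY_PFX argument presumably falls through to the "add the certificate" path even though the second message says only CA_DER, CA_BASE64, CERT_DER, CERT_BASE64, CERT_NICKNAME, KEY_DER and KEY_BASE64 may be used. Either add `APR_LDAP_KEY_TYPE_PFX == cert_type ||` to the rejection list or list KEY_PFX in the "may be used" message, and keep the type list in mod_ldap.xml from this commit in step with whichever is chosen. The condition also keeps a stray space from the deleted lines; `else if (APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||` matches the rest of the file. util_ldap_set_trusted_client_cert starts outside this hunk.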
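Review bot: The -2520 hunk creates `dc->client_certs` in util_ldap_create_dir_config, but no per-directory merge function is touched by this commit; if the module registers one that copies fields by name, `client_certs` has to be merged there as well, and if it registers none, a `<Directory>` that only sets ChaseReferrals will start from an empty list instead of its parent's, which under the new manual text also means the global CA settings no longer apply to that connection. Whichever semantics are intended, the new line deserves a comment, e.g. `/* per-dir client and CA certs (LDAPTrustedClientCert, OR_AUTHCFG); not inherited unless merged */`, and the manual should say whether nested directories inherit. util_ldap_create_dir_config starts outside the hunk.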
@@ -2598,7 +2597,6 @@ static void *util_ldap_create_config(apr_pool_t *p, server_rec *s) st->connections = NULL; st->ssl_supported = 0; st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t)); - st->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t)); st->secure = APR_LDAP_NONE; st->secure_set = 0; st->connectionTimeout = 10;
@@ -2635,8 +2633,6 @@ static void *util_ldap_merge_config(apr_pool_t *p, void *basev, st->ssl_supported = 0; st->global_certs = apr_array_append(p, base->global_certs, overrides->global_certs); - st->client_certs = apr_array_append(p, base->client_certs, - overrides->client_certs); st->secure = (overrides->secure_set == 0) ? base->secure : overrides->secure;
@@ -2891,7 +2887,7 @@ static const command_rec util_ldap_cmds[] = { "passphrase if applicable."), AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert, - NULL, RSRC_CONF, + NULL, OR_AUTHCFG, "Takes three arguments: the first argument is the certificate " "type of the second argument, one of CA_DER, CA_BASE64, " "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, " |
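Review bot: The -2598 and -2635 hunks stop allocating and merging `st->client_certs`, yet the diffstat lists no change to the header that declares util_ldap_state_t, so if the field is still there it is now left NULL by apr_pcalloc and any reader of `st->client_certs` that survives elsewhere in the module will dereference it. Either drop the field from the struct, which the ap_mmn.h bump in this commit already announces, or grep the module for remaining users before this goes in; a one-line comment next to `st->global_certs`, e.g. `/* client certs are per-directory now: see util_ldap_config_t */`, would stop the next person from re-adding it.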
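Review bot: In the -2891 hunk, moving LDAPTrustedClientCert from RSRC_CONF to OR_AUTHCFG lets anyone who can write an .htaccess file under `AllowOverride AuthConfig` name the certificate and key files httpd opens with its own privileges and, according to the manual text in this commit, replace the CA settings used to verify the LDAP server for that connection. That is the intended design, but it is stated nowhere an administrator would see it; the directive's description string, or the manual paragraph that says per-connection settings supersede the global ones, should add that the directive is honoured from .htaccess only with AuthConfig override and that doing so delegates the trust configuration for that directory's LDAP connections.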