From: Bradley Nicholes Date: Wed, 11 May 2005 22:34:18 +0000 (+0000) Subject: Add the LDAPVerifyServerCert directive to util_ldap to force X-Git-Tag: 2.1.5~121 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1439ca9d5c7a703499c8b76c6af6422129ca5980;p=thirdparty%2Fapache%2Fhttpd.git Add the LDAPVerifyServerCert directive to util_ldap to force verification of a server certificate when establishing an SSL connection to the LDAP server git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@169705 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/include/util_ldap.h b/include/util_ldap.h index 5647fad30ad..ad8013adcd9 100644 --- a/include/util_ldap.h +++ b/include/util_ldap.h @@ -131,6 +131,7 @@ typedef struct util_ldap_state_t { void *util_ldap_cache; char *lock_file; /* filename for shm lock mutex */ long connectionTimeout; + int verify_svr_cert; } util_ldap_state_t; diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c index 75eb02f568f..8a1d5ff64f7 100644 --- a/modules/ldap/util_ldap.c +++ b/modules/ldap/util_ldap.c @@ -330,6 +330,9 @@ static int uldap_connection_open(request_rec *r, /* always default to LDAP V3 */ ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version); + apr_ldap_set_option(ldc->pool, ldc->ldap, + APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result)); + #ifdef LDAP_OPT_NETWORK_TIMEOUT if (st->connectionTimeout > 0) { timeOut.tv_sec = st->connectionTimeout; @@ -1556,7 +1559,6 @@ static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd, cert->path == NULL ? file : cert->path); return "Invalid global certificate file path"; } - } return(NULL); 
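Review bot: The new apr_ldap_set_option() call for APR_LDAP_OPT_VERIFY_CERT discards its return value, so on an LDAP SDK that cannot honour the option the connection is still opened and the operator gets verification silently disabled — the opposite of what the directive promises by defaulting to ON. Since this is a security control, a failure to apply it should fail closed, e.g. `if (apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result)) != APR_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r->server, "LDAP: Could not set server certificate verification: %s", result->reason); /* fail the open as the other setup errors in this function do */ }`. The exact error return and whether `result` is an initialised `apr_ldap_err_t *` here cannot be confirmed from the hunk, since uldap_connection_open begins and ends outside it.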
@@ -1684,6 +1686,24 @@ static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy, return(NULL); } +static const char *util_ldap_set_verify_srv_cert(cmd_parms *cmd, + void *dummy, + int mode) +{ + util_ldap_state_t *st = + (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, + &ldap_module); + + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, + "LDAP: SSL verify server certificate - %s", + mode?"TRUE":"FALSE"); + + st->verify_svr_cert = mode; + + return(NULL); +} + + static const char *util_ldap_set_connection_timeout(cmd_parms *cmd, void *dummy, const char *ttl) @@ -1732,6 +1752,7 @@ static void *util_ldap_create_config(apr_pool_t *p, server_rec *s) st->secure = APR_LDAP_NONE; st->secure_set = 0; st->connectionTimeout = 10; + st->verify_svr_cert = 1; return st; } @@ -2014,6 +2035,11 @@ command_rec util_ldap_cmds[] = { "Specify the type of security that should be applied to " "an LDAP connection. One of; NONE, SSL or STARTTLS."), + AP_INIT_FLAG("LDAPVerifyServerCert", util_ldap_set_verify_srv_cert, + NULL, RSRC_CONF, + "Set to 'ON' requires that the server certificate be verified " + "before a secure LDAP connection can be establish. Default 'ON'"), + AP_INIT_TAKE1("LDAPConnectionTimeout", util_ldap_set_connection_timeout, NULL, RSRC_CONF, "Specify the LDAP socket connection timeout in seconds "
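Review bot: In util_ldap_set_verify_srv_cert the only record that an administrator switched certificate verification off is an APLOG_DEBUG line, which is not emitted at the default LogLevel, so a configuration that downgrades the TLS trust check leaves no trace in a normal error log. Logging the OFF case at warning level makes the downgrade visible, e.g. `ap_log_error(APLOG_MARK, (mode ? APLOG_DEBUG : APLOG_WARNING)|APLOG_NOERRNO, 0, cmd->server, "LDAP: SSL verify server certificate - %s", mode?"TRUE":"FALSE");`. The new function also has no header comment; a one-liner such as `/* LDAPVerifyServerCert ON|OFF: record whether the LDAP server certificate must be verified when an SSL/TLS connection is opened (see uldap_connection_open) */` would help the next reader. Whether a server-config merge function elsewhere in the file also needs to carry verify_svr_cert cannot be seen from this hunk.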
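Review bot: The help text for the new LDAPVerifyServerCert directive has a grammar slip ("can be establish") and an awkward opening ("Set to 'ON' requires that"), and it is what `httpd -L` prints to administrators. Suggested wording: `"Set to 'ON' to require that the LDAP server certificate be verified before a secure LDAP connection can be established. Default 'ON'"`.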