rlm_ldap and TLS

Frank Cusack fcusack at fcusack.com
Wed Jan 3 05:50:12 CET 2007


Hi Kostas et al.

I'm writing support for OpenLDAP and StartTLS into my own application,
and have run into trouble, and was wondering how rlm_ldap is accomplishing
some things.

From rlm_ldap.c in CVS,

Line 2088, on what systems is ldap_int_tls_config() exposed?  This is
available in libldap (sloppy on OpenLDAP's part IMHO) but not in ldap.h.
I was just wondering if some systems might patch ldap.h to contain the
prototype for ldap_int_tls_config(), since it seems a mistake on OpenLDAP's
part to have it be an internal function.  Or is it the case that
building rlm_ldap against TLS requires source code for OpenLDAP to be
available somewhere?

Line 2099 and following, on what systems do the LDAP_OPT_X_TLS_* functions
(besides LDAP_OPT_X_TLS_REQUIRE_CERT, set via ldap_int_tls_config() above)
work using ldap_set_option()?  I can only get these to work with
ldap_int_tls_config() and from a brief OpenLDAP code inspection it seems
that is the only way they are available.  I.e., these options appear to
only be available by way of /etc/openldap/ldap.conf (i.e., LDAP_CONF_FILE)
when ldap_initialize() et al. are called.  Yuk.

Lastly, the options being set are OpenLDAP-specific, and do not seem
to be present in the Sun/Netscape API, so I am just assuming that these
are dependent on OpenLDAP and not some other libldap.

This is against openldap-2.3.31.  It may be the case that
ldap_int_tls_config() was exposed in some earlier version, and that
some of the LDAP_OPT_X_TLS_* functions were available via ldap_set_option().

But I'm thinking that maybe there are no users of StartTLS functionality
in rlm_ldap.

thanks
-frank
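Since the message above says the TLS_* settings reach libldap through ldap.conf (read when ldap_initialize() runs), the following is an added example, not part of Frank's post or of rlm_ldap, of what that file looks like in a weak and in a hardened form, plus a small POSIX shell checker for it. The host name, base DN and CA path are made-up values; the two config files are constructed inline. The one OpenLDAP fact it relies on is that TLS_REQCERT never/allow/try disable or weaken server certificate verification, while demand (the documented default when the keyword is absent) and hard require a verified certificate.

```shell
#!/bin/sh
# Added example (not from the original post or from rlm_ldap): a client-side
# ldap.conf pair and a checker for it. libldap reads TLS_* keywords from the
# system ldap.conf (LDAP_CONF_FILE), ~/.ldaprc and the file named by $LDAPCONF
# at ldap_initialize() time; a weak TLS_REQCERT there silently turns off
# server certificate checking for every client on the box.

# Weak config (constructed): verification disabled, MITM goes unnoticed.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
URI         ldaps://ldap.example.internal
BASE        dc=example,dc=internal
TLS_REQCERT never
EOF

# Hardened config (constructed): pinned CA bundle, verification mandatory.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
URI         ldap://ldap.example.internal
BASE        dc=example,dc=internal
TLS_CACERT  /etc/openldap/certs/internal-ca.pem
TLS_REQCERT demand
EOF
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

# Print the effective TLS_REQCERT level of a config file; keywords are
# case-insensitive and the last occurrence wins. Absent keyword => demand.
tls_reqcert() {
    v=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2) }' "$1" | tail -n 1)
    printf '%s\n' "${v:-demand}"
}

# Return 0 only if the file demands a verified server certificate AND names
# a trust anchor (TLS_CACERT or TLS_CACERTDIR); anything else returns 1.
check_ldap_conf() {
    case "$(tls_reqcert "$1")" in
        demand|hard) ;;
        *) return 1 ;;
    esac
    awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { f = 1 }
         END { exit !f }' "$1"
}

# Demonstration: the weak file fails the check, the hardened one passes.
for f in "$WEAK_CONF" "$GOOD_CONF"; do
    if check_ldap_conf "$f"; then
        echo "OK   TLS_REQCERT=$(tls_reqcert "$f")  $f"
    else
        echo "WEAK TLS_REQCERT=$(tls_reqcert "$f")  $f"
    fi
done
```

To try the hardened file against a real server without installing it system-wide, point libldap at it with `LDAPCONF="$GOOD_CONF" ldapsearch -ZZ -x -b dc=example,dc=internal` (the `-ZZ` flag makes ldapsearch abort if StartTLS does not succeed). The checker deliberately treats `allow` and `try` as weak too: both let the bind proceed when the server presents no certificate or a bad one.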


