1251876Speter/* Licensed to the Apache Software Foundation (ASF) under one or more 2251876Speter * contributor license agreements. See the NOTICE file distributed with 3251876Speter * this work for additional information regarding copyright ownership. 4251876Speter * The ASF licenses this file to You under the Apache License, Version 2.0 5251876Speter * (the "License"); you may not use this file except in compliance with 6251876Speter * the License. You may obtain a copy of the License at 7251876Speter * 8251876Speter * http://www.apache.org/licenses/LICENSE-2.0 9251876Speter * 10251876Speter * Unless required by applicable law or agreed to in writing, software 11251876Speter * distributed under the License is distributed on an "AS IS" BASIS, 12251876Speter * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13251876Speter * See the License for the specific language governing permissions and 14251876Speter * limitations under the License. 15251876Speter */ 16251876Speter 17251876Speter/* 18251876Speter * apr_ldap_init.c: LDAP v2/v3 common initialise 19251876Speter * 20251876Speter * Original code from auth_ldap module for Apache v1.3: 21251876Speter * Copyright 1998, 1999 Enbridge Pipelines Inc. 22251876Speter * Copyright 1999-2001 Dave Carrigan 23251876Speter */ 24251876Speter 25251876Speter#include "apr.h" 26251876Speter#include "apu.h" 27251876Speter#include "apu_config.h" 28251876Speter 29251876Speter#if APU_DSO_BUILD 30251876Speter#define APU_DSO_LDAP_BUILD 31251876Speter#endif 32251876Speter 33251876Speter#include "apr_ldap.h" 34251876Speter#include "apu_internal.h" 35251876Speter#include "apr_errno.h" 36251876Speter#include "apr_pools.h" 37251876Speter#include "apr_strings.h" 38251876Speter 39251876Speter#if APR_HAS_LDAP 40251876Speter 41251876Speter/** 42251876Speter * APR LDAP SSL Initialise function 43251876Speter * 44251876Speter * This function initialises SSL on the underlying LDAP toolkit 45251876Speter * if this is necessary. 46251876Speter * 47251876Speter * If a CA certificate is provided, this is set, however the setting 48251876Speter * of certificates via this method has been deprecated and will be removed in 49251876Speter * APR v2.0. 50251876Speter * 51251876Speter * The apr_ldap_set_option() function with the APR_LDAP_OPT_TLS_CERT option 52251876Speter * should be used instead to set certificates. 53251876Speter * 54251876Speter * If SSL support is not available on this platform, or a problem 55251876Speter * was encountered while trying to set the certificate, the function 56251876Speter * will return APR_EGENERAL. Further LDAP specific error information 57251876Speter * can be found in result_err. 58251876Speter */ 59251876SpeterAPU_DECLARE_LDAP(int) apr_ldap_ssl_init(apr_pool_t *pool, 60251876Speter const char *cert_auth_file, 61251876Speter int cert_file_type, 62251876Speter apr_ldap_err_t **result_err) 63251876Speter{ 64251876Speter 65251876Speter apr_ldap_err_t *result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t)); 66251876Speter *result_err = result; 67251876Speter 68251876Speter#if APR_HAS_LDAP_SSL /* compiled with ssl support */ 69251876Speter 70251876Speter /* Novell */ 71251876Speter#if APR_HAS_NOVELL_LDAPSDK 72251876Speter ldapssl_client_init(NULL, NULL); 73251876Speter#endif 74251876Speter 75251876Speter /* if a certificate was specified, set it */ 76251876Speter if (cert_auth_file) { 77251876Speter apr_ldap_opt_tls_cert_t *cert = (apr_ldap_opt_tls_cert_t *)apr_pcalloc(pool, sizeof(apr_ldap_opt_tls_cert_t)); 78251876Speter cert->type = cert_file_type; 79251876Speter cert->path = cert_auth_file; 80251876Speter return apr_ldap_set_option(pool, NULL, APR_LDAP_OPT_TLS_CERT, (void *)cert, result_err); 81251876Speter } 82251876Speter 83251876Speter#else /* not compiled with SSL Support */ 84251876Speter if (cert_auth_file) { 85251876Speter result->reason = "LDAP: Attempt to set certificate store failed. " 86251876Speter "Not built with SSL support"; 87251876Speter result->rc = -1; 88251876Speter } 89251876Speter#endif /* APR_HAS_LDAP_SSL */ 90251876Speter 91251876Speter if (result->rc != -1) { 92251876Speter result->msg = ldap_err2string(result->rc); 93251876Speter } 94251876Speter 95251876Speter if (LDAP_SUCCESS != result->rc) { 96251876Speter return APR_EGENERAL; 97251876Speter } 98251876Speter 99251876Speter return APR_SUCCESS; 100251876Speter 101251876Speter} 102251876Speter 103251876Speter 104251876Speter/** 105251876Speter * APR LDAP SSL De-Initialise function 106251876Speter * 107251876Speter * This function tears down any SSL certificate setup previously 108251876Speter * set using apr_ldap_ssl_init(). It should be called to clean 109251876Speter * up if a graceful restart of a service is attempted. 110251876Speter * 111251876Speter * This function only does anything on Netware. 112251876Speter * 113251876Speter * @todo currently we do not check whether apr_ldap_ssl_init() 114251876Speter * has been called first - should we? 115251876Speter */ 116251876SpeterAPU_DECLARE_LDAP(int) apr_ldap_ssl_deinit(void) 117251876Speter{ 118251876Speter 119251876Speter#if APR_HAS_LDAP_SSL && APR_HAS_LDAPSSL_CLIENT_DEINIT 120251876Speter ldapssl_client_deinit(); 121251876Speter#endif 122251876Speter return APR_SUCCESS; 123251876Speter 124251876Speter} 125251876Speter 126251876Speter 127251876Speter/** 128251876Speter * APR LDAP initialise function 129251876Speter * 130251876Speter * This function is responsible for initialising an LDAP 131251876Speter * connection in a toolkit independant way. It does the 132251876Speter * job of ldap_init() from the C api. 133251876Speter * 134251876Speter * It handles both the SSL and non-SSL case, and attempts 135251876Speter * to hide the complexity setup from the user. This function 136251876Speter * assumes that any certificate setup necessary has already 137251876Speter * been done. 138251876Speter * 139251876Speter * If SSL or STARTTLS needs to be enabled, and the underlying 140251876Speter * toolkit supports it, the following values are accepted for 141251876Speter * secure: 142251876Speter * 143251876Speter * APR_LDAP_NONE: No encryption 144251876Speter * APR_LDAP_SSL: SSL encryption (ldaps://) 145251876Speter * APR_LDAP_STARTTLS: Force STARTTLS on ldap:// 146251876Speter */ 147251876SpeterAPU_DECLARE_LDAP(int) apr_ldap_init(apr_pool_t *pool, 148251876Speter LDAP **ldap, 149251876Speter const char *hostname, 150251876Speter int portno, 151251876Speter int secure, 152251876Speter apr_ldap_err_t **result_err) 153251876Speter{ 154251876Speter 155251876Speter apr_ldap_err_t *result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t)); 156251876Speter *result_err = result; 157251876Speter 158251876Speter#if APR_HAS_LDAPSSL_INIT 159251876Speter#if APR_HAS_SOLARIS_LDAPSDK 160251876Speter /* 161251876Speter * Using the secure argument should aways be possible. But as LDAP SDKs 162251876Speter * tend to have different quirks and bugs, this needs to be tested for 163251876Speter * for each of them, first. For Solaris LDAP it works, and the method 164251876Speter * with ldap_set_option doesn't. 165251876Speter */ 166251876Speter *ldap = ldapssl_init(hostname, portno, secure == APR_LDAP_SSL); 167251876Speter#else 168251876Speter *ldap = ldapssl_init(hostname, portno, 0); 169251876Speter#endif 170251876Speter#elif APR_HAS_LDAP_SSLINIT 171251876Speter *ldap = ldap_sslinit((char *)hostname, portno, 0); 172251876Speter#else 173251876Speter *ldap = ldap_init((char *)hostname, portno); 174251876Speter#endif 175251876Speter 176251876Speter if (*ldap != NULL) { 177251876Speter#if APR_HAS_SOLARIS_LDAPSDK 178251876Speter if (secure == APR_LDAP_SSL) 179251876Speter return APR_SUCCESS; 180251876Speter else 181251876Speter#endif 182251876Speter return apr_ldap_set_option(pool, *ldap, APR_LDAP_OPT_TLS, &secure, result_err); 183251876Speter } 184251876Speter else { 185251876Speter /* handle the error case */ 186251876Speter apr_ldap_err_t *result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t)); 187251876Speter *result_err = result; 188251876Speter 189251876Speter result->reason = "APR LDAP: Unable to initialize the LDAP connection"; 190251876Speter result->rc = -1; 191251876Speter return APR_EGENERAL; 192251876Speter } 193251876Speter 194251876Speter} 195251876Speter 196251876Speter 197251876Speter/** 198251876Speter * APR LDAP info function 199251876Speter * 200251876Speter * This function returns a string describing the LDAP toolkit 201251876Speter * currently in use. The string is placed inside result_err->reason. 202251876Speter */ 203251876SpeterAPU_DECLARE_LDAP(int) apr_ldap_info(apr_pool_t *pool, 204251876Speter apr_ldap_err_t **result_err) 205251876Speter{ 206251876Speter apr_ldap_err_t *result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t)); 207251876Speter *result_err = result; 208251876Speter 209251876Speter result->reason = "APR LDAP: Built with " 210251876Speter LDAP_VENDOR_NAME 211251876Speter " LDAP SDK"; 212251876Speter return APR_SUCCESS; 213251876Speter 214251876Speter} 215251876Speter 216251876Speter#if APU_DSO_BUILD 217251876Speter 218251876Speter/* For DSO builds, export the table of entry points into the apr_ldap DSO 219251876Speter * See include/private/apu_internal.h for the corresponding declarations 220251876Speter */ 221251876SpeterAPU_MODULE_DECLARE_DATA struct apr__ldap_dso_fntable apr__ldap_fns = { 222251876Speter apr_ldap_info, 223251876Speter apr_ldap_init, 224251876Speter apr_ldap_ssl_init, 225251876Speter apr_ldap_ssl_deinit, 226251876Speter apr_ldap_get_option, 227251876Speter apr_ldap_set_option, 228251876Speter apr_ldap_rebind_init, 229251876Speter apr_ldap_rebind_add, 230251876Speter apr_ldap_rebind_remove 231251876Speter}; 232251876Speter 233251876Speter#endif /* APU_DSO_BUILD */ 234251876Speter 235251876Speter#endif /* APR_HAS_LDAP */ 236