[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
From: Qiang Xu <qixu@lexmark.com>
Date: Wed, 29 Feb 2012 16:14:51 -0500
Authentication-results: mr.google.com; spf=pass (google.com: domain of qixu@lexmark.com designates 10.152.146.163 as permitted sender) smtp.mail=qixu@lexmark.com
Cc: openldap-technical@openldap.org
In-reply-to: <18e5535664892ae312cb238e939ecd04@ulrik.uio.no>
References: <CAACU1m6fL_OEtxG_E9cQHrDeC-KODyFx5fzYK5xgMwKOksg+DQ@mail.gmail.com> <685850f8742b2ba966929d7cfd748ffc@ulrik.uio.no> <CAACU1m4CRHKUgcTDqRMASbSkR+oEeUevnZ-ZBUa2-n4UtZ0YFQ@mail.gmail.com> <18e5535664892ae312cb238e939ecd04@ulrik.uio.no>

Guess what? Just picked up a pearl in the sea of internet: http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57688.html

Basically, it seems to be a feature introduced since the beginning of openldap 2.4 version. We need to set LDAP_OPT_X_TLS_REQUIRE_CERT on an ldap handle (already initialized), and set LDAP_OPT_X_TLS_NEWCTX (with a value 0) thereafter:

        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &require_cert);
        assert(rc == LDAP_OPT_SUCCESS);

        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &am_server); // am_server is 1, only if the code is compiled for server
        assert(rc == LDAP_OPT_SUCCESS);

Now the option works as per connection, rather than as per process.

Cheers,
Qiang

References:
- LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
  - From: Qiang Xu <qixu@lexmark.com>
- Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
  - From: Qiang Xu <qixu@lexmark.com>
- Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: ssh group membership access
Index(es):
- Chronological
- Thread