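/**
 * APR LDAP initialise function
 *
 * This function is responsible for initialising an LDAP
 * connection in a toolkit independent way. It does the
 * job of ldap_init() from the C api.
 *
 * It handles both the SSL and non-SSL case, and attempts
 * to hide the complexity setup from the user. This function
 * assumes that any certificate setup necessary has already
 * been done (apr_ldap_ssl_init() / APR_LDAP_OPT_TLS_CERT).
 *
 * If SSL or STARTTLS needs to be enabled, and the underlying
 * toolkit supports it, the following values are accepted for
 * secure:
 *
 * APR_LDAP_NONE: No encryption
 * APR_LDAP_SSL: SSL encryption (ldaps://)
 * APR_LDAP_STARTTLS: Force STARTTLS on ldap://
 *
 * @param pool       Pool the error record is allocated from.
 * @param ldap       Receives the new toolkit handle, or NULL on failure.
 * @param hostname   Host (toolkit-specific host string) to connect to.
 * @param portno     TCP port.
 * @param secure     APR_LDAP_NONE, APR_LDAP_SSL or APR_LDAP_STARTTLS.
 * @param result_err Always set to a freshly allocated apr_ldap_err_t; on a
 *                   handle-creation failure reason/rc describe the problem,
 *                   otherwise it is whatever apr_ldap_set_option() reports.
 * @return APR_EGENERAL when the toolkit would not create a handle, else
 *         the return value of apr_ldap_set_option(APR_LDAP_OPT_TLS).
 *
 * Security note: on every toolkit the handle is created here WITHOUT
 * SSL (the ssl flag of the *ssl* initialisers is passed as 0); the
 * requested mode is only applied afterwards via APR_LDAP_OPT_TLS. A caller
 * that asked for APR_LDAP_SSL/APR_LDAP_STARTTLS and gets a return value
 * other than APR_SUCCESS holds a plaintext handle and must not bind or
 * send credentials over it.
 */
APU_DECLARE_LDAP(int) apr_ldap_init(apr_pool_t *pool,
                                    LDAP **ldap,
                                    const char *hostname,
                                    int portno,
                                    int secure,
                                    apr_ldap_err_t **result_err)
{
    apr_ldap_err_t *result = apr_pcalloc(pool, sizeof(*result));

    *result_err = result;

    /* Third argument of the *ssl* initialisers is "use SSL immediately";
     * it is deliberately 0 so that all toolkits take the same
     * APR_LDAP_OPT_TLS path below. */
#if APR_HAS_LDAPSSL_INIT
    *ldap = ldapssl_init(hostname, portno, 0);
#elif APR_HAS_LDAP_SSLINIT
    *ldap = ldap_sslinit((char *)hostname, portno, 0);
#else
    *ldap = ldap_init((char *)hostname, portno);
#endif

    if (*ldap == NULL) {
        /* Reuse the record allocated above; the original code allocated a
         * second apr_ldap_err_t here and shadowed the first one. */
        result->reason = "APR LDAP: Unable to initialize the LDAP connection";
        result->rc = -1;
        return APR_EGENERAL;
    }

    /* Apply the requested (non-)encryption mode; the option call reports
     * through result_err as well. */
    return apr_ldap_set_option(pool, *ldap, APR_LDAP_OPT_TLS, &secure, result_err);
}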
파일: testldap.c 프로젝트: 0jpq0/kbengine
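/* Return non-zero when name ends with ext (e.g. ".der"); a plain suffix
 * test, unlike strstr(), which would also match "foo.der.bak". */
static int ldap_cert_has_ext(const char *name, const char *ext)
{
    size_t name_len = strlen(name);
    size_t ext_len = strlen(ext);

    return name_len >= ext_len
        && strcmp(name + (name_len - ext_len), ext) == 0;
}

/*
 * Register every CA certificate found in DIRNAME with the LDAP toolkit
 * through APR_LDAP_OPT_TLS_CERT, so later TLS tests can verify the server.
 *
 * Files are chosen by extension only: "*.der" is registered as
 * APR_LDAP_CA_TYPE_DER and "*.b64" as APR_LDAP_CA_TYPE_BASE64. The original
 * used strstr(), so "x.der.bak" was loaded as DER and "x.b64.der" was
 * registered twice with two different types; a real suffix check is used now.
 *
 * @param tc  abts test case that receives one ABTS_TRUE() result per file.
 * @return    Always 0; a directory that cannot be opened is skipped silently.
 */
static int add_ldap_certs(abts_case *tc)
{
    apr_status_t status;
    apr_dir_t *thedir;
    apr_finfo_t dirent;

    status = apr_dir_open(&thedir, DIRNAME, p);
    if (status != APR_SUCCESS) {
        return 0;
    }

    for (;;) {
        apr_ldap_err_t *result = NULL;
        apr_ldap_opt_tls_cert_t *cert;
        int type;

        status = apr_dir_read(&dirent, APR_FINFO_MIN | APR_FINFO_NAME, thedir);
        if (APR_STATUS_IS_INCOMPLETE(status)) {
            continue; /* ignore un-stat()able files */
        }
        if (status != APR_SUCCESS) {
            break; /* any other status, including end of directory */
        }

        if (ldap_cert_has_ext(dirent.name, ".der")) {
            type = APR_LDAP_CA_TYPE_DER;
        }
        else if (ldap_cert_has_ext(dirent.name, ".b64")) {
            type = APR_LDAP_CA_TYPE_BASE64;
        }
        else {
            continue;
        }

        /* One descriptor per file (the original reused a single one), in
         * case the toolkit keeps the pointer rather than copying it. */
        cert = apr_pcalloc(p, sizeof(*cert));
        cert->type = type;
        cert->path = apr_pstrcat(p, DIRNAME, "/", dirent.name, NULL);
        apr_ldap_set_option(p, NULL, APR_LDAP_OPT_TLS_CERT, cert, &result);

        /* apr_ldap_set_option() is expected to fill in result; guard so a
         * NULL turns into a failed assertion instead of a crash. */
        ABTS_TRUE(tc, result != NULL && result->rc == LDAP_SUCCESS);
    }

    apr_dir_close(thedir);
    return 0;
}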
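/**
 * APR LDAP initialise function
 *
 * This function is responsible for initialising an LDAP
 * connection in a toolkit independent way. It does the
 * job of ldap_init() from the C api.
 *
 * It handles both the SSL and non-SSL case, and attempts
 * to hide the complexity setup from the user. This function
 * assumes that any certificate setup necessary has already
 * been done.
 *
 * If SSL or STARTTLS needs to be enabled, and the underlying
 * toolkit supports it, the following values are accepted for
 * secure:
 *
 * APR_LDAP_NONE: No encryption
 * APR_LDAP_SSL: SSL encryption (ldaps://)
 * APR_LDAP_STARTTLS: Force STARTTLS on ldap://
 *
 * @param pool       Pool the error record is allocated from.
 * @param ldap       Receives the new toolkit handle, or NULL on failure.
 * @param hostname   Host (toolkit-specific host string) to connect to.
 * @param portno     TCP port.
 * @param secure     APR_LDAP_NONE, APR_LDAP_SSL or APR_LDAP_STARTTLS.
 * @param result_err Always set to a freshly allocated apr_ldap_err_t; on a
 *                   handle-creation failure reason/rc describe the problem,
 *                   otherwise it is whatever apr_ldap_set_option() reports.
 * @return APR_EGENERAL when the toolkit would not create a handle;
 *         APR_SUCCESS on the Solaris SDK when SSL was requested (it is
 *         turned on in ldapssl_init() itself); otherwise the return value
 *         of apr_ldap_set_option(APR_LDAP_OPT_TLS).
 *
 * Security note: except for the Solaris SDK + APR_LDAP_SSL case the handle
 * is created without encryption and the requested mode is applied
 * afterwards. A caller that asked for SSL/STARTTLS and receives anything
 * other than APR_SUCCESS holds a plaintext handle and must not bind over it.
 */
APU_DECLARE_LDAP(int) apr_ldap_init(apr_pool_t *pool,
                                    LDAP **ldap,
                                    const char *hostname,
                                    int portno,
                                    int secure,
                                    apr_ldap_err_t **result_err)
{
    apr_ldap_err_t *result = apr_pcalloc(pool, sizeof(*result));

    *result_err = result;

#if APR_HAS_LDAPSSL_INIT
#if APR_HAS_SOLARIS_LDAPSDK
    /*
     * Using the secure argument should always be possible.  But as LDAP SDKs
     * tend to have different quirks and bugs, this needs to be tested
     * for each of them, first. For Solaris LDAP it works, and the method
     * with ldap_set_option doesn't.
     */
    *ldap = ldapssl_init(hostname, portno, secure == APR_LDAP_SSL);
#else
    *ldap = ldapssl_init(hostname, portno, 0);
#endif
#elif APR_HAS_LDAP_SSLINIT
    *ldap = ldap_sslinit((char *)hostname, portno, 0);
#else
    *ldap = ldap_init((char *)hostname, portno);
#endif

    if (*ldap == NULL) {
        /* Reuse the record allocated above; the original code allocated a
         * second apr_ldap_err_t here and shadowed the first one. */
        result->reason = "APR LDAP: Unable to initialize the LDAP connection";
        result->rc = -1;
        return APR_EGENERAL;
    }

#if APR_HAS_SOLARIS_LDAPSDK
    /* SSL was already requested in ldapssl_init() above, so the option path
     * is skipped. STARTTLS and APR_LDAP_NONE still go through it.
     * NOTE(review): this early return is not guarded by APR_HAS_LDAPSSL_INIT
     * like the ldapssl_init() call is; it assumes the Solaris SDK always
     * provides ldapssl_init(), otherwise APR_SUCCESS would be reported for
     * a handle that never had SSL enabled. Braces replace the original
     * brace-less if/else that straddled the #endif. */
    if (secure == APR_LDAP_SSL) {
        return APR_SUCCESS;
    }
#endif

    return apr_ldap_set_option(pool, *ldap, APR_LDAP_OPT_TLS, &secure, result_err);
}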
/**
 * APR LDAP SSL Initialise function
 *
 * Initialises SSL support on the underlying LDAP toolkit where that
 * toolkit needs an explicit step (here: the Novell SDK client init).
 *
 * If a CA certificate is provided it is installed through
 * apr_ldap_set_option(APR_LDAP_OPT_TLS_CERT). Passing certificates to this
 * function is deprecated and will be removed in APR v2.0; callers should
 * use apr_ldap_set_option() with APR_LDAP_OPT_TLS_CERT directly.
 *
 * @param pool           Pool for the error record and certificate descriptor.
 * @param cert_auth_file Path of the CA certificate, or NULL for none.
 * @param cert_file_type APR_LDAP_CA_TYPE_* value describing cert_auth_file.
 * @param result_err     Always receives an error record.
 * @return APR_SUCCESS, or APR_EGENERAL when a certificate was requested but
 *         SSL support is not compiled in, or when installing it failed.
 *         LDAP-specific detail is left in *result_err.
 *
 * Note that without SSL support and without a certificate the call still
 * returns APR_SUCCESS; it says nothing about whether TLS can be enabled
 * later, so callers must also check the APR_LDAP_OPT_TLS result.
 */
APU_DECLARE_LDAP(int) apr_ldap_ssl_init(apr_pool_t *pool,
                                        const char *cert_auth_file,
                                        int cert_file_type,
                                        apr_ldap_err_t **result_err)
{
    apr_ldap_err_t *err = apr_pcalloc(pool, sizeof(*err));

    *result_err = err;

#if APR_HAS_LDAP_SSL /* compiled with ssl support */

#if APR_HAS_NOVELL_LDAPSDK
    /* NOTE(review): the return value of the Novell client init is discarded
     * (as in the original); if that call can fail, it is not reported here. */
    ldapssl_client_init(NULL, NULL);
#endif

    if (cert_auth_file != NULL) {
        apr_ldap_opt_tls_cert_t *cert = apr_pcalloc(pool, sizeof(*cert));

        cert->type = cert_file_type;
        cert->path = cert_auth_file;
        /* The option call fills in *result_err and decides the status. */
        return apr_ldap_set_option(pool, NULL, APR_LDAP_OPT_TLS_CERT,
                                   cert, result_err);
    }

#else  /* not compiled with SSL Support */

    if (cert_auth_file != NULL) {
        err->reason = "LDAP: Attempt to set certificate store failed. "
                      "Not built with SSL support";
        err->rc = -1;
    }

#endif /* APR_HAS_LDAP_SSL */

    /* rc == -1 is the local "no toolkit error code" marker and gets no
     * message; anything else is an LDAP result code ldap_err2string()
     * can describe (0 from the zeroed record means success). */
    if (err->rc == -1) {
        return APR_EGENERAL;
    }

    err->msg = ldap_err2string(err->rc);
    return (err->rc == LDAP_SUCCESS) ? APR_SUCCESS : APR_EGENERAL;
}
파일: ldap.c 프로젝트: LuaDist/lua-apr
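/*
 * ldap:set_option(name, value) -> true
 *
 * Converts the Lua value at stack index 3 into the C representation the
 * option named at index 2 expects and hands it to apr_ldap_set_option().
 *
 * Conversion by option type (from ldap_option_type()):
 *   LUA_APR_LDAP_TB  boolean -> LDAP_OPT_ON / LDAP_OPT_OFF
 *   LUA_APR_LDAP_TI  integer -> pointer to an int
 *   LUA_APR_LDAP_TT  number  -> struct timeval via number_to_time()
 *   LUA_APR_LDAP_TS  string  -> C string, NULL when absent/nil
 *
 * Returns true on success; on failure push_ldap_error() reports the APR
 * status together with the toolkit's error record. An option type outside
 * the four above raises a Lua error (the original only had assert(0) there,
 * which under NDEBUG let an uninitialized pointer reach the toolkit).
 */
static int lua_apr_ldap_option_set(lua_State *L)
{
  lua_apr_ldap_object *object;
  apr_ldap_err_t *error = NULL;
  struct timeval tv;       /* was `time`, which shadowed time(3) */
  apr_status_t status;
  int optidx, type, intval;
  void *value = NULL;

  object = check_ldap_connection(L, 1);
  optidx = check_ldap_option(L, 2);

  /* Convert the Lua value to an LDAP C API value. */
  type = ldap_option_type(optidx);
  if (type == LUA_APR_LDAP_TB) {
    /* Boolean. */
    value = lua_toboolean(L, 3) ? LDAP_OPT_ON : LDAP_OPT_OFF;
  } else if (type == LUA_APR_LDAP_TI) {
    /* Integer. NOTE(review): points at a stack local, so this assumes
     * apr_ldap_set_option() copies the int rather than keeping the pointer. */
    intval = luaL_checkint(L, 3);
    value = &intval;
  } else if (type == LUA_APR_LDAP_TT) {
    /* Time (fractional number of seconds). */
    luaL_checktype(L, 3, LUA_TNUMBER);
    value = number_to_time(L, 3, &tv);
  } else if (type == LUA_APR_LDAP_TS) {
    /* String; nil or a missing argument becomes NULL. */
    value = (void*)luaL_optstring(L, 3, NULL);
  } else {
    /* Unreachable for a consistent option table; fail loudly in every
     * build instead of passing garbage to the toolkit. */
    assert(0);
    return luaL_error(L, "unsupported LDAP option type");
  }

  /* Set the option value. */
  status = apr_ldap_set_option(object->pool, object->ldap,
      ldap_option_value(optidx), value, &error);
  if (status != APR_SUCCESS)
    return push_ldap_error(L, status, error);

  lua_pushboolean(L, 1);
  return 1;
}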