255 lines
8.4 KiB
C
255 lines
8.4 KiB
C
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/**
|
|
* @file apr_ldap_option.h
|
|
* @brief APR-UTIL LDAP ldap_*_option() functions
|
|
*/
|
|
#ifndef APR_LDAP_OPTION_H
|
|
#define APR_LDAP_OPTION_H
|
|
|
|
/**
|
|
* @addtogroup APR_Util_LDAP
|
|
* @{
|
|
*/
|
|
|
|
#include "apr_ldap.h"
|
|
|
|
#if APR_HAS_LDAP
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif /* __cplusplus */
|
|
|
|
/*
|
|
* The following defines handle the different TLS certificate
|
|
* options available. If these options are missing, APR will try and
|
|
* emulate support for this using the deprecated ldap_start_tls_s()
|
|
* function.
|
|
*/
|
|
/**
|
|
* Set SSL mode to one of APR_LDAP_NONE, APR_LDAP_SSL, APR_LDAP_STARTTLS
|
|
* or APR_LDAP_STOPTLS.
|
|
*/
|
|
#define APR_LDAP_OPT_TLS 0x6fff
|
|
/**
|
|
* Set zero or more CA certificates, client certificates or private
|
|
* keys globally, or per connection (where supported).
|
|
*/
|
|
#define APR_LDAP_OPT_TLS_CERT 0x6ffe
|
|
/**
|
|
* Set the LDAP library to no verify the server certificate. This means
|
|
* all servers are considered trusted.
|
|
*/
|
|
#define APR_LDAP_OPT_VERIFY_CERT 0x6ffd
|
|
/**
|
|
* Set the LDAP library to indicate if referrals should be chased during
|
|
* LDAP searches.
|
|
*/
|
|
#define APR_LDAP_OPT_REFERRALS 0x6ffc
|
|
/**
|
|
* Set the LDAP library to indicate a maximum number of referral hops to
|
|
* chase before giving up on the search.
|
|
*/
|
|
#define APR_LDAP_OPT_REFHOPLIMIT 0x6ffb
|
|
|
|
/**
|
|
* Structures for the apr_set_option() cases
|
|
*/
|
|
|
|
/**
|
|
* APR_LDAP_OPT_TLS_CERT
|
|
*
|
|
* This structure includes possible options to set certificates on
|
|
* system initialisation. Different SDKs have different certificate
|
|
* requirements, and to achieve this multiple certificates must be
|
|
* specified at once passed as an (apr_array_header_t *).
|
|
*
|
|
* Netscape:
|
|
* Needs the CA cert database (cert7.db), the client cert database (key3.db)
|
|
* and the security module file (secmod.db) set at the system initialisation
|
|
* time. Three types are supported: APR_LDAP_CERT7_DB, APR_LDAP_KEY3_DB and
|
|
* APR_LDAP_SECMOD.
|
|
*
|
|
* To specify a client cert connection, a certificate nickname needs to be
|
|
* provided with a type of APR_LDAP_CERT.
|
|
* int ldapssl_enable_clientauth( LDAP *ld, char *keynickname,
|
|
* char *keypasswd, char *certnickname );
|
|
* keynickname is currently not used, and should be set to ""
|
|
*
|
|
* Novell:
|
|
* Needs CA certificates and client certificates set at system initialisation
|
|
* time. Three types are supported: APR_LDAP_CA*, APR_LDAP_CERT* and
|
|
* APR_LDAP_KEY*.
|
|
*
|
|
* Certificates cannot be specified per connection.
|
|
*
|
|
* The functions used are:
|
|
* ldapssl_add_trusted_cert(serverTrustedRoot, serverTrustedRootEncoding);
|
|
* Clients certs and keys are set at system initialisation time with
|
|
* int ldapssl_set_client_cert (
|
|
* void *cert,
|
|
* int type
|
|
* void *password);
|
|
* type can be LDAPSSL_CERT_FILETYPE_B64 or LDAPSSL_CERT_FILETYPE_DER
|
|
* ldapssl_set_client_private_key(clientPrivateKey,
|
|
* clientPrivateKeyEncoding,
|
|
* clientPrivateKeyPassword);
|
|
*
|
|
* OpenSSL:
|
|
* Needs one or more CA certificates to be set at system initialisation time
|
|
* with a type of APR_LDAP_CA*.
|
|
*
|
|
* May have one or more client certificates set per connection with a type of
|
|
* APR_LDAP_CERT*, and keys with APR_LDAP_KEY*.
|
|
*/
|
|
/** CA certificate type unknown */
|
|
#define APR_LDAP_CA_TYPE_UNKNOWN 0
|
|
/** binary DER encoded CA certificate */
|
|
#define APR_LDAP_CA_TYPE_DER 1
|
|
/** PEM encoded CA certificate */
|
|
#define APR_LDAP_CA_TYPE_BASE64 2
|
|
/** Netscape/Mozilla cert7.db CA certificate database */
|
|
#define APR_LDAP_CA_TYPE_CERT7_DB 3
|
|
/** Netscape/Mozilla secmod file */
|
|
#define APR_LDAP_CA_TYPE_SECMOD 4
|
|
/** Client certificate type unknown */
|
|
#define APR_LDAP_CERT_TYPE_UNKNOWN 5
|
|
/** binary DER encoded client certificate */
|
|
#define APR_LDAP_CERT_TYPE_DER 6
|
|
/** PEM encoded client certificate */
|
|
#define APR_LDAP_CERT_TYPE_BASE64 7
|
|
/** Netscape/Mozilla key3.db client certificate database */
|
|
#define APR_LDAP_CERT_TYPE_KEY3_DB 8
|
|
/** Netscape/Mozilla client certificate nickname */
|
|
#define APR_LDAP_CERT_TYPE_NICKNAME 9
|
|
/** Private key type unknown */
|
|
#define APR_LDAP_KEY_TYPE_UNKNOWN 10
|
|
/** binary DER encoded private key */
|
|
#define APR_LDAP_KEY_TYPE_DER 11
|
|
/** PEM encoded private key */
|
|
#define APR_LDAP_KEY_TYPE_BASE64 12
|
|
/** PKCS#12 encoded client certificate */
|
|
#define APR_LDAP_CERT_TYPE_PFX 13
|
|
/** PKCS#12 encoded private key */
|
|
#define APR_LDAP_KEY_TYPE_PFX 14
|
|
/** Openldap directory full of base64-encoded cert
|
|
* authorities with hashes in corresponding .0 directory
|
|
*/
|
|
#define APR_LDAP_CA_TYPE_CACERTDIR_BASE64 15
|
|
|
|
|
|
/**
|
|
* Certificate structure.
|
|
*
|
|
* This structure is used to store certificate details. An array of
|
|
* these structures is passed to apr_ldap_set_option() to set CA
|
|
* and client certificates.
|
|
* @param type Type of certificate APR_LDAP_*_TYPE_*
|
|
* @param path Path, file or nickname of the certificate
|
|
* @param password Optional password, can be NULL
|
|
*/
|
|
typedef struct apr_ldap_opt_tls_cert_t apr_ldap_opt_tls_cert_t;
|
|
struct apr_ldap_opt_tls_cert_t {
|
|
int type;
|
|
const char *path;
|
|
const char *password;
|
|
};
|
|
|
|
/**
|
|
* APR_LDAP_OPT_TLS
|
|
*
|
|
* This sets the SSL level on the LDAP handle.
|
|
*
|
|
* Netscape/Mozilla:
|
|
* Supports SSL, but not STARTTLS
|
|
* SSL is enabled by calling ldapssl_install_routines().
|
|
*
|
|
* Novell:
|
|
* Supports SSL and STARTTLS.
|
|
* SSL is enabled by calling ldapssl_install_routines(). Note that calling
|
|
* other ldap functions before ldapssl_install_routines() may cause this
|
|
* function to fail.
|
|
* STARTTLS is enabled by calling ldapssl_start_tls_s() after calling
|
|
* ldapssl_install_routines() (check this).
|
|
*
|
|
* OpenLDAP:
|
|
* Supports SSL and supports STARTTLS, but none of this is documented:
|
|
* http://www.openldap.org/lists/openldap-software/200409/msg00618.html
|
|
* Documentation for both SSL support and STARTTLS has been deleted from
|
|
* the OpenLDAP documentation and website.
|
|
*/
|
|
|
|
/** No encryption */
|
|
#define APR_LDAP_NONE 0
|
|
/** SSL encryption (ldaps://) */
|
|
#define APR_LDAP_SSL 1
|
|
/** TLS encryption (STARTTLS) */
|
|
#define APR_LDAP_STARTTLS 2
|
|
/** end TLS encryption (STOPTLS) */
|
|
#define APR_LDAP_STOPTLS 3
|
|
|
|
/**
|
|
* APR LDAP get option function
|
|
*
|
|
* This function gets option values from a given LDAP session if
|
|
* one was specified. It maps to the native ldap_get_option() function.
|
|
* @param pool The pool to use
|
|
* @param ldap The LDAP handle
|
|
* @param option The LDAP_OPT_* option to return
|
|
* @param outvalue The value returned (if any)
|
|
* @param result_err The apr_ldap_err_t structure contained detailed results
|
|
* of the operation.
|
|
*/
|
|
APU_DECLARE_LDAP(int) apr_ldap_get_option(apr_pool_t *pool,
|
|
LDAP *ldap,
|
|
int option,
|
|
void *outvalue,
|
|
apr_ldap_err_t **result_err);
|
|
|
|
/**
|
|
* APR LDAP set option function
|
|
*
|
|
* This function sets option values to a given LDAP session if
|
|
* one was specified. It maps to the native ldap_set_option() function.
|
|
*
|
|
* Where an option is not supported by an LDAP toolkit, this function
|
|
* will try and apply legacy functions to achieve the same effect,
|
|
* depending on the platform.
|
|
* @param pool The pool to use
|
|
* @param ldap The LDAP handle
|
|
* @param option The LDAP_OPT_* option to set
|
|
* @param invalue The value to set
|
|
* @param result_err The apr_ldap_err_t structure contained detailed results
|
|
* of the operation.
|
|
*/
|
|
APU_DECLARE_LDAP(int) apr_ldap_set_option(apr_pool_t *pool,
|
|
LDAP *ldap,
|
|
int option,
|
|
const void *invalue,
|
|
apr_ldap_err_t **result_err);
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif /* APR_HAS_LDAP */
|
|
|
|
/** @} */
|
|
|
|
#endif /* APR_LDAP_OPTION_H */
|
|
|