The way I read this, it seems to imply that if acl-bind is not set, the identity specified by idassert-bind will be used -- which is clearly not happening here. Am I misreading this, or do you think the wording should be changed here?
As far as I remember, the above is (or was) true in some cases (which I do not remember); in any case, the above statement is in contradiction with Howard's statement. Either the behavior stated above should be generalized (if desirable, in order to avoid the need to configure things twice when the same identity is going to be used), or the two should be decoupled everywhere in the code.
The current code in ldap_back_prepare_conn:
#ifdef HAVE_TLS
    if ( LDAP_BACK_CONN_ISPRIV( lc ) ) {
        sb = &li->li_acl;

    } else if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
        sb = &li->li_idassert.si_bc;

    } else {
        sb = &li->li_tls;
    }

    if ( sb->sb_tls_do_init ) {
        bindconf_tls_set( sb, ld );

    } else if ( sb->sb_tls_ctx ) {
        ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
    }

    /* if required by the bindconf configuration, force TLS */
    if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) && sb->sb_tls_ctx ) {
        flags |= LDAP_BACK_F_USE_TLS;
    }
<<<<
It seems the initial if/else belongs outside the #ifdef, first of all. Not sure how to handle the fallback to li->li_tls.
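As an added illustration (not OpenLDAP code, and not part of the thread), the following stand-alone C model reproduces the selection logic quoted above with the bindconf choice split out of the TLS-dependent step, which is the restructuring the message suggests. The structs, the flag values and every name with an x_ prefix are assumptions of this model only; in particular, the behaviour modelled for bindconf_tls_set (build the context, store it in the bindconf, clear the do_init flag) is an assumption, not a reading of slapd's code.

```c
/* Added example, not OpenLDAP code: a stand-alone model of the bindconf
 * selection quoted from ldap_back_prepare_conn, with the selection split
 * out of the HAVE_TLS region.  All struct, flag and x_-prefixed names are
 * assumptions of this model. */
#include <stdio.h>
#include <string.h>

#define X_CONN_ISPRIV      0x1u   /* models LDAP_BACK_CONN_ISPRIV(lc)     */
#define X_CONN_ISIDASSERT  0x2u   /* models LDAP_BACK_CONN_ISIDASSERT(lc) */
#define X_F_USE_TLS        0x10u  /* models LDAP_BACK_F_USE_TLS           */

enum x_tls_action { X_TLS_NONE, X_TLS_INIT, X_TLS_SET_CTX };

/* Stand-in for slap_bindconf: only the fields the snippet reads. */
struct x_bindconf {
    const char *name;        /* directive name, for reporting only     */
    int         tls_do_init; /* sb_tls_do_init: build ctx on first use */
    void       *tls_ctx;     /* sb_tls_ctx: TLS context or NULL        */
};

/* Stand-in for ldapinfo_t. */
struct x_ldapinfo {
    struct x_bindconf acl;      /* li_acl            (acl-bind)      */
    struct x_bindconf idassert; /* li_idassert.si_bc (idassert-bind) */
    struct x_bindconf tls;      /* li_tls            (tls directive) */
};

/* Step 1: pick the bindconf that governs this connection.  Nothing here
 * depends on TLS, so it can sit outside #ifdef HAVE_TLS. */
struct x_bindconf *x_select_bindconf(struct x_ldapinfo *li, unsigned conn_flags)
{
    if (conn_flags & X_CONN_ISPRIV)
        return &li->acl;
    if (conn_flags & X_CONN_ISIDASSERT)
        return &li->idassert;
    return &li->tls;            /* fallback to the plain "tls" directive */
}

static int x_lazy_ctx;          /* stands in for a ctx built at first use */

/* Step 2 (the part that would stay under HAVE_TLS): apply TLS settings
 * and decide whether TLS is forced.  Returns the updated flags. */
unsigned x_apply_tls(struct x_ldapinfo *li, struct x_bindconf *sb,
                     unsigned flags, enum x_tls_action *action)
{
    if (sb->tls_do_init) {
        /* bindconf_tls_set(sb, ld): assumed here to build the ctx, store
         * it in the bindconf and clear the do_init flag. */
        sb->tls_ctx = &x_lazy_ctx;
        sb->tls_do_init = 0;
        *action = X_TLS_INIT;
    } else if (sb->tls_ctx) {
        *action = X_TLS_SET_CTX;  /* ldap_set_option(ld, LDAP_OPT_X_TLS_CTX, ...) */
    } else {
        *action = X_TLS_NONE;
    }

    /* TLS is forced only for the acl-bind and idassert-bind identities;
     * a connection that fell back to li_tls keeps whatever flags it had,
     * even when li_tls carries a ctx. */
    if ((sb == &li->acl || sb == &li->idassert) && sb->tls_ctx)
        flags |= X_F_USE_TLS;
    return flags;
}

static int x_acl_ctx, x_tls_ctx;   /* prebuilt ctx stand-ins */

/* Constructed sample config: acl-bind and tls have prebuilt contexts,
 * idassert-bind is configured for lazy init.  Returns the resulting
 * flags and reports the chosen directive and the TLS action taken. */
unsigned x_demo(unsigned conn_flags, const char **which, enum x_tls_action *action)
{
    struct x_ldapinfo li = {
        { "acl-bind",      0, &x_acl_ctx },
        { "idassert-bind", 1, NULL       },
        { "tls",           0, &x_tls_ctx },
    };
    struct x_bindconf *sb = x_select_bindconf(&li, conn_flags);
    *which = sb->name;
    return x_apply_tls(&li, sb, 0, action);
}

int main(void)
{
    static const char *actions[] = { "none", "init", "set-ctx" };
    unsigned kinds[] = { X_CONN_ISPRIV, X_CONN_ISIDASSERT, 0 };
    for (int i = 0; i < 3; i++) {
        const char *which;
        enum x_tls_action act;
        unsigned flags = x_demo(kinds[i], &which, &act);
        printf("conn flags 0x%x -> %-14s tls=%-7s forced=%s\n", kinds[i], which,
               actions[act], (flags & X_F_USE_TLS) ? "yes" : "no");
    }
    return 0;
}
```

Running it walks the three connection kinds: the privileged (acl-bind) and idassert-bind connections come out with TLS forced, while the connection that fell back to li_tls gets its context installed but is never forced, which is the fallback the message leaves open.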