[Pkg-openldap-devel] Bug#525605: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly

Ryan Tandy ryan at nardis.ca
Wed Apr 16 05:09:02 UTC 2014


Hi John and Arthur,

I've verified this under wheezy. Setting the connection's reqcert option
is possible any time before starting TLS, but the global option only
works correctly when it's set before calling ldap_initialize().

On 26/12/09 08:50 AM, John Morrissey wrote:
> According to the latest (albeit expired) LDAP C API draft:
> 
> --
> 11.2.  LDAP Session Handle Options
> [...]
> ld     The session handle.  If this is NULL, a set of global defaults is
>        accessed.  New LDAP session handles created with ldap_init() or  
>        ldap_open() inherit their characteristics from these global
>        defaults.
> --
> 
> global defaults are inherited by new LDAP handles when they're initialized.
> As a result, global defaults set after initializing an LDAP handle do not
> apply to that handle. IOW, they're global *defaults*, not global *settings.*
> AFAICT with OpenLDAP 2.4.20, it implements this part of the draft correctly.

The ldap_set_option(3) manpage now says:

> Global options are set/retrieved by passing a NULL LDAP handle. LDAP
> handles inherit their default settings from the global options in
> effect at the time the handle is created.

The second sentence was added in 2.4.31 in response to ITS #7240:

http://www.openldap.org/its/index.cgi/Documentation?id=7240

which describes a similar problem, and first appeared in 2.4.31. See
also the linked sudo bug.

Based on that clarified documentation as well as John's citation, I
think this is working as intended. Arthur, do you agree?

thanks,
Ryan


