Add per replication agreement certificate settings #6021
Conversation
Allow TLS certificates to be configured individually on replication agreements. Add nsDS5ReplicaTransportUri, nsDS5ReplicaTransportCAUri, nsDS5ReplicaBootstrapTransportUri and nsDS5ReplicaBootstrapTransportCAUri to allow the URIs of certificates, keys and ca certificates to be specified for each agreement. Based on OpenSSL provider support added to openldap here: https://bugs.openldap.org/show_bug.cgi?id=10149 openldap/openldap#11
| if (0 == slapi_entry_attr_find(e, | ||
| bootstrap ? type_nsds5ReplicaBootstrapTransportCAUri : type_nsds5ReplicaTransportCAUri, &attr)) { | ||
|
|
||
| int i; |
There was a problem hiding this comment.
size_t, declare in the for loop
There was a problem hiding this comment.
It has been made so.
There was a problem hiding this comment.
It's still an "int" Please change to "size_t" inside the "for" loop:
for (size_t i = slapi_attr_first_value .......)
There was a problem hiding this comment.
size_t creates a nasty bug - size_t is unsigned, but slapi_attr_next_value() indicates no-more-values by returning -1.
This created an infinite loop that ate all the ram.
slapi_attr_first_value() / slapi_attr_next_value() return signed results, so at the very least it must be ssize_t for all loops, not just this one.
There was a problem hiding this comment.
Ahhh, I see. Ok, please ignore my comment :-)
| /* We've got an ld. Now bind to the server. */ | ||
|
|
||
| /* if we have TLS uris, set them now */ | ||
| #ifdef LDAP_OPT_X_TLS_URIS |
There was a problem hiding this comment.
I'm looking at the openldap source and I can't find a reference to this. Can you cite the docs about this flag?
There was a problem hiding this comment.
The flag is based on OpenSSL provider support added to openldap here:
https://bugs.openldap.org/show_bug.cgi?id=10149
openldap/openldap#11
| #endif | ||
|
|
||
| /* if we have TLS CA uris, set them now */ | ||
| #ifdef LDAP_OPT_X_TLS_CACERTURIS |
ldap/servers/slapd/ldaputil.c
Outdated
| } | ||
| /* if set, cacerturis takes precedence */ | ||
| #ifdef LDAP_OPT_X_TLS_CACERTURIS | ||
| ldap_get_option(ld, LDAP_OPT_X_TLS_CACERTURIS, &cauris); |
There was a problem hiding this comment.
At this point, is it possible that LDAP_OPT_X_TLS_CACERTURIS is set ?
IIUC setup_ol_tls_conn is called before LDAP_OPT_X_TLS_CACERTURIS is set (in conn_connect_with_bootstrap)
There was a problem hiding this comment.
This was working by accident I think, it was't set on the first pass - thanks for catching this.
Fixed below.
Allow TLS certificates to be configured individually on replication agreements.
Add nsDS5ReplicaTransportUri, nsDS5ReplicaTransportCAUri, nsDS5ReplicaBootstrapTransportUri and nsDS5ReplicaBootstrapTransportCAUri to allow the URIs of certificates, keys and ca certificates to be specified for each agreement.
Based on OpenSSL provider support added to openldap here:
https://bugs.openldap.org/show_bug.cgi?id=10149
openldap/openldap#11