From 3a2047093b453b4f4d8f6b728c55a30bcae72fc3 Mon Sep 17 00:00:00 2001
From: Rich Megginson
Date: Mon, 20 Aug 2012 12:20:21 -0600
Subject: [PATCH] Ticket #430 - server to server ssl client auth broken with latest openldap
https://fedorahosted.org/389/ticket/430
Resolves: Ticket #430
Bug Description: server to server ssl client auth broken with latest openldap
Reviewed by: ???
Branch: master
Fix Description: Pass in the openldap certfile as "tokenname:certnickname" for the internal token as well as for external tokens. openldap 2.4.32 and later are patched to accept this, and will force the use of the token named tokenname as the slot/token to use. If the internal one has already been unlocked (i.e. by the server doing SSL server init) then the cert can be used without having to unlock the key/cert db again.
Platforms tested: RHEL6 x86_64, Fedora 17
Flag Day: no
Doc impact: no
---
 ldap/servers/slapd/ssl.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f656df9..0aab53d 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1348,7 +1348,12 @@ slapd_SSL_client_auth (LDAP* ld)
 * the personality for internal tokens. */
 token = slapi_ch_strdup(internalTokenName);
+#if defined(USE_OPENLDAP)
+ /* openldap needs tokenname:certnick */
+ PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
+#else
 PL_strncpyz(cert_name, personality, sizeof(cert_name));
+#endif
 slapi_ch_free((void **) &ssltoken);
 } else {
 /* external PKCS #11 token - attach token name */
-- 1.7.1
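Review bot: The new `PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality)` in the USE_OPENLDAP branch never checks for truncation, so a long token name plus nickname silently yields a mangled "tokenname:certnick" that openldap will then fail to find (or, worse, resolve to a different nickname), with no diagnostic pointing at the cause. The declaration and size of `cert_name` are outside the hunk, so I cannot tell how likely overflow is, but the combined string is strictly longer than the `personality` the old `PL_strncpyz` copied. A length check before formatting keeps the failure explicit, e.g. `if (strlen(token) + strlen(personality) + 2 > sizeof(cert_name)) { slapi_log_error(SLAPI_LOG_FATAL, "SSL", "token:certnick too long for cert_name\n"); }` followed by whatever error return the surrounding function uses. The commit message says the external-token path already builds the same "tokenname:certnick" form; that branch starts just after this hunk and should apply the same truncation check for consistency. slapd_SSL_client_auth begins and ends outside the hunk.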