1
/* Copyright 2000-2005 The Apache Software Foundation or its licensors, as
4
* Licensed under the Apache License, Version 2.0 (the "License");
5
* you may not use this file except in compliance with the License.
6
* You may obtain a copy of the License at
8
* http://www.apache.org/licenses/LICENSE-2.0
10
* Unless required by applicable law or agreed to in writing, software
11
* distributed under the License is distributed on an "AS IS" BASIS,
12
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
* See the License for the specific language governing permissions and
14
* limitations under the License.
18
* @file apr_ldap_option.h
19
* @brief APR-UTIL LDAP ldap_*_option() functions
21
#ifndef APR_LDAP_OPTION_H
22
#define APR_LDAP_OPTION_H
25
* @defgroup APR_Util_LDAP LDAP
36
#endif /* __cplusplus */
39
* The following defines handle the different TLS certificate
40
* options available. If these options are missing, APR will try and
41
* emulate support for this using the deprecated ldap_start_tls_s()
45
* Set SSL mode to one of APR_LDAP_NONE, APR_LDAP_SSL, APR_LDAP_STARTTLS
46
* or APR_LDAP_STOPTLS.
48
#define APR_LDAP_OPT_TLS 0x6fff
50
* Set zero or more CA certificates, client certificates or private
51
* keys globally, or per connection (where supported).
53
#define APR_LDAP_OPT_TLS_CERT 0x6ffe
55
* Set the LDAP library to no verify the server certificate. This means
56
* all servers are considered trusted.
58
#define APR_LDAP_OPT_VERIFY_CERT 0x6ffd
61
* Structures for the apr_set_option() cases
65
* APR_LDAP_OPT_TLS_CERT
67
* This structure includes possible options to set certificates on
68
* system initialisation. Different SDKs have different certificate
69
* requirements, and to achieve this multiple certificates must be
70
* specified at once passed as an (apr_array_header_t *).
73
* Needs the CA cert database (cert7.db), the client cert database (key3.db)
74
* and the security module file (secmod.db) set at the system initialisation
75
* time. Three types are supported: APR_LDAP_CERT7_DB, APR_LDAP_KEY3_DB and
78
* To specify a client cert connection, a certificate nickname needs to be
79
* provided with a type of APR_LDAP_CERT.
80
* int ldapssl_enable_clientauth( LDAP *ld, char *keynickname,
81
* char *keypasswd, char *certnickname );
82
* keynickname is currently not used, and should be set to ""
85
* Needs CA certificates and client certificates set at system initialisation
86
* time. Three types are supported: APR_LDAP_CA*, APR_LDAP_CERT* and
89
* Certificates cannot be specified per connection.
91
* The functions used are:
92
* ldapssl_add_trusted_cert(serverTrustedRoot, serverTrustedRootEncoding);
93
* Clients certs and keys are set at system initialisation time with
94
* int ldapssl_set_client_cert (
98
* type can be LDAPSSL_CERT_FILETYPE_B64 or LDAPSSL_CERT_FILETYPE_DER
99
* ldapssl_set_client_private_key(clientPrivateKey,
100
* clientPrivateKeyEncoding,
101
* clientPrivateKeyPassword);
104
* Needs one or more CA certificates to be set at system initialisation time
105
* with a type of APR_LDAP_CA*.
107
* May have one or more client certificates set per connection with a type of
108
* APR_LDAP_CERT*, and keys with APR_LDAP_KEY*.
110
/** CA certificate type unknown */
111
#define APR_LDAP_CA_TYPE_UNKNOWN 0
112
/** binary DER encoded CA certificate */
113
#define APR_LDAP_CA_TYPE_DER 1
114
/** PEM encoded CA certificate */
115
#define APR_LDAP_CA_TYPE_BASE64 2
116
/** Netscape/Mozilla cert7.db CA certificate database */
117
#define APR_LDAP_CA_TYPE_CERT7_DB 3
118
/** Netscape/Mozilla secmod file */
119
#define APR_LDAP_CA_TYPE_SECMOD 4
120
/** Client certificate type unknown */
121
#define APR_LDAP_CERT_TYPE_UNKNOWN 5
122
/** binary DER encoded client certificate */
123
#define APR_LDAP_CERT_TYPE_DER 6
124
/** PEM encoded client certificate */
125
#define APR_LDAP_CERT_TYPE_BASE64 7
126
/** Netscape/Mozilla key3.db client certificate database */
127
#define APR_LDAP_CERT_TYPE_KEY3_DB 8
128
/** Netscape/Mozilla client certificate nickname */
129
#define APR_LDAP_CERT_TYPE_NICKNAME 9
130
/** Private key type unknown */
131
#define APR_LDAP_KEY_TYPE_UNKNOWN 10
132
/** binary DER encoded private key */
133
#define APR_LDAP_KEY_TYPE_DER 11
134
/** PEM encoded private key */
135
#define APR_LDAP_KEY_TYPE_BASE64 12
136
/** PKCS#12 encoded client certificate */
137
#define APR_LDAP_CERT_TYPE_PFX 13
138
/** PKCS#12 encoded private key */
139
#define APR_LDAP_KEY_TYPE_PFX 14
142
* Certificate structure.
144
* This structure is used to store certificate details. An array of
145
* these structures is passed to apr_ldap_set_option() to set CA
146
* and client certificates.
147
* @param type Type of certificate APR_LDAP_*_TYPE_*
148
* @param path Path, file or nickname of the certificate
149
* @param password Optional password, can be NULL
151
typedef struct apr_ldap_opt_tls_cert_t apr_ldap_opt_tls_cert_t;
152
struct apr_ldap_opt_tls_cert_t {
155
const char *password;
161
* This sets the SSL level on the LDAP handle.
164
* Supports SSL, but not STARTTLS
165
* SSL is enabled by calling ldapssl_install_routines().
168
* Supports SSL and STARTTLS.
169
* SSL is enabled by calling ldapssl_install_routines(). Note that calling
170
* other ldap functions before ldapssl_install_routines() may cause this
172
* STARTTLS is enabled by calling ldapssl_start_tls_s() after calling
173
* ldapssl_install_routines() (check this).
176
* Supports SSL and supports STARTTLS, but none of this is documented:
177
* http://www.openldap.org/lists/openldap-software/200409/msg00618.html
178
* Documentation for both SSL support and STARTTLS has been deleted from
179
* the OpenLDAP documentation and website.
183
#define APR_LDAP_NONE 0
184
/** SSL encryption (ldaps://) */
185
#define APR_LDAP_SSL 1
186
/** TLS encryption (STARTTLS) */
187
#define APR_LDAP_STARTTLS 2
188
/** end TLS encryption (STOPTLS) */
189
#define APR_LDAP_STOPTLS 3
192
* APR LDAP get option function
194
* This function gets option values from a given LDAP session if
195
* one was specified. It maps to the native ldap_get_option() function.
196
* @param pool The pool to use
197
* @param ldap The LDAP handle
198
* @param option The LDAP_OPT_* option to return
199
* @param outvalue The value returned (if any)
200
* @param result_err The apr_ldap_err_t structure contained detailed results
203
APU_DECLARE(int) apr_ldap_get_option(apr_pool_t *pool,
207
apr_ldap_err_t **result_err);
210
* APR LDAP set option function
212
* This function sets option values to a given LDAP session if
213
* one was specified. It maps to the native ldap_set_option() function.
215
* Where an option is not supported by an LDAP toolkit, this function
216
* will try and apply legacy functions to achieve the same effect,
217
* depending on the platform.
218
* @param pool The pool to use
219
* @param ldap The LDAP handle
220
* @param option The LDAP_OPT_* option to set
221
* @param invalue The value to set
222
* @param result_err The apr_ldap_err_t structure contained detailed results
225
APU_DECLARE(int) apr_ldap_set_option(apr_pool_t *pool,
229
apr_ldap_err_t **result_err);
235
#endif /* APR_HAS_LDAP */
239
#endif /* APR_LDAP_OPTION_H */