ldap/servers/slapd/ssl.c | 5 +++++
1 file changed, 5 insertions(+)
New commits:
commit 53c974f363d633aedfea40690a6aa4bfbeb00de0
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Aug 20 12:20:21 2012 -0600
Ticket #430 - server to server ssl client auth broken with latest openldap
https://fedorahosted.org/389/ticket/430
Resolves: Ticket #430
Bug Description: server to server ssl client auth broken with latest openldap
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Pass in the openldap certfile as "tokenname:certnickname"
for the internal token as well as for external tokens. openldap 2.4.32 and
later are patched to accept this, and will force the use of the token named
tokenname as the slot/token to use. If the internal one has already been
unlocked (i.e. by the server doing SSL server init) then the cert can be used
without having to unlock the key/cert db again.
Platforms tested: RHEL6 x86_64, Fedora 17
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f656df9..0aab53d 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1348,7 +1348,12 @@ slapd_SSL_client_auth (LDAP* ld)
* the personality for internal tokens.
*/
token = slapi_ch_strdup(internalTokenName);
+#if defined(USE_OPENLDAP)
+ /* openldap needs tokenname:certnick */
+ PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
+#else
PL_strncpyz(cert_name, personality, sizeof(cert_name));
+#endif
slapi_ch_free((void **) &ssltoken);
} else {
/* external PKCS #11 token - attach token name */