2
0

apr_ldap_option.c 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598
  1. /* Copyright 2000-2005 The Apache Software Foundation or its licensors, as
  2. * applicable.
  3. *
  4. * Licensed under the Apache License, Version 2.0 (the "License");
  5. * you may not use this file except in compliance with the License.
  6. * You may obtain a copy of the License at
  7. *
  8. * http://www.apache.org/licenses/LICENSE-2.0
  9. *
  10. * Unless required by applicable law or agreed to in writing, software
  11. * distributed under the License is distributed on an "AS IS" BASIS,
  12. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. * See the License for the specific language governing permissions and
  14. * limitations under the License.
  15. */
  16. /* apr_ldap_option.c -- LDAP options
  17. *
  18. * The LDAP SDK allows the getting and setting of options on an LDAP
  19. * connection.
  20. *
  21. */
  22. #include "apr.h"
  23. #include "apu.h"
  24. #include "apr_ldap.h"
  25. #include "apr_errno.h"
  26. #include "apr_pools.h"
  27. #include "apr_strings.h"
  28. #include "apr_tables.h"
  29. #if APR_HAS_LDAP
  30. static void option_set_cert(apr_pool_t *pool, LDAP *ldap, const void *invalue,
  31. apr_ldap_err_t *result);
  32. static void option_set_tls(apr_pool_t *pool, LDAP *ldap, const void *invalue,
  33. apr_ldap_err_t *result);
  34. /**
  35. * APR LDAP get option function
  36. *
  37. * This function gets option values from a given LDAP session if
  38. * one was specified.
  39. */
  40. APU_DECLARE(int) apr_ldap_get_option(apr_pool_t *pool,
  41. LDAP *ldap,
  42. int option,
  43. void *outvalue,
  44. apr_ldap_err_t **result_err)
  45. {
  46. apr_ldap_err_t *result;
  47. result = apr_pcalloc(pool, sizeof(apr_ldap_err_t));
  48. *result_err = result;
  49. if (!result) {
  50. return APR_ENOMEM;
  51. }
  52. /* get the option specified using the native LDAP function */
  53. result->rc = ldap_get_option(ldap, option, outvalue);
  54. /* handle the error case */
  55. if (result->rc != LDAP_SUCCESS) {
  56. result->msg = ldap_err2string(result-> rc);
  57. result->reason = apr_pstrdup(pool, "LDAP: Could not get an option");
  58. return APR_EGENERAL;
  59. }
  60. return APR_SUCCESS;
  61. }
  62. /**
  63. * APR LDAP set option function
  64. *
  65. * This function sets option values to a given LDAP session if
  66. * one was specified.
  67. *
  68. * Where an option is not supported by an LDAP toolkit, this function
  69. * will try and apply legacy functions to achieve the same effect,
  70. * depending on the platform.
  71. */
  72. APU_DECLARE(int) apr_ldap_set_option(apr_pool_t *pool,
  73. LDAP *ldap,
  74. int option,
  75. const void *invalue,
  76. apr_ldap_err_t **result_err)
  77. {
  78. apr_ldap_err_t *result;
  79. result = apr_pcalloc(pool, sizeof(apr_ldap_err_t));
  80. *result_err = result;
  81. if (!result) {
  82. return APR_ENOMEM;
  83. }
  84. switch (option) {
  85. case APR_LDAP_OPT_TLS_CERT:
  86. option_set_cert(pool, ldap, invalue, result);
  87. break;
  88. case APR_LDAP_OPT_TLS:
  89. option_set_tls(pool, ldap, invalue, result);
  90. break;
  91. case APR_LDAP_OPT_VERIFY_CERT:
  92. #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
  93. result->reason = "LDAP: Verify certificate not yet supported by APR on the "
  94. "Netscape, Solaris or Mozilla LDAP SDKs";
  95. result->rc = -1;
  96. return APR_EGENERAL;
  97. #endif
  98. #if APR_HAS_NOVELL_LDAPSDK
  99. if (*((int*)invalue)) {
  100. result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER);
  101. }
  102. else {
  103. result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE);
  104. }
  105. #endif
  106. #if APR_HAS_OPENLDAP_LDAPSDK
  107. #ifdef LDAP_OPT_X_TLS
  108. /* This is not a per-connection setting so just pass NULL for the
  109. Ldap connection handle */
  110. if (*((int*)invalue)) {
  111. int i = LDAP_OPT_X_TLS_DEMAND;
  112. result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
  113. }
  114. else {
  115. int i = LDAP_OPT_X_TLS_NEVER;
  116. result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
  117. }
  118. #else
  119. result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
  120. "version of the OpenLDAP toolkit";
  121. result->rc = -1;
  122. return APR_EGENERAL;
  123. #endif
  124. #endif
  125. /* handle the error case */
  126. if (result->rc != LDAP_SUCCESS) {
  127. result->msg = ldap_err2string(result->rc);
  128. result->reason = "LDAP: Could not set verify mode";
  129. }
  130. break;
  131. default:
  132. /* set the option specified using the native LDAP function */
  133. result->rc = ldap_set_option(ldap, option, (void *)invalue);
  134. /* handle the error case */
  135. if (result->rc != LDAP_SUCCESS) {
  136. result->msg = ldap_err2string(result->rc);
  137. result->reason = "LDAP: Could not set an option";
  138. }
  139. break;
  140. }
  141. /* handle the error case */
  142. if (result->rc != LDAP_SUCCESS) {
  143. return APR_EGENERAL;
  144. }
  145. return APR_SUCCESS;
  146. }
  147. /**
  148. * Handle APR_LDAP_OPT_TLS
  149. *
  150. * This function sets the type of TLS to be applied to this connection.
  151. * The options are:
  152. * APR_LDAP_NONE: no encryption
  153. * APR_LDAP_SSL: SSL encryption (ldaps://)
  154. * APR_LDAP_STARTTLS: STARTTLS encryption
  155. * APR_LDAP_STOPTLS: Stop existing TLS connecttion
  156. */
  157. static void option_set_tls(apr_pool_t *pool, LDAP *ldap, const void *invalue,
  158. apr_ldap_err_t *result)
  159. {
  160. int tls = * (const int *)invalue;
  161. #if APR_HAS_LDAP_SSL /* compiled with ssl support */
  162. /* Netscape/Mozilla/Solaris SDK */
  163. #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
  164. #if APR_HAS_LDAPSSL_INSTALL_ROUTINES
  165. if (tls == APR_LDAP_SSL) {
  166. result->rc = ldapssl_install_routines(ldap);
  167. #ifdef LDAP_OPT_SSL
  168. /* apparently Netscape and Mozilla need this too, Solaris doesn't */
  169. if (result->rc == LDAP_SUCCESS) {
  170. result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
  171. }
  172. #endif
  173. if (result->rc != LDAP_SUCCESS) {
  174. result->msg = ldap_err2string(result->rc);
  175. result->reason = "LDAP: Could not switch SSL on for this "
  176. "connection.";
  177. }
  178. }
  179. else if (tls == APR_LDAP_STARTTLS) {
  180. result->reason = "LDAP: STARTTLS is not supported by the "
  181. "Netscape/Mozilla/Solaris SDK";
  182. result->rc = -1;
  183. }
  184. else if (tls == APR_LDAP_STOPTLS) {
  185. result->reason = "LDAP: STOPTLS is not supported by the "
  186. "Netscape/Mozilla/Solaris SDK";
  187. result->rc = -1;
  188. }
  189. #else
  190. if (tls != APR_LDAP_NONE) {
  191. result->reason = "LDAP: SSL/TLS is not supported by this version "
  192. "of the Netscape/Mozilla/Solaris SDK";
  193. result->rc = -1;
  194. }
  195. #endif
  196. #endif
  197. /* Novell SDK */
  198. #if APR_HAS_NOVELL_LDAPSDK
  199. /* ldapssl_install_routines(ldap)
  200. * Behavior is unpredictable when other LDAP functions are called
  201. * between the ldap_init function and the ldapssl_install_routines
  202. * function.
  203. *
  204. * STARTTLS is supported by the ldap_start_tls_s() method
  205. */
  206. if (tls == APR_LDAP_SSL) {
  207. result->rc = ldapssl_install_routines(ldap);
  208. if (result->rc != LDAP_SUCCESS) {
  209. result->msg = ldap_err2string(result->rc);
  210. result->reason = "LDAP: Could not switch SSL on for this "
  211. "connection.";
  212. }
  213. }
  214. if (tls == APR_LDAP_STARTTLS) {
  215. result->rc = ldapssl_start_tls(ldap);
  216. if (result->rc != LDAP_SUCCESS) {
  217. result->msg = ldap_err2string(result->rc);
  218. result->reason = "LDAP: Could not start TLS on this connection";
  219. }
  220. }
  221. else if (tls == APR_LDAP_STOPTLS) {
  222. result->rc = ldapssl_stop_tls(ldap);
  223. if (result->rc != LDAP_SUCCESS) {
  224. result->msg = ldap_err2string(result->rc);
  225. result->reason = "LDAP: Could not stop TLS on this connection";
  226. }
  227. }
  228. #endif
  229. /* OpenLDAP SDK */
  230. #if APR_HAS_OPENLDAP_LDAPSDK
  231. #ifdef LDAP_OPT_X_TLS
  232. if (tls == APR_LDAP_SSL) {
  233. int SSLmode = LDAP_OPT_X_TLS_HARD;
  234. result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS, &SSLmode);
  235. if (result->rc != LDAP_SUCCESS) {
  236. result->reason = "LDAP: ldap_set_option failed. "
  237. "Could not set LDAP_OPT_X_TLS to "
  238. "LDAP_OPT_X_TLS_HARD";
  239. result->msg = ldap_err2string(result->rc);
  240. }
  241. }
  242. else if (tls == APR_LDAP_STARTTLS) {
  243. result->rc = ldap_start_tls_s(ldap, NULL, NULL);
  244. if (result->rc != LDAP_SUCCESS) {
  245. result->reason = "LDAP: ldap_start_tls_s() failed";
  246. result->msg = ldap_err2string(result->rc);
  247. }
  248. }
  249. else if (tls == APR_LDAP_STOPTLS) {
  250. result->reason = "LDAP: STOPTLS is not supported by the "
  251. "OpenLDAP SDK";
  252. result->rc = -1;
  253. }
  254. #else
  255. if (tls != APR_LDAP_NONE) {
  256. result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
  257. "version of the OpenLDAP toolkit";
  258. result->rc = -1;
  259. }
  260. #endif
  261. #endif
  262. /* Microsoft SDK */
  263. #if APR_HAS_MICROSOFT_LDAPSDK
  264. if (tls == APR_LDAP_NONE) {
  265. result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_OFF);
  266. if (result->rc != LDAP_SUCCESS) {
  267. result->reason = "LDAP: an attempt to set LDAP_OPT_SSL off "
  268. "failed.";
  269. result->msg = ldap_err2string(result->rc);
  270. }
  271. }
  272. else if (tls == APR_LDAP_SSL) {
  273. result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
  274. if (result->rc != LDAP_SUCCESS) {
  275. result->reason = "LDAP: an attempt to set LDAP_OPT_SSL on "
  276. "failed.";
  277. result->msg = ldap_err2string(result->rc);
  278. }
  279. }
  280. #if APR_HAS_LDAP_START_TLS_S
  281. else if (tls == APR_LDAP_STARTTLS) {
  282. result->rc = ldap_start_tls_s(ldap, NULL, NULL, NULL, NULL);
  283. if (result->rc != LDAP_SUCCESS) {
  284. result->reason = "LDAP: ldap_start_tls_s() failed";
  285. result->msg = ldap_err2string(result->rc);
  286. }
  287. }
  288. else if (tls == APR_LDAP_STOPTLS) {
  289. result->rc = ldap_stop_tls_s(ldap);
  290. if (result->rc != LDAP_SUCCESS) {
  291. result->reason = "LDAP: ldap_stop_tls_s() failed";
  292. result->msg = ldap_err2string(result->rc);
  293. }
  294. }
  295. #endif
  296. #endif
  297. #if APR_HAS_OTHER_LDAPSDK
  298. if (tls != APR_LDAP_NONE) {
  299. result->reason = "LDAP: SSL/TLS is currently not supported by "
  300. "APR on this LDAP SDK";
  301. result->rc = -1;
  302. }
  303. #endif
  304. #endif /* APR_HAS_LDAP_SSL */
  305. }
  306. /**
  307. * Handle APR_LDAP_OPT_TLS_CACERTFILE
  308. *
  309. * This function sets the CA certificate for further SSL/TLS connections.
  310. *
  311. * The file provided are in different formats depending on the toolkit used:
  312. *
  313. * Netscape: cert7.db file
  314. * Novell: PEM or DER
  315. * OpenLDAP: PEM (others supported?)
  316. * Microsoft: unknown
  317. * Solaris: unknown
  318. */
  319. static void option_set_cert(apr_pool_t *pool, LDAP *ldap,
  320. const void *invalue, apr_ldap_err_t *result)
  321. {
  322. apr_array_header_t *certs = (apr_array_header_t *)invalue;
  323. struct apr_ldap_opt_tls_cert_t *ents = (struct apr_ldap_opt_tls_cert_t *)certs->elts;
  324. int i = 0;
  325. #if APR_HAS_LDAP_SSL
  326. /* Netscape/Mozilla/Solaris SDK */
  327. #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSDK
  328. #if APR_HAS_LDAPSSL_CLIENT_INIT
  329. const char *nickname = NULL;
  330. const char *secmod = NULL;
  331. const char *key3db = NULL;
  332. const char *cert7db = NULL;
  333. const char *password = NULL;
  334. /* set up cert7.db, key3.db and secmod parameters */
  335. for (i = 0; i < certs->nelts; i++) {
  336. switch (ents[i].type) {
  337. case APR_LDAP_CA_TYPE_CERT7_DB:
  338. cert7db = ents[i].path;
  339. break;
  340. case APR_LDAP_CA_TYPE_SECMOD:
  341. secmod = ents[i].path;
  342. break;
  343. case APR_LDAP_CERT_TYPE_KEY3_DB:
  344. key3db = ents[i].path;
  345. break;
  346. case APR_LDAP_CERT_TYPE_NICKNAME:
  347. nickname = ents[i].path;
  348. password = ents[i].password;
  349. break;
  350. default:
  351. result->rc = -1;
  352. result->reason = "LDAP: The Netscape/Mozilla LDAP SDK only "
  353. "understands the CERT7, KEY3 and SECMOD "
  354. "file types.";
  355. break;
  356. }
  357. if (result->rc != LDAP_SUCCESS) {
  358. break;
  359. }
  360. }
  361. /* actually set the certificate parameters */
  362. if (result->rc == LDAP_SUCCESS) {
  363. if (nickname) {
  364. result->rc = ldapssl_enable_clientauth(ldap, "",
  365. (char *)password,
  366. (char *)nickname);
  367. if (result->rc != LDAP_SUCCESS) {
  368. result->reason = "LDAP: could not set client certificate: "
  369. "ldapssl_enable_clientauth() failed.";
  370. result->msg = ldap_err2string(result->rc);
  371. }
  372. }
  373. else if (secmod) {
  374. result->rc = ldapssl_advclientauth_init(cert7db, NULL,
  375. key3db ? 1 : 0, key3db, NULL,
  376. 1, secmod, LDAPSSL_AUTH_CNCHECK);
  377. if (result->rc != LDAP_SUCCESS) {
  378. result->reason = "LDAP: ldapssl_advclientauth_init() failed.";
  379. result->msg = ldap_err2string(result->rc);
  380. }
  381. }
  382. else if (key3db) {
  383. result->rc = ldapssl_clientauth_init(cert7db, NULL,
  384. 1, key3db, NULL);
  385. if (result->rc != LDAP_SUCCESS) {
  386. result->reason = "LDAP: ldapssl_clientauth_init() failed.";
  387. result->msg = ldap_err2string(result->rc);
  388. }
  389. }
  390. else {
  391. result->rc = ldapssl_client_init(cert7db, NULL);
  392. if (result->rc != LDAP_SUCCESS) {
  393. result->reason = "LDAP: ldapssl_client_init() failed.";
  394. result->msg = ldap_err2string(result->rc);
  395. }
  396. }
  397. }
  398. #else
  399. result->reason = "LDAP: SSL/TLS ldapssl_client_init() function not "
  400. "supported by this Netscape/Mozilla/Solaris SDK. "
  401. "Certificate authority file not set";
  402. result->rc = -1;
  403. #endif
  404. #endif
  405. /* Novell SDK */
  406. #if APR_HAS_NOVELL_LDAPSDK
  407. #if APR_HAS_LDAPSSL_CLIENT_INIT && APR_HAS_LDAPSSL_ADD_TRUSTED_CERT && APR_HAS_LDAPSSL_CLIENT_DEINIT
  408. /* The Novell library cannot support per connection certificates. Error
  409. * out if the ldap handle is provided.
  410. */
  411. if (ldap) {
  412. result->rc = -1;
  413. result->reason = "LDAP: The Novell LDAP SDK cannot support the setting "
  414. "of certificates or keys on a per connection basis.";
  415. }
  416. /* Novell's library needs to be initialised first */
  417. else {
  418. result->rc = ldapssl_client_init(NULL, NULL);
  419. if (result->rc != LDAP_SUCCESS) {
  420. result->msg = ldap_err2string(result-> rc);
  421. result->reason = apr_pstrdup(pool, "LDAP: Could not "
  422. "initialize SSL");
  423. }
  424. }
  425. /* set one or more certificates */
  426. for (i = 0; LDAP_SUCCESS == result->rc && i < certs->nelts; i++) {
  427. /* Novell SDK supports DER or BASE64 files. */
  428. switch (ents[i].type) {
  429. case APR_LDAP_CA_TYPE_DER:
  430. result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
  431. LDAPSSL_CERT_FILETYPE_DER);
  432. result->msg = ldap_err2string(result->rc);
  433. break;
  434. case APR_LDAP_CA_TYPE_BASE64:
  435. result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
  436. LDAPSSL_CERT_FILETYPE_B64);
  437. result->msg = ldap_err2string(result->rc);
  438. break;
  439. case APR_LDAP_CERT_TYPE_DER:
  440. result->rc = ldapssl_set_client_cert((void *)ents[i].path,
  441. LDAPSSL_CERT_FILETYPE_DER,
  442. (void*)ents[i].password);
  443. result->msg = ldap_err2string(result->rc);
  444. break;
  445. case APR_LDAP_CERT_TYPE_BASE64:
  446. result->rc = ldapssl_set_client_cert((void *)ents[i].path,
  447. LDAPSSL_CERT_FILETYPE_B64,
  448. (void*)ents[i].password);
  449. result->msg = ldap_err2string(result->rc);
  450. break;
  451. case APR_LDAP_CERT_TYPE_PFX:
  452. result->rc = ldapssl_set_client_cert((void *)ents[i].path,
  453. LDAPSSL_FILETYPE_P12,
  454. (void*)ents[i].password);
  455. result->msg = ldap_err2string(result->rc);
  456. break;
  457. case APR_LDAP_KEY_TYPE_DER:
  458. result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
  459. LDAPSSL_CERT_FILETYPE_DER,
  460. (void*)ents[i].password);
  461. result->msg = ldap_err2string(result->rc);
  462. break;
  463. case APR_LDAP_KEY_TYPE_BASE64:
  464. result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
  465. LDAPSSL_CERT_FILETYPE_B64,
  466. (void*)ents[i].password);
  467. result->msg = ldap_err2string(result->rc);
  468. break;
  469. case APR_LDAP_KEY_TYPE_PFX:
  470. result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
  471. LDAPSSL_FILETYPE_P12,
  472. (void*)ents[i].password);
  473. result->msg = ldap_err2string(result->rc);
  474. break;
  475. default:
  476. result->rc = -1;
  477. result->reason = "LDAP: The Novell LDAP SDK only understands the "
  478. "DER and PEM (BASE64) file types.";
  479. break;
  480. }
  481. if (result->rc != LDAP_SUCCESS) {
  482. break;
  483. }
  484. }
  485. #else
  486. result->reason = "LDAP: ldapssl_client_init(), "
  487. "ldapssl_add_trusted_cert() or "
  488. "ldapssl_client_deinit() functions not supported "
  489. "by this Novell SDK. Certificate authority file "
  490. "not set";
  491. result->rc = -1;
  492. #endif
  493. #endif
  494. /* OpenLDAP SDK */
  495. #if APR_HAS_OPENLDAP_LDAPSDK
  496. #ifdef LDAP_OPT_X_TLS_CACERTFILE
  497. /* set one or more certificates */
  498. /* FIXME: make it support setting directories as well as files */
  499. for (i = 0; i < certs->nelts; i++) {
  500. /* OpenLDAP SDK supports BASE64 files. */
  501. switch (ents[i].type) {
  502. case APR_LDAP_CA_TYPE_BASE64:
  503. result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE,
  504. (void *)ents[i].path);
  505. result->msg = ldap_err2string(result->rc);
  506. break;
  507. case APR_LDAP_CERT_TYPE_BASE64:
  508. result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CERTFILE,
  509. (void *)ents[i].path);
  510. result->msg = ldap_err2string(result->rc);
  511. break;
  512. case APR_LDAP_KEY_TYPE_BASE64:
  513. result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_KEYFILE,
  514. (void *)ents[i].path);
  515. result->msg = ldap_err2string(result->rc);
  516. break;
  517. default:
  518. result->rc = -1;
  519. result->reason = "LDAP: The OpenLDAP SDK only understands the "
  520. "PEM (BASE64) file type.";
  521. break;
  522. }
  523. if (result->rc != LDAP_SUCCESS) {
  524. break;
  525. }
  526. }
  527. #else
  528. result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
  529. "defined by this OpenLDAP SDK. Certificate "
  530. "authority file not set";
  531. result->rc = -1;
  532. #endif
  533. #endif
  534. /* Microsoft SDK */
  535. #if APR_HAS_MICROSOFT_LDAPSDK
  536. /* Microsoft SDK use the registry certificate store - error out
  537. * here with a message explaining this. */
  538. result->reason = "LDAP: CA certificates cannot be set using this method, "
  539. "as they are stored in the registry instead.";
  540. result->rc = -1;
  541. #endif
  542. /* SDK not recognised */
  543. #if APR_HAS_OTHER_LDAPSDK
  544. result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
  545. "defined by this LDAP SDK. Certificate "
  546. "authority file not set";
  547. result->rc = -1;
  548. #endif
  549. #else /* not compiled with SSL Support */
  550. result->reason = "LDAP: Attempt to set certificate(s) failed. "
  551. "Not built with SSL support";
  552. result->rc = -1;
  553. #endif /* APR_HAS_LDAP_SSL */
  554. }
  555. #endif /* APR_HAS_LDAP */