From 9f959f071c38f7f9181b279846f4f94947805d64 Mon Sep 17 00:00:00 2001
From: Rich Megginson
Date: Aug 20 2012 18:54:52 +0000
Subject: Ticket #430 - server to server ssl client auth broken with latest openldap
https://fedorahosted.org/389/ticket/430
Resolves: Ticket #430
Bug Description: server to server ssl client auth broken with latest openldap
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.2.11
Fix Description: Pass in the openldap certfile as "tokenname:certnickname" for the internal token as well as for external tokens. openldap 2.4.32 and later are patched to accept this, and will force the use of the token named tokenname as the slot/token to use. If the internal one has already been unlocked (i.e. by the server doing SSL server init) then the cert can be used without having to unlock the key/cert db again.
Platforms tested: RHEL6 x86_64, Fedora 17
Flag Day: no
Doc impact: no
---
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f656df9..0aab53d 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1348,7 +1348,12 @@ slapd_SSL_client_auth (LDAP* ld)
  * the personality for internal tokens. */
  token = slapi_ch_strdup(internalTokenName);
+#if defined(USE_OPENLDAP)
+ /* openldap needs tokenname:certnick */
+ PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
+#else
  PL_strncpyz(cert_name, personality, sizeof(cert_name));
+#endif
  slapi_ch_free((void **) &ssltoken);
  } else {
  /* external PKCS #11 token - attach token name */
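Review bot: The added `PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);` truncates silently when the token name plus the nickname no longer fit in cert_name, and the new "tokenname:" prefix makes a nickname that previously fit overflow more easily; its return value is not checked. A truncated nickname is handed to openldap as the client certificate to use, so the server would presumably either fail client auth with a confusing error or, if the truncated string happens to match another nickname, authenticate with the wrong certificate. Guard the length before building the string, e.g. `if (strlen(token) + 1 + strlen(personality) >= sizeof(cert_name)) { /* log the truncation with the file's error-logging call and treat it as a client-auth setup failure */ }`, so the condition is reported rather than silently turned into a shorter name. cert_name's declaration and the external-token branch that the commit message says gets the same "tokenname:certnickname" format lie outside this hunk, and slapd_SSL_client_auth both starts and ends outside it.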