+#endif /* LDAP_OPT_X_TLS */
+
+#ifdef LDAP_OPT_X_TLS_CACERTFILE
+ if (eldap_ca_cert_file)
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTDIR
+ if (eldap_ca_cert_dir)
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+#endif
+#ifdef LDAP_OPT_X_TLS_CERTFILE
+ if (eldap_cert_file)
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+#endif
+#ifdef LDAP_OPT_X_TLS_KEYFILE
+ if (eldap_cert_key)
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+#endif
+#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+ if (eldap_cipher_suite)
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ if (eldap_require_cert)
+ {
+ int cert_option =
+ Ustrcmp(eldap_require_cert, "hard") == 0 ? LDAP_OPT_X_TLS_HARD
+ : Ustrcmp(eldap_require_cert, "demand") == 0 ? LDAP_OPT_X_TLS_DEMAND
+ : Ustrcmp(eldap_require_cert, "allow") == 0 ? LDAP_OPT_X_TLS_ALLOW
+ : Ustrcmp(eldap_require_cert, "try") == 0 ? LDAP_OPT_X_TLS_TRY
+ : LDAP_OPT_X_TLS_NEVER;
+
+ /* This ldap handle is set at compile time based on client libs. Older
+ * versions want it to be global and newer versions can force a reload
+ * of the TLS context (to reload these settings we are changing from the
+ * default that loaded at instantiation). */
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ if (rc)
+ DEBUG(D_lookup)
+ debug_printf_indent("Unable to set TLS require cert_option(%d) globally: %s\n",
+ cert_option, ldap_err2string(rc));
+ }
+#endif
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+ if ((rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server)))
+ DEBUG(D_lookup)
+ debug_printf_indent("Unable to reload TLS context %d: %s\n",
+ rc, ldap_err2string(rc));
+ #endif