Posted to bugs@apr.apache.org by bu...@apache.org on 2009/07/09 13:19:19 UTC

DO NOT REPLY [Bug 47501] New: [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

https://issues.apache.org/bugzilla/show_bug.cgi?id=47501

           Summary: [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with
                    OpenLDAP
           Product: APR
           Version: HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: PatchAvailable
          Severity: major
          Priority: P2
         Component: APR-util
        AssignedTo: bugs@apr.apache.org
        ReportedBy: alexey.v.varlamov@gmail.com


Created an attachment (id=23948)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23948)
Suggested fix to the problem.

apr_ldap_set_option() incorrectly handles setting LDAP_OPT_REFHOPLIMIT with
OpenLDAP, see the patch attached. The reason is that OpenLDAP does define the
LDAP_OPT_REFHOPLIMIT (under comment /* private and experimental options */
/* OpenLDAP specific options */) but apparently does support setting it.
(Tried with latest v2.4.16 of OpenLDAP).

This appears to be broken since revision 640388 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=640388 ), as a result LDAP
authentication in trunk HTTPD does not work with OpenLDAP, the following error
is logged:
[Thu Jul 09 11:05:18 2009] [debug] util_ldap.c(381): Setting referral hop limit to 5.
[Thu Jul 09 11:05:18 2009] [debug] util_ldap.c(389): Unable to set LDAP_OPT_REFHOPLIMIT option to 5: -1.
[Thu Jul 09 11:05:18 2009] [warn] [client 127.0.0.1] [8816] auth_ldap authenticate: user user1 authentication failed; URI /private [Unable to set LDAP_OPT_REFHOPLIMIT.][Can't contact LDAP server], referer: http://localhost:8000/

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org


DO NOT REPLY [Bug 47501] [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47501


Lars Eilebrecht <la...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lars@apache.org




DO NOT REPLY [Bug 47501] [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47501

Ruediger Pluem <rp...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Ruediger Pluem <rp...@apache.org> 2009-10-06 21:06:42 CEST ---
What about older OpenLDAP versions (e.g. 2.3.x)? Do they still run fine with
the patch?



DO NOT REPLY [Bug 47501] [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47501

--- Comment #7 from Alexey Varlamov <al...@gmail.com> 2009-11-09 03:05:45 UTC ---
Well, the only (speculative) concern I have is that the suggested change in APR
behavior can affect other programs (besides httpd) depending on APR.
OTOH a major release change may be enough warrant.



DO NOT REPLY [Bug 47501] [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47501

--- Comment #5 from Ruediger Pluem <rp...@apache.org> 2009-10-07 21:02:47 CEST ---
Now the patch makes perfect sense :-).



DO NOT REPLY [Bug 47501] [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47501

--- Comment #1 from Stefan Fritsch <sf...@sfritsch.de> 2009-10-06 10:52:27 PDT ---
I can confirm that this is broken with openldap 2.4.17 and that Alexey's patch
fixes the problem.



DO NOT REPLY [Bug 47501] [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47501

--- Comment #6 from Eric Covener <co...@gmail.com> 2009-10-31 07:08:51 UTC ---
(In reply to comment #5)
> Now the patch makes perfect sense :-).

While it's already the behavior for Novell, I really don't like the behavior of
this block of code.  The comment talks about reasonable defaults, but this
method should only be called if you're looking to change them anyway and you've
passed in an explicit number of hops.

Meanwhile, LDAP_OPT_REFHOPLIMIT isn't even ldap_get_option()'able in openldap.
I am fixing HTTPD to not make this APR call if the user hasn't explicitly asked
for a change from the SDK defaults.

Interested in comments from others, but I do not think it's wise to no-op this
call if we can't honor the specific value passed in.

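Added illustration, not part of the thread and not APR, httpd or OpenLDAP code: a small C model of the three ways a wrapper and its caller can treat a referral hop limit that the SDK refuses to set, as debated in the comments on this bug. All names are hypothetical, and the value 5 is taken from the log in the original report and assumed here to be the wrapper's default.

```c
#include <stdio.h>

/* Hypothetical model: none of these names are APR, httpd or OpenLDAP APIs. */
#define HOPS_NOT_CONFIGURED (-1)
#define WRAPPER_DEFAULT_HOPS 5   /* assumption; the value seen in the report's log */

enum policy { ALWAYS_SET, SILENT_NOOP, SET_ONLY_IF_EXPLICIT };
struct outcome { int connected; int admin_set_limit; int limit_enforced; };

/* Mock SDK setter: returns 0 on success, -1 when the SDK rejects the option. */
static int sdk_set_hoplimit(int sdk_supports, int hops, int *effective)
{
    if (!sdk_supports) return -1;
    *effective = hops;
    return 0;
}

struct outcome open_conn(int sdk_supports, enum policy p, int configured)
{
    struct outcome o = { 1, configured != HOPS_NOT_CONFIGURED, 0 };
    int effective = HOPS_NOT_CONFIGURED;   /* SDK keeps its own default */
    int want = o.admin_set_limit ? configured : WRAPPER_DEFAULT_HOPS;

    if (p == SET_ONLY_IF_EXPLICIT && !o.admin_set_limit)
        return o;                          /* nothing requested, nothing to fail */
    if (sdk_set_hoplimit(sdk_supports, want, &effective) != 0) {
        if (p != SILENT_NOOP)
            o.connected = 0;               /* error reaches the caller; auth fails */
        /* SILENT_NOOP: carry on although the limit was not applied */
    }
    o.limit_enforced = (effective == want);
    return o;
}

/* 1 when a limit was configured, the connection proceeds, and the limit is not in force. */
int silent_gap(struct outcome o)
{
    return o.connected && o.admin_set_limit && !o.limit_enforced;
}

int main(void)
{
    const char *names[] = { "always-set", "silent no-op", "set only if explicit" };
    for (int p = ALWAYS_SET; p <= SET_ONLY_IF_EXPLICIT; p++) {
        struct outcome d = open_conn(0, (enum policy)p, HOPS_NOT_CONFIGURED);
        struct outcome e = open_conn(0, (enum policy)p, 2);
        printf("%-22s default: connected=%d | explicit 2: connected=%d silent_gap=%d\n",
               names[p], d.connected, e.connected, silent_gap(e));
    }
    return 0;
}
```

Only the silent no-op leaves an explicitly configured limit unenforced while the connection still succeeds; the other two either connect with SDK defaults or report the failure.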


DO NOT REPLY [Bug 47501] [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47501

Alexey Varlamov <al...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #4 from Alexey Varlamov <al...@gmail.com> 2009-10-07 02:41:55 PDT ---
Right, that's my typo - OpenLDAP does *NOT* support setting the option.
Also note that LDAP support is moving to main APR, so the initial patch may
not be complete for the latest trunk; both APR and APR-util should be fixed.



DO NOT REPLY [Bug 47501] [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47501

--- Comment #3 from Ruediger Pluem <rp...@apache.org> 2009-10-06 21:09:36 CEST ---
(In reply to comment #2)
> What about older OpenLDAP versions (e.g. 2.3.x)? Do they still run fine with
> the patch?

Ok. So I guess I confused myself. I guess the correct statement from Alexey
should be:

The reason is that OpenLDAP does define the
LDAP_OPT_REFHOPLIMIT (under comment /* private and experimental options */
/* OpenLDAP specific options */) but apparently does *NOT* support setting it.
