Posted to dev@httpd.apache.org by Brad Nicholes <BN...@novell.com> on 2003/02/13 23:19:58 UTC
Standardizing mod_auth_ldap across LDAP SDKs...
Over the last couple of weeks one of our Novell LDAP SDK engineers
took a look at mod_auth_ldap to try to standardize it across various
SDKs especially with regards to SSL. I believe that these changes will
simplify configuring SSL for mod_auth_ldap and also isolate the SSL
functionality to mod_ldap rather than spreading it across both modules.
As a result we are proposing the following changes to mod_auth_ldap and
mod_ldap.
- Added LDAP SSL support for the Novell LDAP SDK
- Fixed memory leaks in mod_ldap
- Added a support framework (using #defines) for multiple vendor LDAP
SDKs. The framework currently supports the SDKs from Novell, NetScape,
OpenLDAP, and Microsoft. (Spent significant time testing compiling and
running with the various SDKs on Win32. However, ran into problems with
Microsoft's SDK. It GPFs when doing an ldap_set_option.)
- Removed all SSL & vendor LDAP SDK dependencies from mod_auth_ldap.
The vendor SDK dependencies are all grouped in mod_ldap.
- Removed the AuthLDAPStartTLS directive from mod_auth_ldap. The
AuthLDAPUrl directive is used to specify clear (ldap://) or SSL
(ldaps://) connections.
- Removed LDAPCertDBPath directive from mod_ldap. Replaced by the
following:
- Added new generic SSL directives to mod_ldap:
LDAPTrustedCA - specifies the Trusted Certificate Authority
used for SSL server cert verification.
LDAPTrustedCAType - specifies the certificate authority type
(DER_FILE, BASE64_FILE, CERT7_DB_PATH). The SDKs require different
types.
These two directives are used together to support the different SDKs.
- Since mod_ldap is the LDAP connection mgr it always loads with or
without SSL connection support. It logs the status of SSL support in
the log file. The modules which use mod_ldap (i.e. mod_auth_ldap)
decide what type of connections to request (clear / SSL) and what to do
if SSL connections are not available. mod_auth_ldap currently fails
the authentication request if the url specifies ldaps:// and SSL
connections are not supported by mod_ldap.
Through our testing we have run across two outstanding issues. One of
which I have already mentioned:
- Microsoft's LDAP SDK GPFs when doing an ldap_set_option.
- If caching is disabled in mod_ldap (cache values all set to -1), the
code faults. The current design appears to have problems when run with
all caching turned off.
I would like to commit these changes to the 2.1 tree as soon as
possible and also back port them to the 2.0 if acceptable.
Brad
Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com
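As an added example (not from the original post or from the httpd tree), the configuration this proposal implies: mod_ldap carries the trust anchor through LDAPTrustedCA and LDAPTrustedCAType, the ldaps:// scheme in AuthLDAPUrl requests an SSL connection, and the clear ldap:// form is shown commented out beside it. Hostnames, paths and the base DN are placeholders.

```apache
# Illustrative configuration written for this page, not shipped httpd config.
# Directive names follow the proposal above; hostnames, paths and DNs are
# placeholders.
LoadModule ldap_module      modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

# mod_ldap owns SSL. Point it at the CA that signed the directory server's
# certificate; the type must match what the linked SDK can read.
LDAPTrustedCA     /etc/httpd/ssl/ldap-ca.pem
LDAPTrustedCAType BASE64_FILE
# With a Netscape-style cert7.db the pair would instead be:
#   LDAPTrustedCA     /etc/httpd/ssl
#   LDAPTrustedCAType CERT7_DB_PATH

# Cache directives are left at their defaults: the post reports a fault
# when caching is turned off entirely.

<Location /private>
    AuthType Basic
    AuthName "Directory users"
    # Weak: bind DN and password cross the wire in the clear.
    # AuthLDAPUrl ldap://ldap.example.com:389/ou=People,dc=example,dc=com?uid
    # Preferred: ldaps:// asks mod_ldap for an SSL connection. If mod_ldap
    # was built without SSL support, mod_auth_ldap fails the request rather
    # than silently falling back to a clear connection.
    AuthLDAPUrl ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid
    require valid-user
</Location>
```

Check the error log after startup: mod_ldap records whether SSL support was compiled in, and that line is what decides whether the ldaps:// URL above can be honoured.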
Re: Standardizing mod_auth_ldap across LDAP SDKs...
Posted by Bill Stoddard <bi...@wstoddard.com>.
Jeff Trawick wrote:
> Graham Leggett wrote:
>
>> Brad Nicholes wrote:
>>
>> > - Added a support framework (using #defines) for multiple vendor LDAP
>> > SDKs. The framework currently supports the SDKs from Novell, NetScape,
>> > OpenLDAP, and Microsoft. (Spent significant time testing compiling and
>> > running with the various SDKs on Win32. However, ran into problems with
>> > Microsoft's SDK. It GPFs when doing an ldap_set_option.)
>>
>> The purpose of LDAP support being in apr-util is so that machine
>> specific and SDK specific issues can be addressed there. The #defines
>> you mention should not be in mod_ldap, they should rather be in apr-util.
>
> yes, I was hoping somebody would bring this up... everybody seems to be
> happy about the code, but doesn't this issue need to be resolved before
> committing?
>
Yes, I agree. Platform/library specific cruft should be moved into apr-util.
Bill
Re: Standardizing mod_auth_ldap across LDAP SDKs...
Posted by Jeff Trawick <tr...@attglobal.net>.
Graham Leggett wrote:
> Brad Nicholes wrote:
>
> > - Added a support framework (using #defines) for multiple vendor LDAP
> > SDKs. The framework currently supports the SDKs from Novell, NetScape,
> > OpenLDAP, and Microsoft. (Spent significant time testing compiling and
> > running with the various SDKs on Win32. However, ran into problems with
> > Microsoft's SDK. It GPFs when doing an ldap_set_option.)
>
>
> The purpose of LDAP support being in apr-util is so that machine
> specific and SDK specific issues can be addressed there. The #defines
> you mention should not be in mod_ldap, they should rather be in apr-util.
yes, I was hoping somebody would bring this up... everybody seems to be
happy about the code, but doesn't this issue need to be resolved before
committing?
Re: Standardizing mod_auth_ldap across LDAP SDKs...
Posted by Graham Leggett <mi...@sharp.fm>.
Brad Nicholes wrote:
> Over the last couple of weeks one of our Novell LDAP SDK engineers
> took a look at mod_auth_ldap to try to standardize it across various
> SDKs especially with regards to SSL.
Cool!
> - Added a support framework (using #defines) for multiple vendor LDAP
> SDKs. The framework currently supports the SDKs from Novell, NetScape,
> OpenLDAP, and Microsoft. (Spent significant time testing compiling and
> running with the various SDKs on Win32. However, ran into problems with
> Microsoft's SDK. It GPFs when doing an ldap_set_option.)
The purpose of LDAP support being in apr-util is so that machine
specific and SDK specific issues can be addressed there. The #defines
you mention should not be in mod_ldap, they should rather be in apr-util.
> - Removed the AuthLDAPStartTLS directive from mod_auth_ldap. The
> AuthLDAPUrl directive is used to specify clear (ldap://) or SSL
> (ldaps://) connections.
I'm not clear on this one - is there not a difference between SSL (make
secure connection and speak LDAP) and TLS (make an insecure connection
and then say starttls to upgrade the connection to a secure one)?
> I would like to commit these changes to the 2.1 tree as soon as
> possible and also back port them to the 2.0 if acceptable.
+1 on committing to v2.1 as soon as possible :)
Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."
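The clear/SSL decision the proposal describes, together with the distinction Graham raises between an ldaps:// connection (TLS handshake first, LDAP carried inside it) and StartTLS (a plain connection upgraded in-band), rendered as an added C example. This is illustrative code written for this page, not mod_ldap or mod_auth_ldap source; every type and function name is hypothetical, and StartTLS appears only as an enumerator because the URL scheme in the proposal has no way to request it.

```c
/* Added illustrative example for this page; not httpd, mod_ldap or
 * mod_auth_ldap code. All identifiers below are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    CONN_CLEAR,    /* ldap://  - plaintext LDAP on the directory port */
    CONN_SSL,      /* ldaps:// - TLS handshake first, then LDAP inside it */
    CONN_STARTTLS, /* ldap:// then the StartTLS extended operation: the
                      connection starts insecure and is upgraded in-band.
                      The proposal's URL scheme cannot request this. */
    CONN_UNKNOWN   /* unrecognised scheme */
} conn_type;

typedef enum { CA_DER_FILE, CA_BASE64_FILE, CA_CERT7_DB_PATH, CA_INVALID } ca_type;

typedef enum { AUTH_PROCEED, AUTH_FAIL_NO_SSL, AUTH_FAIL_BAD_URL } auth_decision;

/* URL schemes are case-insensitive, so compare ignoring case. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++) {
        if (s[i] == '\0' ||
            tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return 1;
}

static int equals_ci(const char *a, const char *b)
{
    return strlen(a) == strlen(b) && has_prefix_ci(a, b);
}

/* What the AuthLDAPUrl scheme asks mod_ldap for. */
conn_type conn_type_from_url(const char *url)
{
    if (url == NULL)                    return CONN_UNKNOWN;
    if (has_prefix_ci(url, "ldaps://")) return CONN_SSL;
    if (has_prefix_ci(url, "ldap://"))  return CONN_CLEAR;
    return CONN_UNKNOWN;
}

/* LDAPTrustedCAType takes one of three spellings; anything else is a
 * configuration error rather than a silent default. */
ca_type ca_type_from_directive(const char *value)
{
    if (value == NULL)                     return CA_INVALID;
    if (equals_ci(value, "DER_FILE"))      return CA_DER_FILE;
    if (equals_ci(value, "BASE64_FILE"))   return CA_BASE64_FILE;
    if (equals_ci(value, "CERT7_DB_PATH")) return CA_CERT7_DB_PATH;
    return CA_INVALID;
}

/* mod_auth_ldap's side of the contract: ssl_supported is what mod_ldap
 * logged at load time. A request for ldaps:// with no SSL support fails
 * closed; it is never downgraded to a clear connection. */
auth_decision decide_connection(const char *url, int ssl_supported)
{
    switch (conn_type_from_url(url)) {
    case CONN_CLEAR: return AUTH_PROCEED;
    case CONN_SSL:   return ssl_supported ? AUTH_PROCEED : AUTH_FAIL_NO_SSL;
    default:         return AUTH_FAIL_BAD_URL;
    }
}

int main(void)
{
    /* Constructed inputs: a mod_ldap built without SSL, and two URLs. */
    const char *urls[] = {
        "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid",
        "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid"
    };
    size_t i;
    for (i = 0; i < 2; i++) {
        auth_decision d = decide_connection(urls[i], 0);
        printf("%s -> %s\n", urls[i],
               d == AUTH_PROCEED ? "proceed" :
               d == AUTH_FAIL_NO_SSL ? "fail: SSL requested but unavailable" :
               "fail: bad URL");
    }
    return 0;
}
```

The point of the switch is the fail-closed branch: an ldaps:// URL on a mod_ldap without SSL support returns a failure, not a clear connection. A StartTLS scheme, if it were ever added, would need its own branch, since an upgrade that is refused or stripped by the server leaves the connection in exactly the state the administrator meant to avoid.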
RE: Standardizing mod_auth_ldap across LDAP SDKs...
Posted by "John K. Sterling" <jo...@sterls.com>.
Hi Brad -
the only suggestion I would have is to try to support SOME backward compatibility
(e.g. if StartTLS directive is used switch the url to ldaps or something
like that).
Looks like great progress for the software, though - I too would like to
see it committed.
sterling
Re: Standardizing mod_auth_ldap across LDAP SDKs...
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On Thu, 13 Feb 2003, Brad Nicholes wrote:
> - Added a support framework (using #defines) for multiple vendor LDAP
> SDKs. The framework currently supports the SDKs from Novell, NetScape,
> OpenLDAP, and Microsoft. (Spent significant time testing compiling and
> running with the various SDKs on Win32. However, ran into problems with
> Microsoft's SDK. It GPFs when doing an ldap_set_option.)
Very, very nice. Quite clean for such an extensive #ifdef construct.
This does of course 'block' the use of multiple ldap backends of different
vendors. But not sure that that is a great loss.
Dw