Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2005/01/04 20:40:01 UTC

Auth LDAP ssl/tls differences

It seems that our support for ssl/tls with mod_ldap is considerably
confusing and frustrating for users.  The recent interest in fixing
support for the Solaris/Netscape/Mozilla library reminded me of the
fact that we need to finish thinking this through.

Fast summary for those less familiar; there are two SSL schemas
for LDAP communications.

 . Solaris/Netscape/Mozilla support is based on explicit SSLv3
   connection to the ldaps:// port, 636.

 . OpenLDAP supports ldaps://, it also supports STARTTLS
   protocol over port 389.  STARTTLS should not be invoked by
   the scheme ldaps:// (it's a semantic error - ldaps:// should
   not refer to an upgraded SSL connection, and would imply
   port 636 which is not correct for this protocol.)

The correct scheme/port for STARTTLS LDAP connections is
ldap:// with port 389 implicit.  We need a mechanism to clarify
to mod_ldap that TLS security is desired.

Incident http://issues.apache.org/bugzilla/show_bug.cgi?id=31443
offers a solution which we should consider adopting.  As I was
asking for some offline feedback - Graham mentioned that some
implementations use the URL to specify that STARTTLS is desired.
But without some references the proposal seems to be a better
option - we shouldn't be redefining the ldap:// URI space.

Does anyone have any references to specifying STARTTLS as part
of the URI to the ldap server?  Any other comments on this patch
before I integrate into httpd-2.1?

Bill
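As an added example that is not part of this thread (it is not httpd or APR code), the following Python sketch applies the distinction above: the ldaps:// scheme means an SSL connection to port 636, while STARTTLS is an upgrade of a plain ldap:// connection on port 389 and has to be requested by a separate configuration setting rather than by the URL. The names `plan_connection`, `ConnectionPlan`, the `start_tls` flag, the mode labels and the "localhost" fallback for a URL with no host are all my own assumptions.

```python
"""Added example, not from the thread: derive a connection plan from an
LDAP URL plus an out-of-URL 'start_tls' setting (the role the proposed
LDAPStartTLS/AuthLDAPStartTLS directive would play)."""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Well-known default ports for the two schemes discussed in the thread.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class ConnectionPlan:
    host: str
    port: int
    base_dn: str
    tls_mode: str  # "none", "ldaps" (SSL from the first byte) or "starttls"


def plan_connection(url: str, start_tls: bool = False) -> ConnectionPlan:
    """Combine the URL scheme with the separate start_tls setting.

    STARTTLS is only meaningful on a plain ldap:// connection; asking for
    it together with ldaps:// is the semantic error the thread calls out,
    so it is rejected rather than silently picking one of the two.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if scheme == "ldaps" and start_tls:
        raise ValueError("STARTTLS cannot be combined with the ldaps:// scheme")

    # Assumption: a host-less URL (ldap:///dc=example) means the local server.
    host = parts.hostname or "localhost"
    # An explicit port wins; otherwise the scheme's default applies,
    # so ldap:// + STARTTLS lands on 389, never 636.
    port = parts.port or DEFAULT_PORTS[scheme]
    # The first path component of an LDAP URL is the (percent-encoded) base DN.
    base_dn = unquote(parts.path.lstrip("/"))

    if scheme == "ldaps":
        tls_mode = "ldaps"
    elif start_tls:
        tls_mode = "starttls"
    else:
        tls_mode = "none"
    return ConnectionPlan(host, port, base_dn, tls_mode)


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real deployment.
    print(plan_connection("ldap://ldap.example.com/dc=example,dc=com", start_tls=True))
    print(plan_connection("ldaps://ldap.example.com/dc=example,dc=com"))
```

The point of keeping `start_tls` out of the URL is that the same `ldap://` URL stays valid for clients that do not understand a STARTTLS extension, and the TLS requirement is enforced by the one place (the configuration) that the administrator controls.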




Re: Auth LDAP ssl/tls differences

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 01:55 PM 1/4/2005, Jim Jagielski wrote:

>On Jan 4, 2005, at 2:40 PM, William A. Rowe, Jr. wrote:
>>
>>Incident http://issues.apache.org/bugzilla/show_bug.cgi?id=31443
>>offers a solution which we should consider adopting.  As I was
>>asking for some offline feedback - Graham mentioned that some
>>implementations use the URL to specify that STARTTLS is desired.
>>But without some references the proposal seems to be a better
>>option - we shouldn't be redefining the ldap:// URI space.
>>
>>Does anyone have any references to specifying STARTTLS as part
>>of the URI to the ldap server?  Any other comments on this patch
>>before I integrate into httpd-2.1?
>
>+1 for adding it in... Even better if it's made into
>a branch for development before folding back into HEAD
>(yeah svn!) but no matter what, let's fold it in and
>start cracking on it.

For httpd-2.1 - the patch is entangled across apr and httpd.
The httpd side shouldn't require a cheap branch, since it should
be forward progress which won't affect existing configurations.
The apr side might need to be twisted off into a temporary branch
but we can see how awkward the code changes come out.

Looking for any other comment or alternative or ldap URI syntax
before we commit the LDAPStartTLS (or AuthLDAPStartTLS which seems
to be where this directive should be, associated with an AuthLDAPURL?)

Bill



Re: Auth LDAP ssl/tls differences

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jan 4, 2005, at 2:40 PM, William A. Rowe, Jr. wrote:
>
> Incident http://issues.apache.org/bugzilla/show_bug.cgi?id=31443
> offers a solution which we should consider adopting.  As I was
> asking for some offline feedback - Graham mentioned that some
> implementations use the URL to specify that STARTTLS is desired.
> But without some references the proposal seems to be a better
> option - we shouldn't be redefining the ldap:// URI space.
>
> Does anyone have any references to specifying STARTTLS as part
> of the URI to the ldap server?  Any other comments on this patch
> before I integrate into httpd-2.1?

+1 for adding it in... Even better if it's made into
a branch for development before folding back into HEAD
(yeah svn!) but no matter what, let's fold it in and
start cracking on it.


Re: Auth LDAP ssl/tls differences

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
> Does anyone have any references to specifying STARTTLS as part
> of the URI to the ldap server?  Any other comments on this patch
> before I integrate into httpd-2.1?

No, it should be specified by a configuration option, as suggested
in the PR.

....Roy


Re: Auth LDAP ssl/tls differences

Posted by Graham Leggett <mi...@sharp.fm>.
William A. Rowe, Jr. said:

> Incident http://issues.apache.org/bugzilla/show_bug.cgi?id=31443
> offers a solution which we should consider adopting.  As I was
> asking for some offline feedback - Graham mentioned that some
> implementations use the URL to specify that STARTTLS is desired.
> But without some references the proposal seems to be a better
> option - we shouldn't be redefining the ldap:// URI space.

Doing some Googling, it seems that an out of url directive seems to be the
way everyone else is handling it.

Let me look at this patch - it will probably need some reworking to fit in
with the binary compatibility requirements of APR, but I need an LDAP
enabled release of APR in the next few days, so there is an urgency to
finish this off :)

Regards,
Graham
--


Re: Auth LDAP ssl/tls differences

Posted by Graham Leggett <mi...@sharp.fm>.
William A. Rowe, Jr. said:

> The correct scheme/port for STARTTLS LDAP connections is
> ldap:// with port 389 implicit.  We need a mechanism to clarify
> to mod_ldap that TLS security is desired.

I have just taught apr-util's apr_ldap_init() function to handle
STARTTLS in addition to SSL (or no encryption).

apr_ldap_init() supports an integer "secure", which presently takes the
values "0" for no encryption, and "1" for SSL. This now also takes the
values "2" for STARTTLS, "3" for STARTTLS allowed if the server requested
it, and "4" for optionally try STARTTLS. (All of this comes from OpenLDAP
semantics, which some googling suggests is the new standard method for
replacing deprecated legacy functions like ldap_start_tls_s()). This way
apr_ldap_init() is extended to support STARTTLS while maintaining
backwards compatibility.

The next task is to modify httpd's util_ldap so it knows about the above
extended behaviour.

Regards,
Graham
--