Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/01/05 22:48:20 UTC

DO NOT REPLY [Bug 38146] New: - LDAP StartTLS ExOp runs too early

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38146>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38146

           Summary: LDAP StartTLS ExOp runs too early
           Product: Apache httpd-2
           Version: 2.2.0
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: richton@nbcs.rutgers.edu


mod_ldap does not perform Start TLS properly. Per RFC2830, Start TLS is an
LDAPv3 Extended Operation. As such, LDAPv3 must be selected as the protocol
version PRIOR to performing the Start TLS operation. util_ldap.c does not do
this, resulting in LDAP "Not Available" errors (interpreted, "extended
operations are not available in LDAPv2 per RFC") when it is attempted to be used.

The solution is trivial: change to LDAPv3 before attempting to use Extended
Operations. Please consider the attached code move. It should apply cleanly to
2.2.0 and snapshot 20060105173307.

--- util_ldap.c.orig    2006-01-05 15:23:46.237518000 -0500
+++ util_ldap.c 2006-01-05 15:24:16.355137000 -0500
@@ -263,6 +263,9 @@
             return(result->rc);
         }

+        /* always default to LDAP V3 */
+        ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
+
         /* set client certificates */
         if (!apr_is_empty_array(ldc->client_certs)) {
             apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
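Review bot: the moved `ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);` call discards its return value, and `version` is neither declared nor initialised inside this hunk, so the new call site must still sit after the point where `version` is set to 3. If the option cannot be set, the later StartTLS extended operation fails with exactly the "Not Available" error the report describes, so check the result here and fail the connection setup through `result->rc`, as the code immediately above this hunk already does with `return(result->rc);`, rather than continuing into the client-certificate and TLS setup.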
@@ -292,9 +295,6 @@
         /* Set the alias dereferencing option */
         ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));

-        /* always default to LDAP V3 */
-        ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
-
 /*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
 #ifdef APR_LDAP_OPT_VERIFY_CERT
         apr_ldap_set_option(ldc->pool, ldc->ldap,
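Review bot: this deletion is only correct together with the addition in the first hunk; a backport that applies one hunk without the other either leaves the connection at the library's default protocol version (so StartTLS still fails) or sets the version twice. Propose both hunks as one indivisible change for the backport, and state in the commit message that the version option must precede the TLS setup that lies between the old and the new location.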

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
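As an added illustration of the ordering the report describes, not code from httpd or util_ldap.c: the StartTLS request is an LDAPv3 ExtendedRequest carrying the RFC 2830 OID, encoded below by hand next to a v3 BindRequest, with a small connection model that refuses the extended operation until the protocol version is 3. The `LdapConnection` class, its LDAPv2 default and all helper names are assumptions made for this example.

```python
# Constructed example, not from util_ldap.c: BER encodings for a BindRequest and
# the StartTLS ExtendedRequest (RFC 2830), plus a client model of the ordering rule.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS requestName, RFC 2830
LDAP_VERSION3 = 3

def ber(tag, content):
    """One BER TLV with a definite length (short form, or long form for >= 128)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def ldap_message(msg_id, protocol_op):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return ber(0x30, ber(0x02, bytes([msg_id])) + protocol_op)  # IDs below 128

def bind_request(msg_id, version, dn=""):
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER (1..127),
    #   name LDAPDN, authentication CHOICE { simple [0] OCTET STRING, ... } }
    body = ber(0x02, bytes([version])) + ber(0x04, dn.encode()) + ber(0x80, b"")
    return ldap_message(msg_id, ber(0x60, body))

def starttls_request(msg_id):
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    # LDAPOID is the dotted-decimal string as octets, not an ASN.1 OBJECT IDENTIFIER.
    return ldap_message(msg_id, ber(0x77, ber(0x80, STARTTLS_OID.encode())))

class LdapConnection:
    """Assumed client model: the protocol version is per-connection state (like
    LDAP_OPT_PROTOCOL_VERSION) and extended operations are refused below v3."""
    def __init__(self):
        self.version = 2  # assumed library default: LDAPv2 until set otherwise
        self.sent = []    # messages emitted, in order; message IDs start at 1

    def set_protocol_version(self, version):
        self.version = version

    def start_tls(self):
        if self.version < LDAP_VERSION3:  # the failure the report describes
            raise RuntimeError("StartTLS is an LDAPv3 extended operation")
        self.sent.append(starttls_request(len(self.sent) + 1))
        return self.sent[-1]

    def bind(self, dn=""):
        # The version the server sees is carried in the BindRequest itself.
        self.sent.append(bind_request(len(self.sent) + 1, self.version, dn))
        return self.sent[-1]
```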


DO NOT REPLY [Bug 38146] - LDAP StartTLS ExOp runs too early

Posted by bu...@apache.org.


rpluem@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
           Keywords|                            |PatchAvailable
         Resolution|                            |FIXED

------- Additional Comments From rpluem@apache.org  2006-01-21 12:53 -------
Trunk commit: r370856 (http://svn.apache.org/viewcvs.cgi?rev=370856&view=rev)
Backport proposal: r370857 (http://svn.apache.org/viewcvs.cgi?rev=370857&view=rev)



DO NOT REPLY [Bug 38146] - LDAP StartTLS ExOp runs too early

Posted by bu...@apache.org.

------- Additional Comments From bnicholes@apache.org  2006-01-20 18:01 -------
Patch applied to trunk and proposed for backport
