You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/01/05 22:48:20 UTC
DO NOT REPLY [Bug 38146] New: - LDAP StartTLS ExOp runs too early
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38146>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38146
Summary: LDAP StartTLS ExOp runs too early
Product: Apache httpd-2
Version: 2.2.0
Platform: All
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: mod_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: richton@nbcs.rutgers.edu
mod_ldap does not perform Start TLS properly. Per RFC2830, Start TLS is an
LDAPv3 Extended Operation. As such, LDAPv3 must be selected as the protocol
version PRIOR to performing the Start TLS operation. util_ldap.c does not do
this, resulting in LDAP "Not Available" errors (interpreted, "extended
operations are not available in LDAPv2 per RFC") when it is attempted to be used.
The solution is trivial: change to LDAPv3 before attempting to use Extended
Operations. Please consider the attached code move. It should apply clean to
2.2.0 and snapshot 20060105173307.
--- util_ldap.c.orig 2006-01-05 15:23:46.237518000 -0500
+++ util_ldap.c 2006-01-05 15:24:16.355137000 -0500
@@ -263,6 +263,9 @@
return(result->rc);
}
+ /* always default to LDAP V3 */
+ ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
+
/* set client certificates */
if (!apr_is_empty_array(ldc->client_certs)) {
apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
@@ -292,9 +295,6 @@
/* Set the alias dereferencing option */
ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
- /* always default to LDAP V3 */
- ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
-
/*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
#ifdef APR_LDAP_OPT_VERIFY_CERT
apr_ldap_set_option(ldc->pool, ldc->ldap,
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 38146] - LDAP StartTLS ExOp runs too early
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38146>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38146
rpluem@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Keywords| |PatchAvailable
Resolution| |FIXED
------- Additional Comments From rpluem@apache.org 2006-01-21 12:53 -------
Trunk commit: r370856 (http://svn.apache.org/viewcvs.cgi?rev=370856&view=rev)
Backport proposal: r370857
(http://svn.apache.org/viewcvs.cgi?rev=370857&view=rev)
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 38146] - LDAP StartTLS ExOp runs too early
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38146>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38146
------- Additional Comments From bnicholes@apache.org 2006-01-20 18:01 -------
Patch applied to trunk and proposed for backport
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org