Posted to bugs@apr.apache.org by bu...@apache.org on 2010/09/02 13:43:57 UTC

DO NOT REPLY [Bug 42682] Apache child terminates with signal 11 when using Sun LDAP with SSL

https://issues.apache.org/bugzilla/show_bug.cgi?id=42682

--- Comment #6 from Stefan Fritsch <sf...@sfritsch.de> 2010-09-02 07:43:53 EDT ---
There are a couple of problems here.

- As noted by Nick, apr_ldap_init() should pass the "secure" parameter on to
the LDAP library. This alone is not enough, though.

- Solaris LDAP does not support activating SSL by using ldap_set_option. The
only way is to pass 1 as second parameter in ldapssl_init().

- Apache httpd's mod_ldap currently always passes secure == APR_LDAP_NONE to
apr_ldap_init() and then tries to enable SSL later with apr_ldap_set_option(). 
To make it possible to use Solaris LDAP with mod_ldap, mod_ldap would have to
enable SSL at apr_ldap_init-time and skip the apr_ldap_set_option(...,
APR_LDAP_OPT_TLS_CERT, ...) call. Of course, doing this unconditionally would
break various SSL features with other LDAP libraries.

One way to solve this would be to have some '#if APR_HAS_SOLARIS_LDAPSDK' in
mod_ldap. This breaks the apr-ldap abstraction, but AFAIK apr-ldap will be axed
anyway.

On the other hand, the documentation for apr_ldap_init() already recommends:
"set the SSL mode here if no per connection client certificates are present,
otherwise set secure APR_LDAP_NONE here, then set the per connection client
certificates, followed by setting the SSL mode via apr_ldap_set_option()". Is
this a way forward or is the risk too high that this would break mod_ssl with
some other LDAP library?

The attached patch tries to implement the second solution. It works with Solaris
LDAP, but I haven't tested it with any other SDK. Does this look good?
