Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/08/30 12:58:38 UTC
DO NOT REPLY [Bug 43249] New: - ldap_simple_bind_s failed when using SUN LDAP Libs w/o SSL
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43249>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43249
Summary: ldap_simple_bind_s failed when using SUN LDAP Libs w/o SSL
Product: Apache httpd-2
Version: 2.2.4
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: mod_auth_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: kevin.richter@uni-hildesheim.de
Error:
auth_ldap authenticate: user myself authentication failed; URI /test/ [LDAP:
ldap_simple_bind_s() failed][Can't connect to the LDAP server]
My config:
AuthLDAPUrl "ldap://1.2.3.4:389/ou=group,dc=xyz,dc=de?uid?one" NONE
Reason:
File srclib/apr-util/ldap/apr_ldap_init.c
Row 149, Function apr_ldap_init
[snip]
#if APR_HAS_LDAPSSL_INIT
*ldap = ldapssl_init(hostname, portno, 0);
#elif APR_HAS_LDAP_SSLINIT
*ldap = ldap_sslinit((char *)hostname, portno, 0);
#else
*ldap = ldap_init((char *)hostname, portno);
#endif
[/snip]
It uses ldapssl_init to open an SSL-less connection. What the hell? ;-)
My change is:
[snip]
#if APR_HAS_LDAPSSL_INIT
// *ldap = ldapssl_init(hostname, portno, 0);
*ldap = ldap_init((char *)hostname, portno);
#elif APR_HAS_LDAP_SSLINIT
*ldap = ldap_sslinit((char *)hostname, portno, 0);
#else
*ldap = ldap_init((char *)hostname, portno);
#endif
[/snip]
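Review bot: under "#if APR_HAS_LDAPSSL_INIT" the replacement is unconditional, so every SDK that defines that macro now goes through ldap_init(), not only the Sun libraries this report is about, and the first and last branches become the same call. If the Sun SDK needs different handling, give it its own guarded branch and leave the ldapssl_init(hostname, portno, 0) path as it is for the other SDKs; also delete the old call instead of leaving it behind as a "//" comment.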
Everything works :)
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 43249] - ldap_simple_bind_s failed when using SUN LDAP Libs w/o SSL
Posted by bu...@apache.org.
------- Additional Comments From bnicholes@apache.org 2007-08-30 08:12 -------
There is something else going on in your environment. ldapssl_init() doesn't
actually create a connection or talk over SSL to an ldap server. It just
prepares the client connection handle to allow an SSL connection if
necessary. The resulting handle could be used to make a non-ssl connection or
an ssl connection. In fact ldapssl_init(..., 0) is functionally equivalent to
ldap_init(...). If Solaris requires some additional special handling, then
that would need to be identified and handled separately. SSL is one of the
areas that is very different between SDKs.
DO NOT REPLY [Bug 43249] - ldap_simple_bind_s failed when using SUN LDAP Libs w/o SSL
Posted by bu...@apache.org.
------- Additional Comments From bnicholes@apache.org 2007-08-30 13:25 -------
The LDAP functionality has been tested with OpenLDAP, Novell LDAP and Netscape
LDAP SDKs. To my knowledge, no real testing or integration has been done
against the SUN LDAP SDK. As I mentioned before, SSL is one of those tricky
parts that usually functions differently between SDKs. I would expect that
somebody who knows a lot more about the SUN LDAP SDK than I do needs to work
up and submit some patches so that it works correctly and doesn't break the
other platforms.
DO NOT REPLY [Bug 43249] - ldap_simple_bind_s failed when using SUN LDAP Libs w/o SSL
Posted by bu...@apache.org.
covener@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |covener@gmail.com
DO NOT REPLY [Bug 43249] - ldap_simple_bind_s failed when using SUN LDAP Libs w/o SSL
Posted by bu...@apache.org.
------- Additional Comments From kevin.richter@uni-hildesheim.de 2007-08-30 12:26 -------
I don't think that my environment is weird.
It's a fresh Solaris 10 install with all the latest patch clusters.
My configure command is:
./configure --prefix=/opt/local/app/apache-2.2.4 --enable-mods-shared=most
--enable-so --with-mpm=worker --enable-nonportable-atomics --disable-userdir
--disable-authn-dbd --disable-authn-dbm --disable-authz-dbm
--disable-authnz-ldap --disable-status --disable-dbd --disable-dav
--disable-dav-fs --disable-dav-lock --disable-cgi --enable-cgid
--enable-unique-id --enable-suexec --with-suexec-caller=webservd
--with-suexec-docroot=/data/web --with-suexec-uidmin=100
--with-suexec-gidmin=100 --with-suexec-logfile=/data/logs/suexec_log
--enable-ssl --enable-authnz-ldap --enable-ldap --with-ldap-lib=/usr/lib
--with-ldap-include=/usr/include --with-ldap=yes --with-ssl=/opt/local
--enable-proxy --enable-proxy-http
The SUN LDAP packages
SUNWhea
SUNWlldap
are installed.
No OpenLDAP and no SFW LDAP (like SFWoldap).
$ ls -l /usr/include/*ldap*
-rw-r--r-- 1 root bin 56030 Jan 21 2005 /usr/include/ldap.h
$ ls -l /usr/lib/*ldap*
lrwxrwxrwx 1 root root 12 Feb 13 2007 /usr/lib/libldap.so -> libldap.so.5
-rwxr-xr-x 1 root bin 214076 Jan 23 2005 /usr/lib/libldap.so.4
-rwxr-xr-x 1 root bin 367208 Jan 24 2007 /usr/lib/libldap.so.5
lrwxrwxrwx 1 root root 13 Feb 13 2007 /usr/lib/libsldap.so -> libsldap.so.1
-rwxr-xr-x 1 root bin 233416 Jan 24 2007 /usr/lib/libsldap.so.1
-rw-r--r-- 1 root bin 18479 Jan 22 2005 /usr/lib/llib-lldap
-rw-r--r-- 1 root bin 78630 May 29 06:03 /usr/lib/llib-lldap.ln
-rw-r--r-- 1 root bin 3490 Jan 22 2005 /usr/lib/llib-lsldap
-rw-r--r-- 1 root bin 86080 May 29 06:04 /usr/lib/llib-lsldap.ln
-rwxr-xr-x 1 root bin 116764 May 29 20:49 /usr/lib/nss_ldap.so.1
/usr/lib/ldap:
total 388
-r-xr-xr-x 1 root bin 131282 Nov 7 2006 idsconfig
-r-xr-xr-x 1 root bin 50532 Jan 23 2005 ldap_cachemgr
As I said, there is nothing weird.
I would laugh if any other user can use the .htaccess authorization against LDAP
without SSL with these SUN LDAP libs without a patch.
And in fact I don't know if ldapssl_init(..., 0) and ldap_init(...) are
really equivalent in the SUN LDAP implementation. But I don't think so; otherwise
both versions should work.