Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/03/01 15:42:47 UTC
[Bug 54626] New: mod_authnz_ldap through util_ldap.c does not support ldaps on the microsoft ldap sdk
https://issues.apache.org/bugzilla/show_bug.cgi?id=54626
Bug ID: 54626
Summary: mod_authnz_ldap through util_ldap.c does not support ldaps on the microsoft ldap sdk
Product: Apache httpd-2
Version: 2.4.4
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_authnz_ldap
Assignee: bugs@httpd.apache.org
Reporter: eirik.lygre@gmail.com
Classification: Unclassified
We have been trying to set up Apache on Windows with ldaps (ssl)
authentication, using apr-util compiled with the Microsoft ldap sdk, with
little success. The log output, the source code and discussions on email lists
indicate that there is a bug in the interaction between httpd (util_ldap.c) and
apr-util which makes this combination impossible.
In short, this is what happens (with more detail below):
- util_ldap.c always calls apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...),
even when there are no global certs
- apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...) always fails when called
with APR_HAS_MICROSOFT_LDAPSDK
- when this fails, ldaps is disabled
The probable fix would be in util_ldap.c, in the function util_ldap_post_config.
Immediately after calling apr_ldap_ssl_init(), the function calls
apr_ldap_set_option() with the global certs. The fix would be to make the call to
apr_ldap_set_option() only when there are in fact any global certs defined. Coded
blindly, as I don't have a build environment:
rc = apr_ldap_ssl_init(p,
NULL,
0,
&(result_err));
- if (APR_SUCCESS == rc) {
+ if (APR_SUCCESS == rc && !apr_is_empty_array(st->global_certs)) {
rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
(void *)st->global_certs, &(result_err));
}
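Review bot: the added guard only avoids the failing call when no global certs are configured; when an admin does set LDAPTrustedGlobalCert under the Microsoft SDK, apr_ldap_set_option() still reaches the option_set_cert() branch quoted below (lines 627-633), which fails unconditionally, and ssl_supported is cleared with the same generic "LDAP: SSL support unavailable" line, so ldaps silently stops working for the opposite reason. Consider pairing this guard with a config-time rejection of LDAPTrustedGlobalCert when APR_HAS_MICROSOFT_LDAPSDK is defined, or at least a distinct log message stating that the directive is ignored on that SDK, so the failure is attributable from error_log.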
++++++++++++++++++++++++++++++++
1) Extracts of httpd config:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<Location />
AuthLDAPURL ldaps://127.0.0.1:1389/ou=People,dc=example,dc=com?uid
</Location>
2) The error_log has the following entries:
[Mon Feb 25 22:21:18 2013] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Mon Feb 25 22:21:18 2013] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
3) During initialization of util_ldap.c
(http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c?view=markup),
in util_ldap_post_config(): After calling apr_ldap_ssl_init(), on line 2031,
the method apr_ldap_set_option (APR_LDAP_OPT_TLS_CERT) is always called,
regardless of whether there are any global certs or not.
2020 /*
2021 * Initialize SSL support, and log the result for the benefit of the admin.
2022 *
2023 * If SSL is not supported it is not necessarily an error, as the
2024 * application may not want to use it.
2025 */
2026 rc = apr_ldap_ssl_init(p,
2027 NULL,
2028 0,
2029 &(result_err));
2030 if (APR_SUCCESS == rc) {
2031 rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
2032 (void *)st->global_certs, &(result_err));
2033 }
2034
2035 if (APR_SUCCESS == rc) {
2036 st->ssl_supported = 1;
2037 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
2038 "LDAP: SSL support available" );
2039 }
2040 else {
2041 st->ssl_supported = 0;
2042 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
2043 "LDAP: SSL support unavailable%s%s",
2044 result_err ? ": " : "",
2045 result_err ? result_err->reason : "");
2046 }
4) Now, in apr_ldap
(http://svn.apache.org/viewvc/apr/apr-util/tags/1.4.1/ldap/apr_ldap_option.c?view=markup),
the method apr_ldap_set_option() forwards to option_set_cert() (line 396),
which ends up in the following code which *always* fails.
627 #if APR_HAS_MICROSOFT_LDAPSDK
628 /* Microsoft SDK use the registry certificate store - error out
629 * here with a message explaining this. */
630 result->reason = "LDAP: CA certificates cannot be set using this method, "
631 "as they are stored in the registry instead.";
632 result->rc = -1;
633 #endif
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 54626] mod_authnz_ldap through util_ldap.c does not support ldaps on the microsoft ldap sdk
--- Comment #4 from jfclere <jf...@gmail.com> ---
http://svn.apache.org/viewvc?view=revision&revision=r1526436
[Bug 54626] mod_authnz_ldap through util_ldap.c does not support ldaps on the microsoft ldap sdk
Eirik Lygre <ei...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |eirik.lygre@gmail.com
[Bug 54626] mod_authnz_ldap through util_ldap.c does not support ldaps on the microsoft ldap sdk
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |covener@gmail.com
OS| |All
[Bug 54626] mod_authnz_ldap through util_ldap.c does not support ldaps on the microsoft ldap sdk
--- Comment #2 from jfclere <jf...@gmail.com> ---
I am working on a better patch.
[Bug 54626] mod_authnz_ldap through util_ldap.c does not support ldaps on the microsoft ldap sdk
--- Comment #3 from jfclere <jf...@gmail.com> ---
Created attachment 30881
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30881&action=edit
patch against 2.2.25
[Bug 54626] mod_authnz_ldap through util_ldap.c does not support ldaps on the microsoft ldap sdk
--- Comment #1 from Eric Covener <co...@gmail.com> ---
looks sensible, but i think we ought to also:
* block LDAPTrustedGlobalCert on MS SDK
* change the INFO messages that follow for the MS SDK.
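The following is an added model of the decision the reporter traces through util_ldap_post_config(), together with the config-time check Eric Covener suggests in Comment #1. It is not httpd or apr-util code and does not reproduce the committed fix (r1526436 is only linked on this bug, not quoted): the APR types and calls are replaced by small stand-ins that implement only the behaviour quoted in the report (option_set_cert() failing unconditionally under the Microsoft SDK), the SDK flag and certificate count are passed in as plain integers, and check_trusted_global_cert() is a hypothetical check named here for illustration. Running it prints the ssl_supported truth table for the original and the guarded logic, which is what an admin reading "SSL support unavailable" with no certificate configured needs to see.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the util_ldap_post_config() decision described in the bug
 * report. Not httpd/apr-util code: the APR types and functions below are
 * stand-ins that reproduce only the behaviour the report quotes. */

#define MODEL_SUCCESS 0
#define MODEL_FAILURE (-1)

struct model_err {
    const char *reason;   /* stand-in for apr_ldap_err_t::reason */
    int rc;
};

/* Stand-in for apr_ldap_ssl_init(): initialisation itself succeeds on every SDK. */
static int model_ssl_init(struct model_err *err)
{
    err->reason = NULL;
    err->rc = MODEL_SUCCESS;
    return MODEL_SUCCESS;
}

/* Stand-in for apr_ldap_set_option(APR_LDAP_OPT_TLS_CERT). Mirrors the quoted
 * option_set_cert() branch: with the Microsoft SDK it fails unconditionally,
 * even when the certificate list is empty; other SDKs accept the list. */
static int model_set_option_tls_cert(int ms_sdk, int ncerts, struct model_err *err)
{
    (void)ncerts;  /* the quoted branch never looks at the list */
    if (ms_sdk) {
        err->reason = "LDAP: CA certificates cannot be set using this method, "
                      "as they are stored in the registry instead.";
        err->rc = MODEL_FAILURE;
        return MODEL_FAILURE;
    }
    err->reason = NULL;
    err->rc = MODEL_SUCCESS;
    return MODEL_SUCCESS;
}

/* Post-config flow as quoted from util_ldap.c lines 2026-2046: set_option is
 * called whenever ssl_init succeeded. Returns the resulting ssl_supported
 * flag and stores the log reason (or NULL) in *reason. */
int ssl_supported_original(int ms_sdk, int ncerts, const char **reason)
{
    struct model_err err;
    int rc = model_ssl_init(&err);
    if (rc == MODEL_SUCCESS) {
        rc = model_set_option_tls_cert(ms_sdk, ncerts, &err);
    }
    *reason = err.reason;
    return rc == MODEL_SUCCESS ? 1 : 0;
}

/* Same flow with the reporter's proposed guard: only call set_option when
 * the global certificate list is non-empty. */
int ssl_supported_patched(int ms_sdk, int ncerts, const char **reason)
{
    struct model_err err;
    int rc = model_ssl_init(&err);
    if (rc == MODEL_SUCCESS && ncerts > 0) {
        rc = model_set_option_tls_cert(ms_sdk, ncerts, &err);
    }
    *reason = err.reason;
    return rc == MODEL_SUCCESS ? 1 : 0;
}

/* Hypothetical config-time check in the spirit of Comment #1: under the
 * Microsoft SDK an LDAPTrustedGlobalCert directive cannot take effect, so
 * reject it early with a specific message instead of letting post-config
 * report a generic "SSL support unavailable". NULL means acceptable. */
const char *check_trusted_global_cert(int ms_sdk, int ncerts)
{
    if (ms_sdk && ncerts > 0) {
        return "LDAPTrustedGlobalCert is not supported with the Microsoft LDAP SDK; "
               "CA certificates are taken from the Windows certificate store.";
    }
    return NULL;
}

int main(void)
{
    const char *reason;
    int sdk, ncerts;
    /* Truth table: ms_sdk in {0,1} x ncerts in {0,1}. */
    for (sdk = 0; sdk <= 1; sdk++) {
        for (ncerts = 0; ncerts <= 1; ncerts++) {
            int orig = ssl_supported_original(sdk, ncerts, &reason);
            int patched = ssl_supported_patched(sdk, ncerts, &reason);
            const char *cfg = check_trusted_global_cert(sdk, ncerts);
            printf("ms_sdk=%d ncerts=%d original=%d patched=%d config_check=%s\n",
                   sdk, ncerts, orig, patched, cfg ? "rejected" : "ok");
        }
    }
    return 0;
}
```

The row ms_sdk=1, ncerts=0 is the reporter's situation: the original flow reports SSL unavailable with the registry message although nothing was configured, the guarded flow keeps SSL enabled. The row ms_sdk=1, ncerts=1 is the case the guard alone does not address, which is why the config-time rejection is modelled alongside it.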