Posted to dev@httpd.apache.org by Matthieu Estrade <ap...@moresecurity.org> on 2004/02/11 10:07:13 UTC
Re: mod_ldap/util_ldap Issues...
Hi,
About ldap cache + shm: I tested all these patches on Linux and they were
working well; it seems they work well on FreeBSD too.
I heard of problems on Solaris (PR #18756), but I am not sure these bugs are
from the ldap cache, but more from the changes done with the ldap lib and TLS.
Considering the module is still in the experimental directory, +1 for
backport.
Matthieu
Brad Nicholes wrote:
> There is a patch that was committed to CVS HEAD that is waiting for
>enough votes to be backported to the 2.0 branch. The patch addresses PR
>#18756 that deals with shared memory issues and could very possibly fix
>the problems that you are seeing. The patch has been sitting in the
>backport queue for some time now. I would like to go ahead and backport
>this patch now if nobody has any objections and since auth_ldap is an
>experimental module anyway.
> As far as your other question goes, NetWare uses auth_ldap
>extensively in our solutions and we have done a lot of testing using the
>caching directives. The difference is that NetWare does not use shared
>memory for the cache. Since the caching directives only appear to be a
>problem on shared memory platforms, this leads me to believe that the
>proposed patch should resolve this issue.
>
>Brad
>
>Brad Nicholes
>Senior Software Engineer
>Novell, Inc., the leading provider of Net business solutions
>http://www.novell.com
>
>>>>jessh@ptc.com Friday, January 30, 2004 12:38:21 PM >>>
>I've been struggling with mod_ldap / util_ldap for some time now. The
>module is basically working on Windows (and HP Apache has it working
>with the worker MPM on HPUX), but I've been utterly failing on Solaris
>(8).
>
>There are a good number of open bugs on this module. I updated to
>2.0.48 + the latest sources from CVS in hopes that the most critical of
>these issues would be resolved.
>
>Unfortunately, I find that my Apache always crashes with core dump on
>the very first attempt to authenticate against LDAP *if* I leave the
>LDAP cache activated. If I disable the LDAP cache, then LDAP
>authentication appears to work fine (in quick, light testing -- no
>stress testing yet).
>
>I don't have any reasonable debugger on the machine in question, so I
>just threw in some quick debug output. What is interesting to me is
>that util_ldap_cache_module_kill is called during the Apache startup
>process. This strikes me as highly suspicious and a possible cause of
>the latter crashes when attempting to access the LDAP cache -- but I
>could clearly be barking up the wrong tree.
>
>It is hard for me to believe that no one else in the Apache community
>needs LDAP authentication on Solaris. It is also hard for me to believe
>that I'm the only one seeing the issue -- especially given the fact that
>there are open bugs on this....
>
>Unfortunately, this is just the "showstopper" issue. Other issues
>include:
>
> * connections staying bound as wrong user preventing reliable
>   non-anonymous access to LDAP
> * crashes when LDAP cache size is exceeded (i.e. when cache purge is
>   attempted)
>    o *may* be fixed in HEAD -- I last tested in 2.0.47
> * crashes on Windows when LDAP cache shared memory block is full
>    o *may* be fixed in HEAD -- I last tested in 2.0.47
>
>Is the community giving up on the Apache groups' Apache 2 LDAP modules
>and using some other party's modules for this?
>
>I know there are some few individuals working hard on this area, but the
>open bugs in this area and severity thereof attest to a lack of
>cross-platform stability. I also know this is an "experimental" module,
>but it is one that some of us desperately need...
>
>--
>Jess Holle
Re: mod_ldap/util_ldap Issues...
Posted by Jess Holle <je...@ptc.com>.
Matthieu Estrade wrote:
> Hi,
>
> About ldap cache + shm: I tested all these patches on Linux and they were
> working well; it seems they work well on FreeBSD too.
> I heard of problems on Solaris (PR #18756), but I am not sure these bugs
> are from the ldap cache, but more from the changes done with the ldap lib and TLS.
The issues on Solaris *could* be due to LDAP lib, TLS, etc, *but*
the latest patches work absolutely fine on Solaris as long as I set the
cache sizes to 0 (i.e. disable it). Once I have real LDAP cache sizes
the very first LDAP-authenticated request causes a core dump.
[I'm trying to find some time to cozy up with a debugger on this...]
--
Jess Holle