Posted to dev@httpd.apache.org by Matthieu Estrade <ap...@moresecurity.org> on 2004/02/11 10:07:13 UTC

Re: mod_ldap/util_ldap Issues...

Hi,

About ldap cache + shm: I tested all these patches on Linux and it was 
working well; it seems to work well on FreeBSD too.
I heard of problems on Solaris (PR #18756), but I am not sure these bugs are 
from the ldap cache, but more from the changes done with ldap lib and TLS.

Considering the module is still in the experimental directory, +1 for 
backport.

Matthieu

Brad Nicholes wrote:

>   There is a patch that was committed to CVS HEAD that is waiting for
>enough votes to be backported to the 2.0 branch.  The patch addresses PR
>#18756 that deals with shared memory issues and could very possibly fix
>the problems that you are seeing.  The patch has been sitting in the
>backport queue for some time now.  I would like to go ahead and backport
>this patch now if nobody has any objections and since auth_ldap is an
>experimental module anyway.  
>   As far as your other question goes, NetWare uses auth_ldap
>extensively in our solutions and we have done a lot of testing using the
>caching directives.  The difference is that NetWare does not use shared
>memory for the cache.  Since the caching directives only appear to be a
>problem on shared memory platforms, this leads me to believe that the
>proposed patch should resolve this issue.
>
>Brad
>
>Brad Nicholes
>Senior Software Engineer
>Novell, Inc., the leading provider of Net business solutions
>http://www.novell.com 
>
>>>>jessh@ptc.com Friday, January 30, 2004 12:38:21 PM >>>
>
>I've been struggling with mod_ldap / util_ldap for some time now.  The
>module is basically working on Windows (and HP Apache has it working 
>with the worker MPM on HPUX), but I've been utterly failing on Solaris
>(8).
>
>There are a good number of open bugs on this module.  I updated to 
>2.0.48 + the latest sources from CVS in hopes that the most critical of
>these issues would be resolved.
>
>Unfortunately, I find that my Apache always crashes with core dump on 
>the very first attempt to authenticate against LDAP *if* I leave the 
>LDAP cache activated.  If I disable the LDAP cache, then LDAP 
>authentication appears to work fine (in quick, light testing -- no 
>stress testing yet).
>
>I don't have any reasonable debugger on the machine in question, so I 
>just threw in some quick debug output.  What is interesting to me is 
>that util_ldap_cache_module_kill is called during the Apache startup 
>process.  This strikes me as highly suspicious and a possible cause of
>the latter crashes when attempting to access the LDAP cache -- but I 
>could clearly be barking up the wrong tree.
>
>It is hard for me to believe that no one else in the Apache community 
>needs LDAP authentication on Solaris.  It is also hard for me to believe 
>that I'm the only one seeing the issue -- especially given the fact that 
>there are open bugs on this....
>
>Unfortunately, this is just the "showstopper" issue.  Other issues include:
>
>    * connections staying bound as wrong user preventing reliable
>      non-anonymous access to LDAP
>    * crashes when LDAP cache size is exceeded (i.e. when cache purge is
>      attempted)
>          o *may* be fixed in HEAD -- I last tested in 2.0.47
>    * crashes on Windows when LDAP cache shared memory block is full
>          o *may* be fixed in HEAD -- I last tested in 2.0.47
>
>Is the community giving up on the Apache groups' Apache 2 LDAP modules
>and using some other party's modules for this?
>
>I know there are some few individuals working hard on this area, but the 
>open bugs in this area and severity thereof attest to a lack of 
>cross-platform stability.  I also know this is an "experimental" module, 
>but it is one that some of us desperately need...
>
>--
>Jess Holle
>


Re: mod_ldap/util_ldap Issues...

Posted by Jess Holle <je...@ptc.com>.
Matthieu Estrade wrote:

> Hi,
>
> About ldap cache + shm: I tested all these patches on Linux and it was 
> working well; it seems to work well on FreeBSD too.
> I heard of problems on Solaris (PR #18756), but I am not sure these bugs 
> are from the ldap cache, but more from the changes done with ldap lib and TLS.

The issues on Solaris *could* be due to LDAP lib, TLS, etc, *but*

The latest patches work absolutely fine on Solaris as long as I set the 
cache sizes to 0 (i.e. disable it).  Once I have real LDAP cache sizes 
the very first LDAP-authenticated request causes a core dump.

[I'm trying to find some time to cozy up with a debugger on this...]

--
Jess Holle