Posted to dev@httpd.apache.org by "ERIC K. CHEU" <ek...@uncg.edu> on 2003/12/12 18:26:59 UTC

ldap ssl authentication httpd 2, solaris 8

Anyone get this to work? Trying to compile Apache on a Solaris 8
machine with the cldap Novell libraries that Novell puts out for free,
with these configuration options:

./configure --with-prefix=/var/test
--with-ssl=/afs/uncg.edu/@sys/opt/openssl
--with-ldap-include=/usr/slocal/novell/include
--with-ldap-lib=/usr/slocal/novell/lib --with-ldap --enable-ssl
--enable-ldap --enable-auth-ldap

Problem is, of course, that this binary core dumps (did a gdb backtrace
of it and it gets hung on an ldap parse statement; even when removing
the lines containing the cert file and the ldap stuff, it still core
dumps).
I compiled it with OpenSSL libraries, but the problem if you compile
with OpenLDAP libraries is that, according to the code in util_ldap.c,
only BASE64_FILE is an acceptable type (not DER_FILE). I tried
converting the DER file sent to me to PEM format with openssl and
Apache didn't accept that file at startup. I know the DER file is
fine since I use it in another application and can authenticate to the
ldaps port fine with it. I can authenticate against LDAP without
using the secure port, but was wondering if anybody has been able to
authenticate against the secure port using the Solaris 8 version of Apache
2.
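Added example, not code from Eric's message or from httpd: the check worth running before blaming the build when a CA file is rejected. It sniffs whether the file on disk is really DER or PEM (the two encodings behind mod_ldap's LDAPTrustedCAType names DER_FILE and BASE64_FILE), converts between them with Python's ssl module, emits the matching directives, and can do a TLS handshake against the ldaps port trusting only that CA, so a verification failure is established independently of Apache. SAMPLE_DER is a constructed ASN.1 blob, not a certificate; host names and paths are placeholders.

```python
"""Added example, not code from the original thread or from httpd.

Before handing a CA file to mod_ldap (LDAPTrustedCA / LDAPTrustedCAType in
httpd 2.0), check what encoding the file really has, convert it if needed,
and prove the trust chain against the ldaps port with nothing but that CA.
SAMPLE_DER below is constructed for the offline checks; host names and
paths are placeholders.
"""
import socket
import ssl

# Constructed sample: DER SEQUENCE { INTEGER 1 }.  Enough to exercise the
# encoding checks; it is not a certificate and will not verify anything.
SAMPLE_DER = bytes.fromhex("3003020101")


def detect_ca_type(data: bytes) -> str:
    """Return the mod_ldap LDAPTrustedCAType name that matches the bytes.

    PEM is ASCII armour that starts with a BEGIN line; DER X.509 is an ASN.1
    SEQUENCE, so its first byte is always 0x30.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return "BASE64_FILE"
    if data[:1] == b"\x30":
        return "DER_FILE"
    raise ValueError("neither a DER nor a PEM certificate")


def to_pem(data: bytes) -> str:
    """Normalise DER or PEM input to PEM text (the only form an
    OpenLDAP-linked util_ldap accepts)."""
    if detect_ca_type(data) == "BASE64_FILE":
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def to_der(data: bytes) -> bytes:
    """Normalise DER or PEM input to raw DER bytes (what LDAPTrustedCAType
    DER_FILE hands to the Novell SDK path)."""
    if detect_ca_type(data) == "DER_FILE":
        return data
    return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())


def trusted_ca_directives(path: str, data: bytes) -> str:
    """Emit the two mod_ldap directives with the type derived from the bytes,
    so the type name can never disagree with the file on disk."""
    return f"LDAPTrustedCA {path}\nLDAPTrustedCAType {detect_ca_type(data)}\n"


def check_ldaps(host: str, port: int, ca_data: bytes, timeout: float = 5.0) -> str:
    """TLS handshake with host:port trusting only ca_data; return the server
    certificate's commonName.  An ssl.SSLCertVerificationError here means the
    CA file is wrong for that server, independent of anything httpd does."""
    ctx = ssl.create_default_context(cadata=to_pem(ca_data))
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return subject.get("commonName", "")


if __name__ == "__main__":
    import sys
    # usage: ldapcheck.py CAFILE [LDAPHOST [PORT]]   (placeholders, supply your own)
    ca_bytes = open(sys.argv[1], "rb").read()
    print(trusted_ca_directives(sys.argv[1], ca_bytes), end="")
    if len(sys.argv) > 2:
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 636
        print("server CN:", check_ldaps(sys.argv[2], port, ca_bytes))
```

Run it against the DER file the directory administrator sent and against your openssl x509 conversion of it: if both report a matching type and the handshake returns the server's CN, the file is fine and the startup failure is in the build, not the certificate.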


Re: ldap ssl authentication httpd 2, solaris 8

Posted by "ERIC K. CHEU" <ek...@uncg.edu>.
Okay... finally got ldap ssl to work with the novell libraries on both
solaris 7 and 8.  It does take some hacking of the source code and you
have to compile httpd with different libraries. Here are the steps that I
did:

1.  Make sure your path is set correctly so that you are using
	the appropriate ld or as program (if you are using
	gcc, then you will want to use GNU ld and as; if you use
	Sun Workshop's cc, then you will want to use the Solaris as and ld).
2.  setenv LD_LIBRARY_PATH /usr/slocal/novell/lib
	(I installed the Novell LDAP libraries in /usr/slocal/novell, and
	am using the tcsh shell)
3.  as root
	touch /tmp/mod_ldap_cache
	(found this on google somewhere that initializing the cache
	can cause problems for some reason on solaris).
3.  I configured with these options (and set the appropriate
	environment variables for CPPFLAGS and LDFLAGS):

 	configured by ./configure, generated by GNU Autoconf 2.54,
	  with options "'--with-prefix=/var/test'
	'--with-ssl=/afs/uncg.edu/@sys/opt/openssl'
	'--with-ldap-include=/usr/slocal/novell/include'
	'--with-ldap-lib=/usr/slocal/novell/lib' '--with-ldap'
	'--enable-ssl' '--enable-ldap'
	'--enable-auth-ldap' 'CPPFLAGS=-I/usr/slocal/novell/include'
	'LDFLAGS=-L/usr/slocal/novell/lib'"
4. Modified 4 files after configure finished:

supernova# diff modules/ssl/ssl_engine_init.c
/tmp/httpd-2.0.48/modules/ssl/ssl_engine_init.c
116a117
>       OpenSSL_add_all_algorithms();
118c119
<     SSL_library_init();
---
> //    SSL_library_init();
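Review bot: commenting out SSL_library_init() removes libssl's own initialisation, and the post gives no reason for it; the OpenSSL_add_all_algorithms() added in the hunk just above is a libcrypto call that fills the EVP cipher and digest tables and is not a substitute for it. If the call had to go because the Novell SSL library linked in (-lldapssl) collides with, or already performs, that initialisation, record that in a comment at the site and disable the line with #if 0 / #endif rather than //, so the intent survives the next merge with a stock 2.0.48 tree.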
139,140c140,141
<     MODSSL_TMP_KEYS_FREE(mc, RSA);
<     MODSSL_TMP_KEYS_FREE(mc, DH);
---
> //    MODSSL_TMP_KEYS_FREE(mc, RSA);
> //    MODSSL_TMP_KEYS_FREE(mc, DH);
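Review bot: skipping the MODSSL_TMP_KEYS_FREE(mc, RSA) and MODSSL_TMP_KEYS_FREE(mc, DH) calls leaves mod_ssl's temporary RSA and DH keys unreleased, which leaks them on every restart and, more to the point, only hides whatever made the release crash; the post does not say what failed there. Take the backtrace from inside that free rather than removing it, and if the lines have to stay out, note why next to them.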


supernova# diff modules/experimental/mod_auth_ldap.c
/tmp/httpd-2.0.48/modules/experimental/mod_auth_ldap.c
741c741,749
<     result = apr_ldap_url_parse(url, &(urld));
---
>       result= ldap_url_parse_ext( url, &(urld));
>       if(urld->lud_scope == -1) {
>               urld->lud_scope = LDAP_SCOPE_BASE;
>       }
>       if(urld->lud_host !=NULL && urld->lud_host == '\0'){
>               LDAP_FREE(urld->lud_host);
>               urld->lud_host = NULL;
>       }
> //    result = apr_ldap_url_parse(url, &(urld));
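Review bot: `urld->lud_host == '\0'` compares the pointer itself with a NUL character, i.e. with NULL, so together with the `urld->lud_host != NULL` guard the body of that if can never execute; the intent is plainly an empty host string (`*urld->lud_host == '\0'`, as in an ldap:/// URL with no host), so dereference it. Also, urld is dereferenced before `result` is examined: if ldap_url_parse_ext() fails it need not have filled in urld, and that is exactly the kind of crash on an LDAP parse statement the first message describes. Check the return value first, then fix up lud_scope and lud_host.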


supernova# diff modules/experimental/util_ldap.c
/tmp/httpd-2.0.48/modules/experimental/util_ldap.c
62a63,66
> #define LDAP_OPT_X_TLS                          0x6000
> #define LDAP_OPT_X_TLS_CACERTFILE       0x6002
> #define LDAP_OPT_X_TLS_HARD             1
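Review bot: these three #define lines hardcode OpenLDAP's option codes (LDAP_OPT_X_TLS 0x6000, LDAP_OPT_X_TLS_CACERTFILE 0x6002, LDAP_OPT_X_TLS_HARD 1) so that code written for the OpenLDAP SDK compiles against the Novell headers; compiling is not the same as the Novell ldap_set_option() honouring those codes. Either check its return value wherever they are passed, or, since the apr_ldap.h change below selects APR_HAS_NOVELL_LDAPSDK, keep that code under #if APR_HAS_OPENLDAP_LDAPSDK and let the Novell ldapssl_* path handle the CA file.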

supernova# diff ~ekcheu/apr_ldap.h  srclib/apr-util/include/apr_ldap.h
83c83
< #define APR_HAS_NOVELL_LDAPSDK      0
---
> #define APR_HAS_NOVELL_LDAPSDK      1
114c114,115
< #define APR_HAS_OPENLDAP_LDAPSDK 1
---
> //#define APR_HAS_OPENLDAP_LDAPSDK 1
> #define APR_HAS_NOVELL_LDAPSDK 1
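Review bot: APR_HAS_NOVELL_LDAPSDK is now defined as 1 twice in this header (line 83 from the earlier hunk and again here); the preprocessor tolerates a redefinition to the same value, but it signals that the two hunks came from different attempts, and since this file is generated by configure from apr_ldap.h.in, both hand edits disappear the next time configure runs. Keep one definition, and get apr-util's configure to select the Novell SDK so the tree can be rebuilt from scratch.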

5.  Typed 'make'

	At the end, make will fail to compile httpd, so I just do it
	manually at the top of the httpd tree.  For solaris 8, I used
	sun workshop cc:

/tmp/novel/httpd-2.0.48/srclib/apr/libtool --silent --mode=link
/usr/local/bin/cc -g -DSOLARIS2=8 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT
-I/usr/slocal/novell/include -I/usr/slocal/novell/include
-I/tmp/novel/httpd-2.0.48/srclib/apr/include
-I/tmp/novel/httpd-2.0.48/srclib/apr-util/include -I/usr/local/include
-I/tmp/novel/httpd-2.0.48/srclib/apr-util/xml/expat/lib -I.
-I/tmp/novel/httpd-2.0.48/os/unix
-I/tmp/novel/httpd-2.0.48/server/mpm/prefork
-I/tmp/novel/httpd-2.0.48/modules/http
-I/tmp/novel/httpd-2.0.48/modules/filters
-I/tmp/novel/httpd-2.0.48/modules/proxy -I/tmp/novel/httpd-2.0.48/include
-I/afs/uncg.edu/@sys/opt/openssl/include/openssl
-I/afs/uncg.edu/@sys/opt/openssl/include
-I/tmp/novel/httpd-2.0.48/modules/dav/main -export-dynamic
-L/usr/local/lib -L/tmp/novel/httpd-2.0.48/srclib/apr-util/xml/expat/lib
-L/afs/uncg.edu/@sys/opt/openssl/lib -R/afs/uncg.edu/@sys/opt/openssl/lib
-L/usr/slocal/novell/lib -o httpd modules.lo modules/aaa/mod_access.la
modules/aaa/mod_auth.la modules/experimental/mod_ldap.la
modules/experimental/mod_auth_ldap.la modules/filters/mod_include.la
modules/loggers/mod_log_config.la modules/metadata/mod_env.la
modules/metadata/mod_setenvif.la modules/ssl/mod_ssl.la
modules/http/mod_http.la modules/http/mod_mime.la
modules/generators/mod_status.la modules/generators/mod_autoindex.la
modules/generators/mod_asis.la modules/generators/mod_cgi.la
modules/mappers/mod_negotiation.la modules/mappers/mod_dir.la
modules/mappers/mod_imap.la modules/mappers/mod_actions.la
modules/mappers/mod_userdir.la modules/mappers/mod_alias.la
modules/mappers/mod_so.la server/mpm/prefork/libprefork.la
server/libmain.la os/unix/libos.la
/tmp/novel/httpd-2.0.48/srclib/pcre/libpcre.la
/tmp/novel/httpd-2.0.48/srclib/apr-util/libaprutil-0.la -ldl -lpthread
-ldb /tmp/novel/httpd-2.0.48/srclib/apr-util/xml/expat/lib/libexpat.la
/tmp/novel/httpd-2.0.48/srclib/apr/libapr-0.la -lsendfile -lrt -lm
-lsocket -lnsl -lresolv -ldl -L/usr/slocal/novell/lib -lldapsdk -lldapssl
-lssl -lcrypto

	For solaris 7 I used gcc:

	/tmp/httpd-2.0.48/srclib/apr/libtool --silent --mode=link gcc -g
-O2 -pthreads -DSOLARIS2=7 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT
-DAP_HAVE_DESIGNATED_INITIALIZER -I/usr/slocal/novell/include
-I/tmp/httpd-2.0.48/srclib/apr/include
-I/tmp/httpd-2.0.48/srclib/apr-util/include
-I/tmp/httpd-2.0.48/srclib/apr-util/xml/expat/lib -I.
-I/tmp/httpd-2.0.48/os/unix -I/tmp/httpd-2.0.48/server/mpm/prefork
-I/tmp/httpd-2.0.48/modules/http -I/tmp/httpd-2.0.48/modules/filters
-I/tmp/httpd-2.0.48/modules/proxy -I/tmp/httpd-2.0.48/include
-I/afs/uncg.edu/@sys/opt/openssl/include/openssl
-I/afs/uncg.edu/@sys/opt/openssl/include
-I/tmp/httpd-2.0.48/modules/dav/main -export-dynamic
-L/tmp/httpd-2.0.48/srclib/apr-util/xml/expat/lib
-L/afs/uncg.edu/@sys/opt/openssl/lib -R/afs/uncg.edu/@sys/opt/openssl/lib
-L/usr/slocal/novell/lib -o httpd modules.lo modules/aaa/mod_access.la
modules/aaa/mod_auth.la
modules/experimental/mod_ldap.la modules/experimental/mod_auth_ldap.la
modules/filters/mod_include.la modules/loggers/mod_log_config.la
modules/metadata/mod_env.la modules/metadata/mod_setenvif.la
modules/ssl/mod_ssl.la modules/http/mod_http.la modules/http/mod_mime.la
modules/generators/mod_status.la
modules/generators/mod_autoindex.la modules/generators/mod_asis.la
modules/generators/mod_cgi.la modules/mappers/mod_negotiation.la
modules/mappers/mod_dir.la modules/mappers/mod_imap.la
modules/mappers/mod_actions.la modules/mappers/mod_userdir.la
modules/mappers/mod_alias.la modules/mappers/mod_so.la
server/mpm/prefork/libprefork.la server/libmain.la os/unix/libos.la
/tmp/httpd-2.0.48/srclib/pcre/libpcre.la
/tmp/httpd-2.0.48/srclib/apr-util/libaprutil-0.la -ldl -lpthread -lgdbm
-ldb /tmp/httpd-2.0.48/srclib/apr-util/xml/expat/lib/libexpat.la
/tmp/httpd-2.0.48/srclib/apr/libapr-0.la -lrt -lm -lsocket -lnsl -lresolv
-ldl -L/usr/slocal/novell/lib -lldapsdk -lldapssl -lssl -lcrypto


Make sure that you don't compile any native LDAP libraries (such as
the one included on Solaris 8); otherwise certain functions, such as
ldapssl_init, will fail.
6.  make install
7.  Edit httpd.conf, of course, to make sure you load the right DER
	or B64 certificate (and also point to the right SSL certificates
	so that https will work; no point in using LDAP SSL if you
	don't also use https).
8.  Make sure with your Novell administrator, when testing, that you
	first point to the full path of your DN (and not aliases), as
	aliases may not always work (AuthLDAPURL line).
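The httpd.conf side of steps 7 and 8, as an added example that is not from Eric's post or from the httpd distribution: it assumes a 2.0.48 build with mod_ldap, mod_auth_ldap and mod_ssl linked in statically as in the link commands above, so no LoadModule lines are needed. The host names, base DN, bind DN and all file paths are placeholders; the directive names (LDAPTrustedCA, LDAPTrustedCAType, AuthLDAPURL, AuthLDAPBindDN, SSLRequireSSL) are the httpd 2.0 ones.

```apache
# CA that signed the LDAP server's certificate.  The type must describe the
# file as it is on disk: DER_FILE for the raw DER file the Novell admin hands
# out, BASE64_FILE if it was converted to PEM with openssl x509.
LDAPTrustedCA     /etc/httpd/conf/ldap-ca.der
LDAPTrustedCAType DER_FILE

# Weak form, kept only as the contrast: a plain ldap:// URL does a simple
# bind on port 389, so every user's password crosses the network in clear.
#AuthLDAPURL ldap://ldap.example.edu/ou=people,o=example?uid?sub

Listen 443
<VirtualHost _default_:443>
    ServerName www.example.edu
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    <Location /protected>
        # Refuse the plain-HTTP copy of this path: Basic auth without HTTPS
        # leaks between browser and httpd the same password that ldaps://
        # just protected between httpd and the directory.
        SSLRequireSSL
        AuthType Basic
        AuthName "Directory login"
        # ldaps:// with the explicit port; the base is the full DN of the
        # container, not an alias, as step 8 says.
        AuthLDAPURL ldaps://ldap.example.edu:636/ou=people,o=example?uid?sub?(objectClass=person)
        # Only needed if the directory refuses anonymous searches; the
        # password then lives in httpd.conf, so keep the file root-readable.
        #AuthLDAPBindDN       cn=httpd,ou=services,o=example
        #AuthLDAPBindPassword secret
        require valid-user
    </Location>
</VirtualHost>
```

With this in place a mistyped CA type shows up at startup when mod_ldap loads the file, and a wrong CA shows up as a failed ldaps handshake in the error log, which separates the two failures the thread runs together.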