Topic: Bug using authnz_ldap_module with Microsoft LDAP SDK and lda
elygre
Joined: 26 Feb 2013 Posts: 5
Posted: Tue 26 Feb '13 20:12 Post subject: Bug using authnz_ldap_module with Microsoft LDAP SDK and lda
(This is actually, and unfortunately, a cross post from users@httpd.apache.org, also readable at http://markmail.org/message/jqaw7ecddj2npcf3?q=ldaps+microsoft+ldap+sdk. But, the more eyes, the better.)
We have been trying to set up Apache on Windows with ldaps (ssl) authentication, using apr-util compiled with the Microsoft ldap sdk. I believe I have identified a bug in the interaction between httpd (util_ldap.c) and apr-util which makes this combination impossible. This email is an attempt to explain the problem and get a second set of eyes on this. If people agree that this is / might be a bug, I'll file the proper issue and take it from there. (It fails on 2.4.4 and 2.2.something alike)
Does the below sound like a reasonable analysis? Am I missing something?
1) During initialization of util_ldap.c (http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c?view=markup), in util_ldap_post_config(): After calling apr_ldap_ssl_init(), on line 2031, the method apr_ldap_set_option (APR_LDAP_OPT_TLS_CERT) is always called, regardless of whether there are any global certs or not.
Code:
```c
2020 /*
2021  * Initialize SSL support, and log the result for the benefit of the admin.
2022  *
2023  * If SSL is not supported it is not necessarily an error, as the
2024  * application may not want to use it.
2025  */
2026 rc = apr_ldap_ssl_init(p,
2027                        NULL,
2028                        0,
2029                        &(result_err));
2030 if (APR_SUCCESS == rc) {
2031     rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
2032                              (void *)st->global_certs, &(result_err));
2033 }
2034
2035 if (APR_SUCCESS == rc) {
2036     st->ssl_supported = 1;
2037     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
2038                  "LDAP: SSL support available" );
2039 }
2040 else {
2041     st->ssl_supported = 0;
2042     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
2043                  "LDAP: SSL support unavailable%s%s",
2044                  result_err ? ": " : "",
2045                  result_err ? result_err->reason : "");
2046 }
```
2) Now, in apr_ldap (http://svn.apache.org/viewvc/apr/apr-util/tags/1.4.1/ldap/apr_ldap_option.c?view=markup), the method apr_ldap_set_option() forwards to option_set_cert() (line 396), which ends up in the following code which *always* fails.
Code:
```c
627 #if APR_HAS_MICROSOFT_LDAPSDK
628     /* Microsoft SDK use the registry certificate store - error out
629      * here with a message explaining this. */
630     result->reason = "LDAP: CA certificates cannot be set using this method, "
631                      "as they are stored in the registry instead.";
632     result->rc = -1;
633 #endif
```
3) The error_log has the following entries:
[Mon Feb 25 22:21:18 2013] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Mon Feb 25 22:21:18 2013] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
4) The bug, then, is that using the microsoft ldap sdk *always* fails with SSL:
- util_ldap.c always calls apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...), even when there are no global certs
- apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...) always fails when called with APR_HAS_MICROSOFT_LDAPSDK, even when there are no certs
5) Extracts of our config:
Code:
```apache
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<Location />
    AuthLDAPURL ldaps://127.0.0.1:1389/ou=People,dc=example,dc=com?uid
</Location>
```
6) There are two reasonable (?) fixes:
- util_ldap_post_config() should not call apr_ldap_set_option if there are no global certs (a similar test can be found in the same file, line 264)
- option_set_cert() should not fail if there are no certificates being set (probably less correct, but also more tolerant)
Does this sound like / look like a reasonable analysis? Am I missing something?
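As an added illustration (not code from httpd or apr-util), the following stand-alone C model reproduces the decision made in util_ldap_post_config() when apr-util is built with the Microsoft LDAP SDK, with and without the guard proposed in point 6; the array and error types are constructed stand-ins for APR's, and apr_ldap_ssl_init() is assumed to succeed.

```c
#include <stdio.h>

/* Constructed stand-in for apr_array_header_t; only nelts matters here. */
typedef struct { int nelts; } cert_array;
/* Constructed stand-in for apr_ldap_err_t. */
typedef struct { int rc; const char *reason; } ldap_err;

/* Mirrors the apr_is_empty_array() macro: NULL or zero elements. */
static int is_empty_array(const cert_array *a) {
    return a == NULL || a->nelts == 0;
}

/* Models apr_ldap_ssl_init(): assumed to succeed (APR_SUCCESS == 0). */
static int ssl_init(void) { return 0; }

/* Models option_set_cert() as compiled with APR_HAS_MICROSOFT_LDAPSDK:
 * it refuses unconditionally, even when the array holds no certificate. */
static int set_tls_cert_ms_sdk(const cert_array *certs, ldap_err *err) {
    (void)certs;
    err->reason = "LDAP: CA certificates cannot be set using this method, "
                  "as they are stored in the registry instead.";
    err->rc = -1;
    return err->rc;
}

/* Models util_ldap_post_config() for ncerts global certificates and returns
 * the value st->ssl_supported ends up with. guarded=0 is the shipped code
 * (always calls set_option); guarded=1 skips the call when there are none. */
int ssl_supported(int ncerts, int guarded) {
    cert_array certs = { ncerts };
    ldap_err err = { 0, NULL };
    int rc = ssl_init();
    if (rc == 0 && (!guarded || !is_empty_array(&certs)))
        rc = set_tls_cert_ms_sdk(&certs, &err);
    if (rc != 0)
        fprintf(stderr, "LDAP: SSL support unavailable: %s\n", err.reason);
    return rc == 0 ? 1 : 0;
}

int main(void) {
    printf("no certs, shipped code: ssl_supported=%d\n", ssl_supported(0, 0));
    printf("no certs, guarded:      ssl_supported=%d\n", ssl_supported(0, 1));
    printf("2 certs,  shipped code: ssl_supported=%d\n", ssl_supported(2, 0));
    printf("2 certs,  guarded:      ssl_supported=%d\n", ssl_supported(2, 1));
    return 0;
}
```

Only the no-certificate case changes: with certificates configured, the Microsoft SDK path still refuses and SSL is still reported unavailable.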
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Tue 26 Feb '13 20:21 Post subject:
Maybe you can post it also in Bugzilla, to get more/better attention.
Steffen
Last edited by Steffen on Tue 26 Feb '13 20:23; edited 1 time in total
elygre
Joined: 26 Feb 2013 Posts: 5
Posted: Tue 26 Feb '13 20:22 Post subject:
Steffen wrote:
> Maybe you can post it also in Bugzilla, to get more/better attention.
> Steffen
Will do, just wanted to see if anybody had any thoughts on the issue first
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
Posted: Tue 26 Feb '13 20:25 Post subject:
Where did you download Apache, or did you build it yourself?
And VC9, VC10 or VC11?
elygre
Joined: 26 Feb 2013 Posts: 5
Posted: Tue 26 Feb '13 20:31 Post subject:
admin wrote:
> Where did you download Apache, or did you build it yourself?
> And VC9, VC10 or VC11?
Got it straight from apachelounge httpd-2.4.4-win32.zip.
The analysis is strictly based on observed behaviour and source code, with the source code taken from the httpd subversion repository (there are a couple of links in the original message).
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7372 Location: Germany, Next to Hamburg
Posted: Fri 01 Mar '13 0:08 Post subject: Re: Bug using authnz_ldap_module with Microsoft LDAP SDK and
elygre wrote:
> 6) There are two reasonable (?) fixes:
> - util_ldap_post_config() should not call apr_ldap_set_option if there are no global certs (a similar test can be found in the same file, line 264)
> - option_set_cert() should not fail if there are no certificates being set (probably less correct, but also more tolerant)
> Does this sound like / look like a reasonable analysis? Am I missing something?
IMHO the first solution is the right way. It makes no sense to perform a check if there is no certificate.
elygre
Joined: 26 Feb 2013 Posts: 5
Posted: Mon 04 Mar '13 21:27 Post subject: Bug with Microsoft LDAP SDK and ldaps (ssl)
After a quick discussion on the dev@httpd mailing list, I created a bug in mozilla (https://issues.apache.org/bugzilla/show_bug.cgi?id=54626), including a possible fix.
I am, unfortunately, unable to build and test a patched version myself. Is there anybody out there who would be willing to build a version containing the proposed fix, so that I can help verify that this actually works?
The following fix in ldap_util.c (http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c?view=markup) is believed to fix the problem (line 2026):
Code:
```diff
rc = apr_ldap_ssl_init(p,
NULL,
0,
&(result_err));
- if (APR_SUCCESS == rc) {
+ if (APR_SUCCESS == rc && !apr_is_empty_array(st->global_certs)) {
rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
(void *)st->global_certs, &(result_err));
}
```
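Review bot: the added guard `!apr_is_empty_array(st->global_certs)` is the right check for the fix described in point 6 of the opening post (the macro also treats a NULL array as empty), and its visible effect is that with no global certs configured rc keeps the APR_SUCCESS returned by apr_ldap_ssl_init(), so st->ssl_supported becomes 1 and "LDAP: SSL support available" is logged without apr_ldap_set_option() ever being called. Two points to settle before the Bugzilla entry is finalised: the hunk is taken from the 2.2.x util_ldap.c while the failure was reproduced on httpd-2.4.4-win32, so the same change has to be carried to the 2.4 code too; and when global certs are configured under the Microsoft SDK the option call still fails and SSL is still reported unavailable, which is worth stating explicitly in the report so that the scope of the fix is clear.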
Eirik
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
elygre
Joined: 26 Feb 2013 Posts: 5
Posted: Mon 04 Mar '13 23:21 Post subject:
Only in my dreams
I'll test it tomorrow.
Eirik
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU