httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38146] New: - LDAP StartTLS ExOp runs too early
Date Thu, 05 Jan 2006 21:48:20 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38146>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38146

           Summary: LDAP StartTLS ExOp runs too early
           Product: Apache httpd-2
           Version: 2.2.0
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: richton@nbcs.rutgers.edu


mod_ldap does not perform Start TLS properly. Per RFC2830, Start TLS is an
LDAPv3 Extended Operation. As such, LDAPv3 must be selected as the protocol
version PRIOR to performing the Start TLS operation. util_ldap.c does not do
this, resulting in LDAP "Not Available" errors (interpreted, "extended
operations are not available in LDAPv2 per RFC") when it is attempted to be used.

The solution is trivial: change to LDAPv3 before attempting to use Extended
Operations. Please consider the attached code move. It should apply clean to
2.2.0 and snapshot 20060105173307.

--- util_ldap.c.orig    2006-01-05 15:23:46.237518000 -0500
+++ util_ldap.c 2006-01-05 15:24:16.355137000 -0500
@@ -263,6 +263,9 @@
             return(result->rc);
         }

+        /* always default to LDAP V3 */
+        ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
+
         /* set client certificates */
         if (!apr_is_empty_array(ldc->client_certs)) {
             apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
@@ -292,9 +295,6 @@
         /* Set the alias dereferencing option */
         ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));

-        /* always default to LDAP V3 */
-        ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
-
 /*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
 #ifdef APR_LDAP_OPT_VERIFY_CERT
         apr_ldap_set_option(ldc->pool, ldc->ldap,

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message