httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 48505] Apache 2.2 not working with LDAP Fail Over Auth
Date Fri, 22 Jan 2010 22:49:23 GMT

charlie <> changed:

           What    |Removed                     |Added
             Status|NEEDINFO                    |NEW

--- Comment #11 from charlie <> 2010-01-22 14:49:11 UTC ---
OK, I'm going to document this exhaustively.  Please bear with me.


I am using the mod_authnz_ldap that ships with Red Hat Enterprise Linux v5.4,
as part of their httpd-2.2.3-31.el5_4.2 package.  The problem I am seeing is
consistent with the hundreds of similar problems easily found with Google from
various releases and builds of Apache 2.2 with the ASF LDAP auth modules.

My underlying libraries are OpenLDAP and I have turned debugging up to the
point of crippling the server, which allows me to see exactly what Apache is
doing and why so many people are whining and complaining.


The problem appears to be in the AuthLDAPURL directive, which is not compliant
with RFC2255 (the current relevant RFCs are 4516 and 4510) as documented,
because the RFCs do not specify host failover syntax as far as I can determine.
I have searched extensively, and while there is a "de facto standard" for
failover specification used by nearly all LDAP capable software (except Apache)
I could not find any RFC that explicitly addressed failover host specification
syntax.  Embedding multiple host names the way Apache does in the midst of an
otherwise RFC compliant string breaks compliancy.

If Apache uses the de facto standard as used by IBM, HP, OpenLDAP, and PADL,
there will be no more problems - the underlying libraries will be able to do
whatever they are capable of doing instead of being restricted by Apache's
ability to parse, and all the things people are trying to do will work.

If Apache continues to use the current syntax, users must make a choice of
either efficiency or security - they cannot have both in a failover


From the apache module itself (viewed via mod_info.c) the spec is described as:


the module doc additionally states:

"Host is the name of the LDAP server. Use a space separated list of hosts to
specify redundant servers"

A second parameter of "LDAP connection mode" is allowed with permitted values


LDAP lookups frequently contain passwords, and ldap services frequently use
dissimilar schema.

In real world LDAP deployments, system architects usually want to encrypt ldap
lookups across networks for security, but do not wish to incur encryption
overhead on ldap lookups using local secure channels (such as the loopback
interface or named pipes or a separate network, depending on OS capabilities
and site setup).

Less commonly, sites that have dual LDAP backends (typically OpenLDAP and
Active Directory) may present a single replicated data set using different
attributes and thus may require different filter or port specifications for
different hosts specified as failovers.

AuthLDAPURL's syntax prevents this by forcing a single set of parameters across
hosts, which is not required by the underlying libraries.


This is a commonly used LDAP failover configuration in PADL's pam_ldap and
nss_ldap configurations (on Red Hat, both are in /etc/ldap.conf):

uri ldap:// ldaps://

Note how the local loopback has no encryption, but the failover host is forced
into an SSL tunnel.

Here's another, with a named pipe:

uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

Here's one for a machine that runs scalix, note the weird port:

uri ldapi://%2fvar%2frun%2fldapi_sock/ ldap://

These are (host obscured) real-world examples from running machines using
PADL's pam_ldap to access OpenLDAP's client libraries.  NONE of these
configurations can be achieved with the Apache module's AuthLDAPURL syntax
using the same libraries.  The limitation is not in the libraries, it's in the
AuthLDAPURL syntax.


In order to avoid breaking current applications that are using any of the
"hacks" found on the net, implement a new parameter  AuthLDAPURI (note uri
rather than url, this is consistent with LDAP v3 nomenclature as per RFC) which
behaves exactly like OpenLDAP & PADL syntax.  This syntax allows all the
various combinations that users want and is completely compliant with both 
RFC2255 (historical) and RFC4516 (current) as well as LDAPS and STARTTLS.

AuthLDAPURI ldap[s]://host[:port]/basedn[?attrib[?scope[?filter]]]

"Use a space separated list of URIs to specify redundant servers"


I hope this clears up the confusion about the problems users are encountering
in the wild.  Google currently shows 23,100 hits when searching "ldap failover
in apache 2.2", and they all seem to be complaints. There are clearly hundreds
of sites struggling to find a solution to their misunderstanding of the Apache
2.2 LDAP limitations.  These limitations are not present in the underlying
