From: "Brad Nicholes" <>
Subject: Standardizing mod_auth_ldap across LDAP SDKs...
Date: Thu, 13 Feb 2003 22:19:58 GMT
  Over the last couple of weeks one of our Novell LDAP SDK engineers
took a look at mod_auth_ldap to try to standardize it across various
SDKs, especially with regards to SSL.  I believe that these changes will
simplify configuring SSL for mod_auth_ldap and also isolate the SSL
functionality to mod_ldap rather than spreading it across both modules.
As a result we are proposing the following changes to mod_auth_ldap and

- Added LDAP SSL support for the Novell LDAP SDK.
- Fixed memory leaks in mod_ldap.
- Added a support framework (using #defines) for multiple vendor LDAP
SDKs.  The framework currently supports the SDKs from Novell, Netscape,
OpenLDAP, and Microsoft.  (Spent significant time testing compiling and
running with the various SDKs on Win32.  However, ran into problems with
Microsoft's SDK.  It GPFs when doing an ldap_set_option.)
- Removed all SSL & vendor LDAP SDK dependencies from mod_auth_ldap.
The vendor SDK dependencies are all grouped in mod_ldap.
- Removed the AuthLDAPStartTLS directive from mod_auth_ldap.  The
AuthLDAPUrl directive is used to specify clear (ldap://) or SSL
(ldaps://) connections.
- Removed the LDAPCertDBPath directive from mod_ldap.  Replaced by the
- Added new generic SSL directives to mod_ldap:
        LDAPTrustedCA - specifies the Trusted Certificate Authority
used for SSL server cert verification.
        LDAPTrustedCAType - specifies the certificate authority type
(DER_FILE, BASE64_FILE, CERT7_DB_PATH).  The SDKs require different
  These two directives are used together to support the different SDKs.
- Since mod_ldap is the LDAP connection mgr, it always loads with or
without SSL connection support.  It logs the status of SSL support in
the log file.  The modules which use mod_ldap (i.e. mod_auth_ldap)
decide what type of connections to request (clear / SSL) and what to do
if SSL connections are not available.  mod_auth_ldap currently fails
the authentication request if the URL specifies ldaps:// and SSL
connections are not supported by mod_ldap.

Through our testing we have run across two outstanding issues, one of
which I have already mentioned:
- Microsoft's LDAP SDK GPFs when doing an ldap_set_option.
- If caching is disabled in mod_ldap (cache values all set to -1), the
code faults.  The current design appears to have problems when run with
all caching turned off.

I would like to commit these changes to the 2.1 tree as soon as
possible and also back-port them to 2.0 if acceptable.


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions 
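As an added illustration (not part of Brad's message and not taken from the httpd source), here is how the proposed directives would fit together in an httpd.conf: mod_ldap carries the CA trust settings once, and each protected location chooses a clear or SSL connection purely through the AuthLDAPUrl scheme, as the proposal describes. The host names, file path, DN and location names are constructed placeholders; AuthType, AuthName, AuthLDAPEnabled and require are existing 2.0-era httpd directives that the message itself does not mention.

```apache
# Added example, not from the original message or the httpd tree.
# mod_ldap owns the SSL trust configuration; each <Location> decides
# between clear (ldap://) and SSL (ldaps://) via the AuthLDAPUrl scheme.
LoadModule ldap_module      modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

# Trusted CA used to verify the LDAP server certificate (the proposed
# generic directives).  The path is a constructed placeholder; the type
# must be the form the SDK in use expects: DER_FILE, BASE64_FILE or
# CERT7_DB_PATH (the Netscape/Mozilla cert7.db directory).
LDAPTrustedCA     /etc/httpd/conf/ldap-ca.der
LDAPTrustedCAType DER_FILE

# Weak setting: user credentials travel to the directory in the clear.
<Location /intranet-clear>
    AuthType Basic
    AuthName "Intranet (clear LDAP)"
    AuthLDAPEnabled on
    AuthLDAPUrl ldap://ldap.example.com/ou=People,o=example?uid
    require valid-user
</Location>

# Preferred setting: ldaps:// asks mod_ldap for an SSL connection.  Under
# the proposal, if mod_ldap was built without SSL support the request is
# failed outright rather than silently downgraded to clear text.
<Location /intranet>
    AuthType Basic
    AuthName "Intranet (LDAP over SSL)"
    AuthLDAPEnabled on
    AuthLDAPUrl ldaps://ldap.example.com:636/ou=People,o=example?uid
    require valid-user
</Location>
```

Since mod_ldap loads whether or not SSL support was compiled in and writes its SSL status to the error log at startup, checking that log line after a restart is the quickest way to confirm that the ldaps:// locations will actually be served rather than refused.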

