httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <>
Subject Re: Standarizing mod_auth_ldap across LDAP SDKs...
Date Fri, 14 Feb 2003 15:45:33 GMT
    I believe that the starttls concept is exactly as you say.  Using
starttls you should be able to take an existing connection and upgrade
it to an SSL connection.  But as far as I can see, the starttls concept
was never designed into mod_auth_ldap nor does the user interface
support it.  If AuthLDAPStartTLS was specified, it just meant that the
LDAP cache should return an SSL connection to mod_auth_ldap.  If an SSL
connection did not exist, then mod_ldap should create one and add it to
the cache.  This model was already supported in mod_auth_ldap through
the use of ldap:// vs ldaps:// in the AuthLDAPUrl.  AuthLDAPStartTLS was
redundant.  Implementing the true starttls concept should probably be
added to the "To do" list of enhancements.
    The SDK specific #defines are in apr-util.  They exist in
apr_ldap.h (ie., apr_ldap.hw, apr_ldap.hnw).  We defined
them in the same location as the previous NETSCAPE_SSL #defines.  I will
go ahead and commit this code to the 2.1 tree.  Since I primarily work
on the NetWare platform, I did not attempt to fix up the Unix or Win32
makefiles.  Most likely these changes will break the builds.  The
makefiles will need to be updated to comply with the #defines values in (Unix) and apr_ldap.hw (Win32).  Could somebody on those
platforms fix the makefiles?


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions 

>>> Thursday, February 13, 2003 10:43:30 PM >>>
Brad Nicholes wrote:

>   Over the last couple of weeks one of our Novell LDAP SDK engineers
> took a look at mod_auth_ldap to  try to standardize it across
> SDKs especially with regards to SSL.


> - Added a support framework (using #defines) for multiple vendor
> SDKs.  The framework currently  supports the SDKs from Novell,
> OpenLDAP, and Microsoft.  (Spent significant time testing  compiling
> running with the various SDKs on Win32.  However, ran into problems
> Microsoft's  SDK.  It GPFs when doing an ldap_set_option.)

The purpose of LDAP support being in apr-util is so that machine 
specific and SDK specific issues can be addressed there. The #defines 
you mention should not be in mod_ldap, they should rather be in

> - Removed the AuthLDAPStartTLS directive from mod_auth_ldap.  The
> AuthLDAPUrl directive is used to  specify clear (ldap://) or SSL
> (ldaps://) connections.  

I'm not clear on this one - is there not a difference between SSL (make

secure connection and speak LDAP) and TLS (make an insecure connection

and then say starttls to upgrade the connection to a secure one)?

> I would like to commit these changes to the 2.1 tree as soon as
> possible and also back port them to  the 2.0 if acceptable.

+1 on committing to v2.1 as soon as possible :)

-----------------------------------------		"There's a moon
					over Bourbon Street

View raw message