httpd-users mailing list archives

From Eirik Lygre <eirik.ly...@gmail.com>
Subject [users@httpd] Bug using authnz_ldap_module with Microsoft LDAP SDK and ldaps (secure ldap)?
Date Tue, 26 Feb 2013 15:00:34 GMT
We have been trying to set up Apache on Windows with ldaps (ssl)
authentication, using apr-util compiled with the Microsoft ldap sdk.

I believe I have identified a bug in the interaction between httpd
(util_ldap.c) and apr-util which makes this combination impossible. This
email is an attempt to explain the problem and get a second set of eyes on
this. If people agree that this is / might be a bug, I'll file the proper
issue and take it from there.

Does the below sound like a reasonable analysis? Am I missing something?


1) During initialization of util_ldap.c (http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c?view=markup),
in util_ldap_post_config(): After calling apr_ldap_ssl_init(), on line 2031,
the method apr_ldap_set_option(APR_LDAP_OPT_TLS_CERT) is always called,
regardless of whether there are any global certs or not.

2020     /*
2021      * Initialize SSL support, and log the result for the benefit of the admin.
2022      *
2023      * If SSL is not supported it is not necessarily an error, as the
2024      * application may not want to use it.
2025      */
2026     rc = apr_ldap_ssl_init(p,
2027                       NULL,
2028                       0,
2029                       &(result_err));
2030     if (APR_SUCCESS == rc) {
2031         rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
2032                                  (void *)st->global_certs, &(result_err));
2033     }
2034
2035     if (APR_SUCCESS == rc) {
2036         st->ssl_supported = 1;
2037         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
2038                      "LDAP: SSL support available" );
2039     }
2040     else {
2041         st->ssl_supported = 0;
2042         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
2043                      "LDAP: SSL support unavailable%s%s",
2044                      result_err ? ": " : "",
2045                      result_err ? result_err->reason : "");
2046     }

2) Now, in apr_ldap (http://svn.apache.org/viewvc/apr/apr-util/tags/1.4.1/ldap/apr_ldap_option.c?view=markup),
the method apr_ldap_set_option() forwards to option_set_cert() (line 396),
which ends up in the following code which *always* fails.

#if APR_HAS_MICROSOFT_LDAPSDK
    /* Microsoft SDK use the registry certificate store - error out
     * here with a message explaining this. */
    result->reason = "LDAP: CA certificates cannot be set using this method, "
                     "as they are stored in the registry instead.";
    result->rc = -1;
#endif

3) The error_log has the following entries:

[Mon Feb 25 22:21:18 2013] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Mon Feb 25 22:21:18 2013] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.

4) The bug, then, is that using the microsoft ldap sdk *always* fails with SSL:

- util_ldap.c always calls apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...), even when there are no global certs
- apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...) always fails when called with APR_HAS_MICROSOFT_LDAPSDK, even when there are no certs

5) Extracts of our config:

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<Location />
    AuthLDAPURL ldaps://127.0.0.1:1389/ou=People,dc=example,dc=com?uid
</Location>

6) There are two reasonable (?) fixes:

- util_ldap_post_config() should not call apr_ldap_set_option if there are no global certs (a similar test can be found in the same file, line 264)
- option_set_cert() should not fail if there are no certificates being set (probably less correct, but also more tolerant)

Does this sound like / look like a reasonable analysis? Am I missing
something?

-- 
Eirik

There is no high like a tango high
There is no low like a tango low
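A small C model of the two code paths quoted in the message, added here as an illustration (it is not httpd or apr-util code): it shows how the unconditional APR_LDAP_OPT_TLS_CERT call turns ssl_supported off on the Microsoft SDK, and how the first proposed fix, skipping the call when there are no global certs, restores ldaps while still reporting the error when certs actually are configured. The type name ldap_err_t, the ms_sdk/cert_count/guard parameters and the assumption that apr_ldap_ssl_init() succeeds are constructed for the example.

```c
#include <stdio.h>

/* Constructed model of the two code paths quoted above; not APR/httpd code.
 * ldap_err_t, APR_SUCCESS, ms_sdk, cert_count and guard are assumptions. */
#define APR_SUCCESS 0
typedef struct { int rc; const char *reason; } ldap_err_t;

static ldap_err_t last_err;   /* stands in for result_err of the last call */

/* Models option_set_cert() built with APR_HAS_MICROSOFT_LDAPSDK: it fails on
 * every call, because the Microsoft SDK reads CA certs from the registry. */
static int set_option_tls_cert(int ms_sdk, int cert_count)
{
    if (ms_sdk) {
        last_err.reason = "LDAP: CA certificates cannot be set using this "
                          "method, as they are stored in the registry instead.";
        last_err.rc = -1;
        return last_err.rc;
    }
    (void)cert_count;         /* other SDKs would install the certs here */
    return APR_SUCCESS;
}

/* Models util_ldap_post_config() and returns the resulting ssl_supported.
 * guard == 0 reproduces the reported behaviour (unconditional call);
 * guard == 1 applies the first proposed fix (skip the call with no certs). */
static int post_config_ssl_supported(int ms_sdk, int cert_count, int guard)
{
    int rc = APR_SUCCESS;     /* apr_ldap_ssl_init() assumed to succeed */
    last_err.rc = 0; last_err.reason = NULL;
    if (!guard || cert_count > 0)
        rc = set_option_tls_cert(ms_sdk, cert_count);
    return rc == APR_SUCCESS ? 1 : 0;
}

int main(void)
{
    /* Reported bug: MS SDK, no global certs, unconditional call -> SSL off */
    int ok = post_config_ssl_supported(1, 0, 0);
    printf("unpatched, no certs: ssl_supported=%d (%s)\n", ok, last_err.reason);
    /* Proposed fix: no certs -> the call is skipped -> ldaps stays usable */
    ok = post_config_ssl_supported(1, 0, 1);
    printf("patched, no certs:   ssl_supported=%d\n", ok);
    /* Certs configured with the MS SDK still fail, so the misconfig surfaces */
    ok = post_config_ssl_supported(1, 2, 1);
    printf("patched, 2 certs:    ssl_supported=%d (%s)\n", ok, last_err.reason);
    return 0;
}
```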
