Bug using authnz_ldap_module with Microsoft LDAP SDK and ldaps (secure ldap)?

We have been trying to set up Apache on Windows with ldaps (ssl) authentication, using apr-util compiled with the Microsoft ldap sdk.

I believe I have identified a bug in the interaction between httpd (util_ldap.c) and apr-util which makes this combination impossible. This email is an attempt to explain the problem and get a second set of eyes on this. If people agree that this is / might be a bug, I'll file the proper issue and take it from there.

Does the below sound like a reasonable analysis? Am I missing something?


1) During initialization of util_ldap.c (http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c?view=markup), in util_ldap_post_config(): After calling apr_ldap_ssl_init(), on line 2031, the method apr_ldap_set_option (APR_LDAP_OPT_TLS_CERT) is always called, regardless of whether there are any global certs or not.

2020     /*
2021      * Initialize SSL support, and log the result for the benefit of the admin.
2022      *
2023      * If SSL is not supported it is not necessarily an error, as the
2024      * application may not want to use it.
2025      */
2026     rc = apr_ldap_ssl_init(p,
2027                       NULL,
2028                       0,
2029                       &(result_err));
2030     if (APR_SUCCESS == rc) {
2031         rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
2032                                  (void *)st->global_certs, &(result_err));
2033     }
2034
2035    if (APR_SUCCESS == rc) {
2036        st->ssl_supported = 1;
2037        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
2038                     "LDAP: SSL support available" );
2039    }
2040    else {
2041        st->ssl_supported = 0;
2042        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
2043                     "LDAP: SSL support unavailable%s%s",
2044                     result_err ? ": " : "",
2045                     result_err ? result_err->reason : "");
2046    }

2) Now, in apr_ldap (http://svn.apache.org/viewvc/apr/apr-util/tags/1.4.1/ldap/apr_ldap_option.c?view=markup), the method apr_ldap_set_option() forwards to option_set_cert() (line 396), which ends up in the following code which *always* fails.

627   #if APR_HAS_MICROSOFT_LDAPSDK
628       /* Microsoft SDK use the registry certificate store - error out
629        * here with a message explaining this. */
630       result->reason = "LDAP: CA certificates cannot be set using this method, "
631                        "as they are stored in the registry instead.";
632       result->rc = -1;
633   #endif

3) The error_log has the following entries:

[Mon Feb 25 22:21:18 2013] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Mon Feb 25 22:21:18 2013] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.

4) The bug, then, is that using the microsoft ldap sdk *always* fails with SSL:

- util_ldap.c always calls apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...), even when there are no global certs
- apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...) always fails when called with APR_HAS_MICROSOFT_LDAPSDK, even when there are no certs

5) Extracts of our config:

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<Location />
    AuthLDAPURL ldaps://127.0.0.1:1389/ou=People,dc=example,dc=com?uid
</Location>

6) There are two reasonable (?) fixes:

- util_ldap_post_config() should not call apr_ldap_set_option if there are no global certs (a similar test can be found in the same file, line 264)
- option_set_cert() should not fail if there are no certificates being set (probably less correct, but also more tolerant)

Does this sound like / look like a reasonable analysis? Am I missing something?

--
Eirik

There is no high like a tango high
There is no low like a tango low
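To make the control flow in the post concrete, here is a small constructed model of the interaction (added here as an illustration; it is not httpd or apr-util code). It keeps the names from the quoted excerpts but replaces the APR types with stand-ins: a cert array with just an nelts count, an error struct with rc and reason, and a stand-in for option_set_cert() that, when APR_HAS_MICROSOFT_LDAPSDK is set, fails unconditionally exactly as the quoted lines 627-633 do. post_config_current() mirrors the quoted util_ldap_post_config() logic; post_config_fixed() applies the first proposed fix, skipping the APR_LDAP_OPT_TLS_CERT call when no global certs were configured. The nelts > 0 guard is my assumption of what the check on line 264 looks like; the post does not quote it.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the httpd/apr-util interaction described in the post.
 * Not httpd or apr-util code: the types are simplified stand-ins that keep
 * the original names so the control flow can be followed. */

#define APR_SUCCESS 0
#define APR_HAS_MICROSOFT_LDAPSDK 1   /* assumption: apr-util built with the MS SDK */

typedef struct {
    int nelts;                /* number of configured global CA certs */
} cert_array;

typedef struct {
    int rc;
    const char *reason;
} ldap_err;

typedef struct {
    cert_array *global_certs; /* LDAPTrustedGlobalCert entries, may be empty */
    int ssl_supported;
} ldap_state;

/* Stand-in for apr_ldap_ssl_init(): SSL initialisation itself succeeds. */
static int model_ssl_init(ldap_err *err)
{
    err->rc = 0;
    err->reason = NULL;
    return APR_SUCCESS;
}

/* Stand-in for option_set_cert() as quoted from apr_ldap_option.c:
 * with the Microsoft SDK it errors out before looking at the cert list,
 * so it fails even when zero certs are being set. */
static int model_set_option_tls_cert(cert_array *certs, ldap_err *err)
{
#if APR_HAS_MICROSOFT_LDAPSDK
    (void)certs;
    err->reason = "LDAP: CA certificates cannot be set using this method, "
                  "as they are stored in the registry instead.";
    err->rc = -1;
    return err->rc;
#else
    (void)certs;
    err->rc = 0;
    return APR_SUCCESS;
#endif
}

/* Current util_ldap_post_config() behaviour: the TLS_CERT option is always
 * set after a successful ssl_init, regardless of whether any certs exist. */
int post_config_current(ldap_state *st)
{
    ldap_err err;
    int rc = model_ssl_init(&err);
    if (rc == APR_SUCCESS)
        rc = model_set_option_tls_cert(st->global_certs, &err);
    st->ssl_supported = (rc == APR_SUCCESS);
    if (!st->ssl_supported)
        printf("LDAP: SSL support unavailable: %s\n", err.reason ? err.reason : "");
    return st->ssl_supported;
}

/* Proposed fix (first option in the post): only push certs into the SDK
 * when the admin actually configured some. An empty list is left alone. */
int post_config_fixed(ldap_state *st)
{
    ldap_err err;
    int rc = model_ssl_init(&err);
    if (rc == APR_SUCCESS && st->global_certs && st->global_certs->nelts > 0)
        rc = model_set_option_tls_cert(st->global_certs, &err);
    st->ssl_supported = (rc == APR_SUCCESS);
    if (!st->ssl_supported)
        printf("LDAP: SSL support unavailable: %s\n", err.reason ? err.reason : "");
    return st->ssl_supported;
}

/* Scenarios: no LDAPTrustedGlobalCert directives (the post's config) and one. */
int ssl_supported_current_no_certs(void)
{
    cert_array certs = { 0 };
    ldap_state st = { &certs, 0 };
    return post_config_current(&st);
}

int ssl_supported_fixed_no_certs(void)
{
    cert_array certs = { 0 };
    ldap_state st = { &certs, 0 };
    return post_config_fixed(&st);
}

int ssl_supported_fixed_with_certs(void)
{
    cert_array certs = { 1 };
    ldap_state st = { &certs, 0 };
    return post_config_fixed(&st);
}

int main(void)
{
    printf("current, no certs:  ssl_supported=%d\n", ssl_supported_current_no_certs());
    printf("fixed, no certs:    ssl_supported=%d\n", ssl_supported_fixed_no_certs());
    printf("fixed, with certs:  ssl_supported=%d\n", ssl_supported_fixed_with_certs());
    return 0;
}
```

With the guard in place, an ldaps:// URL and no global certs leaves ssl_supported set, which is what the posted config needs. The third scenario shows why the first fix is preferable to making option_set_cert() tolerant: if an admin does configure LDAPTrustedGlobalCert while the certs actually come from the Windows registry store, the error still surfaces in the log instead of being silently ignored.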
