We have been trying to set up Apache on Windows with ldaps (ssl) authentication, using apr-util compiled with the Microsoft ldap sdk.
I believe I have identified a bug in the interaction between httpd (util_ldap.c) and apr-util which makes this combination impossible. This email is an attempt to explain the problem and get a second set of eyes on this. If people agree that this is / might be a bug, I'll file the proper issue and take it from there.
Does the below sound like a reasonable analysis? Am I missing something?
    /*
     * Initialize SSL support, and log the result for the benefit of the admin.
     *
     * If SSL is not supported it is not necessarily an error, as the
     * application may not want to use it.
     */
    rc = apr_ldap_ssl_init(p,
                           NULL,
                           0,
                           &(result_err));
    if (APR_SUCCESS == rc) {
        rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
                                 (void *)st->global_certs, &(result_err));
    }

    if (APR_SUCCESS == rc) {
        st->ssl_supported = 1;
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                     "LDAP: SSL support available" );
    }
    else {
        st->ssl_supported = 0;
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                     "LDAP: SSL support unavailable%s%s",
                     result_err ? ": " : "",
                     result_err ? result_err->reason : "");
    }
#if APR_HAS_MICROSOFT_LDAPSDK
    /* Microsoft SDK use the registry certificate store - error out
     * here with a message explaining this. */
    result->reason = "LDAP: CA certificates cannot be set using this method, "
                     "as they are stored in the registry instead.";
    result->rc = -1;
#endif
3) The error_log has the following entries:
[Mon Feb 25 22:21:18 2013] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Mon Feb 25 22:21:18 2013] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
4) The bug, then, is that using the Microsoft LDAP SDK *always* fails with SSL:
- util_ldap.c always calls apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...), even when there are no global certs
- apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...) always fails when called with APR_HAS_MICROSOFT_LDAPSDK, even when there are no certs
5) Extracts of our config:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
6) There are two reasonable (?) fixes:
- util_ldap_post_config() should not call apr_ldap_set_option if there are no global certs (a similar test can be found in the same file, line 264)
- option_set_cert() should not fail if there are no certificates being set (probably less correct, but also more tolerant)
Does this sound like / look like a reasonable analysis? Am I missing something?
--
Eirik
There is no high like a tango high
There is no low like a tango low
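The control flow described in the message, as an added example that is not part of the original mail and not httpd or apr-util code: it is a constructed, self-contained C model in which `model_set_option_tls_cert()` stands in for option_set_cert() built with APR_HAS_MICROSOFT_LDAPSDK, `ssl_supported_original()` mirrors the quoted util_ldap_post_config() flow, and `ssl_supported_fixed()` applies the first proposed fix (skip apr_ldap_set_option() when there are no global certs). All of these names, `model_err_t` and `MODEL_SUCCESS` are assumptions of the model, chosen to mimic the shape of the real calls so the logic compiles without APR or the Microsoft SDK.

```c
#include <stdio.h>

/* Constructed model, not httpd/apr-util code: the names below mimic the shape
 * of util_ldap_post_config() and option_set_cert() so the control flow from
 * the message can be compiled and checked without APR or the Microsoft SDK. */

#define MODEL_SUCCESS 0   /* stands in for APR_SUCCESS */

typedef struct {
    const char *reason;   /* stands in for apr_ldap_err_t.reason */
    int rc;
} model_err_t;

/* Stand-in for option_set_cert() under APR_HAS_MICROSOFT_LDAPSDK: it rejects
 * APR_LDAP_OPT_TLS_CERT unconditionally, whether or not any cert is passed. */
static int model_set_option_tls_cert(int microsoft_sdk, int cert_count,
                                     model_err_t *err)
{
    (void)cert_count;   /* deliberately ignored, as in the quoted #if block */
    if (microsoft_sdk) {
        if (err) {
            err->reason = "LDAP: CA certificates cannot be set using this "
                          "method, as they are stored in the registry instead.";
            err->rc = -1;
        }
        return -1;
    }
    if (err) {
        err->reason = NULL;
        err->rc = 0;
    }
    return MODEL_SUCCESS;
}

/* Stand-in for the quoted util_ldap_post_config() flow: after a successful
 * ssl_init the TLS_CERT option is always set, even with zero global certs.
 * Returns the value st->ssl_supported would get (1 or 0). */
int ssl_supported_original(int microsoft_sdk, int global_cert_count,
                           model_err_t *err)
{
    int rc = MODEL_SUCCESS;   /* apr_ldap_ssl_init() assumed to succeed */
    if (rc == MODEL_SUCCESS) {
        rc = model_set_option_tls_cert(microsoft_sdk, global_cert_count, err);
    }
    return rc == MODEL_SUCCESS ? 1 : 0;
}

/* First fix from the message: skip the set_option call when there are no
 * global certs, so an empty cert list never trips the SDK-specific error.
 * With certs configured the SDK still (correctly) refuses the option. */
int ssl_supported_fixed(int microsoft_sdk, int global_cert_count,
                        model_err_t *err)
{
    int rc = MODEL_SUCCESS;   /* apr_ldap_ssl_init() assumed to succeed */
    if (rc == MODEL_SUCCESS && global_cert_count > 0) {
        rc = model_set_option_tls_cert(microsoft_sdk, global_cert_count, err);
    }
    return rc == MODEL_SUCCESS ? 1 : 0;
}

int main(void)
{
    model_err_t err = { NULL, 0 };
    int ms_sdk = 1, no_certs = 0;   /* the configuration from the message */

    if (!ssl_supported_original(ms_sdk, no_certs, &err))
        printf("original: LDAP: SSL support unavailable: %s\n", err.reason);
    if (ssl_supported_fixed(ms_sdk, no_certs, &err))
        printf("fixed:    LDAP: SSL support available\n");
    return 0;
}
```

Run as-is it prints the same "SSL support unavailable" message from the error_log for the original flow and "SSL support available" once the cert check is in place; with one or more global certs the fixed flow still reports SSL unavailable under the Microsoft SDK, which is the behaviour the #if block intends.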