| Summary: | mod_authnz_ldap not working under WLDAP32 (novell/iplanet ldap config) | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Alberto Colosi <alcol> |
| Component: | mod_authz_ldap | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | RESOLVED LATER | | |
| Severity: | blocker | CC: | stingertough |
| Priority: | P1 | Keywords: | MassUpdate |
| Version: | 2.2.6 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Windows 2000 | | |
Description
Alberto Colosi
2007-10-09 06:46:35 UTC
Debating between closing INVALID, or marking NEEDINFO. Please get real, "a Win32 Platform" is a non-answer. Identify your OS and service pack level (there's a nifty spot to stuff that above, it's identified by bugzilla as "OS"). Recognize on Win32 this uses the LDAP client interface bundled in the Active Directory support. The support for ldap_s/starttls is going to be determined by which epoch of AD support is installed on this box.

Think about leaving it (for now) as needing info and not as invalid! Mainly because under RedHat Linux it works:

```
Linux xxxxxxxxxxxxxx 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686 i386 GNU/Linux
```

Win32 is a Windows 2000 platform, English language, with SP4 and everything installed from the MS Windows Update web site. The only difference is that the MSI package from the Apache download (for Windows) is compiled with the MS LDAP SDK. On Linux I use the Novell SDK, but it works fine with the Netscape iPlanet SDK too. Why doesn't the same httpd.conf work, if it is working under Linux?

I have added these lines inside the httpd.conf for Windows:

```apache
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
```

and below:

```apache
Alias /swd "d:/Inetpub/ftproot/directory"
<Location /directory>
    Order deny,allow
    Allow from 10.0.0.0/8
    Deny from all
    ReadmeName README
    HeaderName HEADER
    AuthType basic
    AuthBasicProvider ldap
    AuthName "REALM REALM"
    AuthLDAPUrl ldap://ldap.domain.top:389/O=xxx,c=yy?uid?sub NONE
    AuthLDAPBindDN ldapuser
    AuthLDAPBindPassword ldappassword
    AuthzLDAPAuthoritative off
    AuthLDAPRemoteUserIsDN on
    require valid-user
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
</Location>
```

error.log (LogLevel DEBUG):

```
[Tue Oct 09 15:01:43 2007] [debug] mod_authnz_ldap.c(376): [client 10.x.x.x] [1572] auth_ldap authenticate: using URL ldap://ldap.domain.top:389/O=xxx,c=yy?uid?sub
[Tue Oct 09 15:01:43 2007] [warn] [client 10.x.x.x] [1572] auth_ldap authenticate: user authentication failed; URI /swd/ [ldap_search_ext_s() for user failed][Errore di filtro]
```

It is a standalone machine and has to browse against a Lotus Domino 7 LDAP server with authentication but without SSL. If I put a wrong AuthLDAPBindDN / AuthLDAPBindPassword pair, I'm able to see (on the Lotus Domino console) an LDAP authentication error. If the LDAP user and password are valid, I get no errors on my Lotus Domino console.

From my Linux box:

```
Server version: Apache/2.2.6 (Unix)
Server built:   Sep  8 2007 18:35:50
Server's Module Magic Number: 20051115:5
Server loaded:  APR 1.2.2, APR-Util 1.2.2
Compiled using: APR 1.2.2, APR-Util 1.2.2
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authnz_ldap.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_include.c
  mod_filter.c
  mod_deflate.c
  util_ldap.c
  mod_log_config.c
  mod_env.c
  mod_mime_magic.c
  mod_expires.c
  mod_usertrack.c
  mod_unique_id.c
  mod_setenvif.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_info.c
  mod_cgi.c
  mod_cgid.c
  mod_negotiation.c
  mod_dir.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c
```

"Why the same httpd.conf don't work if is working under linux?" Because there are about a half dozen different SDKs and we picked the one that we don't have to be bothered to distribute as part of a win32 binary (and deal with all the licensing implications of). Glad it works for you on Linux. On to your problem; it /should/ work, based on quick verification that the Windows 2000 client drivers are still endorsed against Windows 2003 servers, which suggests they are as current as necessary. I'm researching, and will update this incident in the next few days after some validation. I suspect it's based on the MS preference to connect to starttls-enabled servers, or that it's due to connecting to a starttls ldap service for which you haven't registered the server certificate with the client.

I just installed on a Windows 2003 server with SP2 and everything installed from MS Windows Update up to 01 Oct. 2007. The same thing happens as on my Windows 2000 Server box. httpd.conf (is the same)! Working on Linux but not on Win2000Srv and Win2003Srv.
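Added example, not from the bug report or from httpd itself: a small Python parser that takes the AuthLDAPUrl line from the configuration above, applies the documented defaults, and builds the user search filter mod_authnz_ldap sends, so the request can be compared with what the Domino console or an LDAP server log records. The escape table and the default filter objectclass=* are assumptions drawn from the httpd 2.2 documentation and util_ldap source; confirm them against the build in use.

```python
from urllib.parse import urlparse, unquote

# Characters a user name must not carry unescaped into a filter (RFC 4515).
# This table mirrors the escaping I read in httpd 2.2's util_ldap.c; it is an
# assumption, so confirm it against the build you run.
_ESCAPE = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def parse_auth_ldap_url(directive: str) -> dict:
    """Parse the arguments of an AuthLDAPUrl line:
        ldap://host[:port]/basedn[?attribute[?scope[?filter]]] [NONE|SSL|TLS|STARTTLS]
    Defaults follow the httpd documentation: attribute uid, scope sub,
    filter objectclass=*, connection type NONE."""
    parts = directive.split(None, 1)
    u = urlparse(parts[0])
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError("AuthLDAPUrl needs an ldap:// or ldaps:// URL with a host")
    attr, scope, filt = (u.query.split("?", 2) + ["", "", ""])[:3]
    return {
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "basedn": unquote(u.path.lstrip("/")),
        "attribute": attr or "uid",
        # httpd treats a missing or "base" scope as "sub"
        "scope": "sub" if scope in ("", "base") else scope,
        "filter": filt or "objectclass=*",
        "mode": parts[1].strip().upper() if len(parts) > 1 else "NONE",
    }


def build_user_filter(parsed: dict, user: str) -> str:
    """The search filter mod_authnz_ldap sends for a Basic-auth user name:
    (&(<filter>)(<attribute>=<escaped user>))."""
    return "(&(%s)(%s=%s))" % (parsed["filter"], parsed["attribute"],
                               escape_filter_value(user))


if __name__ == "__main__":
    # Directive copied from the bug report; host and base DN are its placeholders.
    cfg = parse_auth_ldap_url("ldap://ldap.domain.top:389/O=xxx,c=yy?uid?sub NONE")
    print(cfg)
    print(build_user_filter(cfg, "alcol"))           # (&(objectclass=*)(uid=alcol))
    print(build_user_filter(cfg, "alcol*)(uid=*"))   # metacharacters are escaped
```

If the filter printed here is well-formed but the server still answers with a filter error, the problem lies in the client library's handling of the request rather than in the configured URL.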
Unix box, conf lines:

```sh
#
# Tested OK with HTTPD 2.2.0 and mod_authnz_ldap.so with Novell LDAP SDK
#
./configure --enable-deflate --enable-mime-magic --enable-expires --enable-usertrack \
  --enable-unique-id --enable-ssl --with-ssl=/usr/local/ssl --enable-http \
  --enable-mod-info --enable-info --enable-cgi --enable-cgid --enable-spelling \
  --enable-module=all --with-ldap --enable-ldap --enable-auth-ldap --enable-authnz-ldap \
  --with-ldap-include=/home/colosi/dev/ldap/novell-cldap-devel-2006.02.20-1linux/include/ \
  --with-ldap-lib=/home/colosi/dev/ldap/novell-cldap-devel-2006.02.20-1linux/lib/
#
# Tested OK with HTTPD 2.2.0 and mod_authnz_ldap.so with iPlanet LDAP SDK
#
# ./configure --enable-deflate --enable-mime-magic --enable-expires --enable-usertrack \
#   --enable-unique-id --enable-ssl --with-ssl=/usr/local/ssl --enable-http \
#   --enable-mod-info --enable-info --enable-cgi --enable-cgid --enable-spelling \
#   --enable-module=all --with-ldap --enable-ldap --enable-auth-ldap --enable-authnz-ldap \
#   --with-ldap-include=../../ldap/iplanet/include --with-ldap-lib=../../ldap/iplanet/lib/
```

```
totale 168
drwxr-xr-x 8 30     mem     4096 20 feb  2006 .
drwx------ 5 colosi colosi  4096 15 feb  2007 ..
-r--r--r-- 1 30     mem     2894 14 feb  2006 COPYRIGHT.HSpencer
-r--r--r-- 1 30     mem     1341 14 feb  2006 COPYRIGHT.OpenLDAP
drwxr-xr-x 3 30     mem     4096 16 feb  2006 doc
drwxr-xr-x 2 30     mem     4096 14 feb  2006 include
drwxr-xr-x 3 30     mem     4096 14 feb  2006 lib
-r--r--r-- 1 30     mem     1988 14 feb  2006 LICENSE.OpenLDAP
-r--r--r-- 1 30     mem     6279 14 feb  2006 LICENSE.OpenSSL
drwxr-xr-x 3 30     mem     4096 14 feb  2006 man
-r--r--r-- 1 30     mem    41486 14 feb  2006 README.txt
drwxr-xr-x 3 30     mem     4096 14 feb  2006 samples
-rw-r--r-- 1 30     mem    50340 14 feb  2006 SDK_CHANGELOG.html
-rw-r--r-- 1 30     mem     2001  6 feb  2006 SDK_DEPENDENCIES.html
-rw-r--r-- 1 30     mem    10279 15 mar  2005 SDK_LICENSE
drwxr-xr-x 3 30     mem     4096 14 feb  2006 tools
[root@xxxx lib]# ls -la
totale 5832
drwxr-xr-x 3 30     mem     4096 14 feb  2006 .
drwxr-xr-x 8 30     mem     4096 20 feb  2006 ..
drwxr-xr-x 2 30     mem     4096 14 feb  2006 debug
-rwxr-xr-x 1 30     mem    46043 14 feb  2006 libldapgss.so
-rwxr-xr-x 1 30     mem    46043 14 feb  2006 libldapgss.so.0
-rwxr-xr-x 1 30     mem    46043 14 feb  2006 libldapgss.so.0.0.0
-rwxr-xr-x 1 30     mem   795907 14 feb  2006 libldapsdk.so
-rwxr-xr-x 1 30     mem   795907 14 feb  2006 libldapsdk.so.0
-rwxr-xr-x 1 30     mem   795907 14 feb  2006 libldapsdk.so.0.0.0
-rwxr-xr-x 1 30     mem   960437 14 feb  2006 libldapssl.so
-rwxr-xr-x 1 30     mem   960437 14 feb  2006 libldapssl.so.0
-rwxr-xr-x 1 30     mem   960437 14 feb  2006 libldapssl.so.0.0.0
-rwxr-xr-x 1 30     mem   161387 14 feb  2006 libldapx.so
-rwxr-xr-x 1 30     mem   161387 14 feb  2006 libldapx.so.0
-rwxr-xr-x 1 30     mem   161387 14 feb  2006 libldapx.so.0.0.0
```

Someone forgot this ticket?! I'll be old with white hairs ;)

Is this the same as bug 43617?

See also https://bugzilla.redhat.com/show_bug.cgi?id=471898 and http://opensolaris.org/jive/thread.jspa?threadID=84321&tstart=0

(In reply to comment #9)
> Is this the same as bug 43617?
>
> See also https://bugzilla.redhat.com/show_bug.cgi?id=471898 and
> http://opensolaris.org/jive/thread.jspa?threadID=84321&tstart=0

Does not look to be related to me.

No one here?

(In reply to comment #11)
> no one here?

Can you reproduce on Windows 2008 and generate the tracing described here: http://msdn.microsoft.com/en-us/library/aa366152%28VS.85%29.aspx (Caution, it may have your bind DN embedded in it.) Or at least confirm this still occurs on a Windows 2003 with recent maintenance? I don't think there will be much effort in working on a sole report of a failure on Windows 2000.

Thanks for the patch. I installed it on CentOS v5.5, Apache v2.2, and PHP v5.2.13. I restarted Apache and still get a 500 error. My PHP is using FastCGI.

Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.
As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.