Bug 47501

Summary: [ldap] Setting LDAP_OPT_REFHOPLIMIT fails with OpenLDAP
Product: APR
Reporter: Alexey Varlamov <alexey.v.varlamov>
Component: APR-util
Assignee: Apache Portable Runtime bugs mailinglist <bugs>
Status: NEW
Severity: major
CC: lars
Priority: P2
Keywords: PatchAvailable
Version: HEAD
Target Milestone: ---
Hardware: PC
OS: Linux
Attachments: Suggested fix to the problem.

Description Alexey Varlamov 2009-07-09 04:19:17 UTC
Created attachment 23948: Suggested fix to the problem.

apr_ldap_set_option() incorrectly handles setting LDAP_OPT_REFHOPLIMIT with OpenLDAP, see the patch attached. The reason is that OpenLDAP does define LDAP_OPT_REFHOPLIMIT (under the comment /* private and experimental options */ /* OpenLDAP specific options */) but apparently does support setting it. (Tried with the latest v2.4.16 of OpenLDAP.)

This appears to be broken since revision 640388; as a result, LDAP authentication in trunk HTTPD does not work with OpenLDAP, and the following error is logged:
[Thu Jul 09 11:05:18 2009] [debug] util_ldap.c(381): Setting referral hop limit to 5.
[Thu Jul 09 11:05:18 2009] [debug] util_ldap.c(389): Unable to set LDAP_OPT_REFHOPLIMIT option to 5: -1.
[Thu Jul 09 11:05:18 2009] [warn] [client 127.0.0.1] [8816] auth_ldap authenticate: user user1 authentication failed; URI /private [Unable to set LDAP_OPT_REFHOPLIMIT.][Can't contact LDAP server], referer: http://localhost:8000/
Comment 1 Stefan Fritsch 2009-10-06 10:52:27 UTC
I can confirm that this is broken with openldap 2.4.17 and that Alexey's patch fixes the problem.
Comment 2 Ruediger Pluem 2009-10-06 12:06:42 UTC
What about older OpenLDAP versions (e.g. 2.3.x)? Do they still run fine with the patch?
Comment 3 Ruediger Pluem 2009-10-06 12:09:36 UTC
(In reply to comment #2)
> What about older OpenLDAP versions (e.g. 2.3.x)? Do they still run fine with
> the patch?

Ok. So I guess I confused myself. I guess the correct statement from Alexey should be:

The reason is that OpenLDAP does define the
LDAP_OPT_REFHOPLIMIT (under comment /* private and experimental options */
/* OpenLDAP specific options */) but apparently does *NOT* support setting it.
Comment 4 Alexey Varlamov 2009-10-07 02:41:55 UTC
Right, that's my typo - OpenLDAP does *NOT* support setting the option.
Also note that LDAP support is moving to main APR, so the initial patch may not be complete for the latest trunk; both APR and APR-util should be fixed.
Comment 5 Ruediger Pluem 2009-10-07 12:02:47 UTC
Now the patch makes perfect sense :-).
Comment 6 Eric Covener 2009-10-31 07:08:51 UTC
(In reply to comment #5)
> Now the patch makes perfect sense :-).

While it's already the behavior for Novell, I really don't like the behavior of this block of code. The comment talks about reasonable defaults, but this method should only be called if you're looking to change them anyway and you've passed in an explicit number of hops.

Meanwhile, LDAP_OPT_REFHOPLIMIT isn't even ldap_get_option()'able in openldap. I am fixing HTTPD to not make this APR call if the user hasn't explicitly asked for a change from the SDK defaults.

Interested in comments from others, but I do not think it's wise to no-op this call if we can't honor the specific value passed in.
Comment 7 Alexey Varlamov 2009-11-09 03:05:45 UTC
Well, the only (speculative) concern I have is that the suggested change in APR behavior can affect other programs (besides httpd) depending on APR.
OTOH, a major release change may be warrant enough.