mod_ldap does not perform Start TLS properly. Per RFC2830, Start TLS is an LDAPv3 Extended Operation. As such, LDAPv3 must be selected as the protocol version PRIOR to performing the Start TLS operation. util_ldap.c does not do this, resulting in LDAP "Not Available" errors (interpreted, "extended operations are not available in LDAPv2 per RFC") when it is attempted to be used. The solution is trivial: change to LDAPv3 before attempting to use Extended Operations. Please consider the attached code move. It should apply clean to 2.2.0 and snapshot 20060105173307. --- util_ldap.c.orig 2006-01-05 15:23:46.237518000 -0500 +++ util_ldap.c 2006-01-05 15:24:16.355137000 -0500 @@ -263,6 +263,9 @@ return(result->rc); } + /* always default to LDAP V3 */ + ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version); + /* set client certificates */ if (!apr_is_empty_array(ldc->client_certs)) { apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT, @@ -292,9 +295,6 @@ /* Set the alias dereferencing option */ ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref)); - /* always default to LDAP V3 */ - ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version); - /*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */ #ifdef APR_LDAP_OPT_VERIFY_CERT apr_ldap_set_option(ldc->pool, ldc->ldap,
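Review bot: the relocated `ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);` in the first hunk now executes right after the `return(result->rc);` error path and before the client-certificate block, but neither hunk shows where `version` is declared or assigned; since the old call site was further down (after the `LDAP_OPT_DEREF` call in the second hunk), confirm that the initialization of `version` still precedes the new position. The return value of `ldap_set_option` is also discarded at both the old and the new location; if selecting LDAPv3 fails, the later Start TLS extended operation will fail with the same "Not Available" error the report describes, so checking the result here and logging it would make that failure diagnosable instead of silent.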
Patch applied to trunk and proposed for backport
Trunk commit: r370856 (http://svn.apache.org/viewcvs.cgi?rev=370856&view=rev)
Backport proposal: r370857 (http://svn.apache.org/viewcvs.cgi?rev=370857&view=rev)