Bug 42682 - Apache child terminates with signal 11 when using Sun LDAP with SSL
Summary: Apache child terminates with signal 11 when using Sun LDAP with SSL
Status: NEW
Alias: None
Product: APR
Classification: Unclassified
Component: APR
Version: HEAD
Hardware: Sun Solaris
Importance: P2 major
Target Milestone: ---
Assignee: Apache Portable Runtime bugs mailinglist
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2007-06-17 08:11 UTC by Kevin Richter
Modified: 2011-12-02 17:50 UTC



Attachments
make mod_ldap work with Solaris LDAP (also contains APR fix) (4.02 KB, patch)
2010-09-02 07:45 UTC, Stefan Fritsch

Description Kevin Richter 2007-06-17 08:11:58 UTC
Solaris 10. Apache 2.2.4.
Apache is built with the native Sun LDAP libs in /usr/lib and /usr/include
Apache is built without SSL! Conflicting SSL libs cannot be the point.

At the beginning Apache log says:
[info] APR LDAP: Built with Sun Microsystems Inc. LDAP SDK
[info] LDAP: SSL support available

Without SSL the LDAP authorization is fine.

Using SSL an Apache child is killed, exactly when calling the ldap function
ldap_simple_bind_s
(context: uldap_connection_open, in: modules/ldap/util_ldap.c)

Row 390 or so... I have put a lot of debug lines in that file.


Apache log:
[notice] child pid 25209 exit signal Segmentation fault (11)


I have changed the source code to use the function ldap_bind_s, but the
error is the same.


Any ideas?
Comment 1 Ruediger Pluem 2007-06-18 12:38:15 UTC
Please provide a backtrace from the crashed process as described in
http://httpd.apache.org/dev/debugging.html.
Comment 2 Kevin Richter 2007-06-22 09:44:39 UTC
I have no idea what to do exactly. I have played a bit. Set a breakpoint on
the naughty "ldap_simple_bind_s" function. Two debugs - each one a bit different.

Judge for yourself whether this is useful. If not, please tell me what you need.


rayone# gdb httpd
GNU gdb 6.2.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.10"...
(gdb) b ldap_simple_bind_s
Function "ldap_simple_bind_s" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (ldap_simple_bind_s) pending.
(gdb) run -X -d /opt/kevin/apache-2.2.4
Starting program: /opt/kevin/apache-2.2.4/bin/httpd -X -d /opt/kevin/apache-2.2.4
warning: Lowest section in /usr/lib/libpthread.so.1 is .dynamic at 00000074
warning: Lowest section in /usr/lib/libthread.so.1 is .dynamic at 00000074
warning: Lowest section in /usr/lib/libdl.so.1 is .dynamic at 00000094
Breakpoint 2 at 0xff242cbc
Pending breakpoint "ldap_simple_bind_s" resolved
[New LWP 1]
[New LWP 2]
[New LWP 3]
[New LWP 4]
[LWP 2 exited]
[New LWP 2]
[Switching to LWP 3]

Breakpoint 2, 0xff242cbc in ldap_simple_bind_s () from /usr/lib/libldap.so.5
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xff24eacc in do_ldapssl_connect () from /usr/lib/libldap.so.5
(gdb) where
#0  0xff24eacc in do_ldapssl_connect () from /usr/lib/libldap.so.5
#1  0xff24eeac in ldapssl_connect () from /usr/lib/libldap.so.5
(gdb) s
Single stepping until exit from function do_ldapssl_connect,
which has no line number information.
warning: rw_common (): unable to read at addr 0xfeeedc5c
warning: rw_common (): unable to read at addr 0xfeeedc60
thread_to_lwp: td_ta_map_id2thr Debugger service failed
(gdb) bt
#0  0xff24eacc in do_ldapssl_connect () from /usr/lib/libldap.so.5
#1  0xff24eeac in ldapssl_connect () from /usr/lib/libldap.so.5
(gdb) q
The program is running.  Exit anyway? (y or n) y
Quitting: procfs: unconditionally_kill, proc_kill line 4701, /proc/06979: No
such file or directory.




rayone# gdb httpd
GNU gdb 6.2.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.10"...
(gdb) b ldap_simple_bind_s
Function "ldap_simple_bind_s" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (ldap_simple_bind_s) pending.
(gdb)  run -X -d /opt/kevin/apache-2.2.4
Starting program: /opt/kevin/apache-2.2.4/bin/httpd -X -d /opt/kevin/apache-2.2.4
warning: Lowest section in /usr/lib/libpthread.so.1 is .dynamic at 00000074
warning: Lowest section in /usr/lib/libthread.so.1 is .dynamic at 00000074
warning: Lowest section in /usr/lib/libdl.so.1 is .dynamic at 00000094
Breakpoint 2 at 0xff242cbc
Pending breakpoint "ldap_simple_bind_s" resolved
[New LWP 1]
[New LWP 2]
[New LWP 3]
[New LWP 4]
[LWP 2 exited]
[New LWP 2]
[Switching to LWP 3]

Breakpoint 2, 0xff242cbc in ldap_simple_bind_s () from /usr/lib/libldap.so.5
(gdb) bt
#0  0xff242cbc in ldap_simple_bind_s () from /usr/lib/libldap.so.5
#1  0xfe742ab0 in uldap_connection_open () from
/opt/kevin/apache-2.2.4/modules/mod_ldap.so
#2  0xfe74377c in uldap_cache_checkuserid () from
/opt/kevin/apache-2.2.4/modules/mod_ldap.so
#3  0xfe881c54 in authn_ldap_check_password () from
/opt/kevin/apache-2.2.4/modules/mod_authnz_ldap.so
#4  0xfe840dd8 in authenticate_basic_user () from
/opt/kevin/apache-2.2.4/modules/mod_auth_basic.so
#5  0x00035610 in ap_run_check_user_id ()
#6  0x00037700 in ap_process_request_internal ()
#7  0x000468e8 in ap_process_request ()
#8  0x00043d48 in ap_process_http_connection ()
#9  0x00040584 in ap_run_process_connection ()
#10 0x0004ada4 in worker_thread ()
#11 0xff05c12c in dummy_worker () from /opt/kevin/apache-2.2.4/lib/libapr-1.so.0
#12 0xfeec0504 in _lwp_start () from /usr/lib/libc.so.1
#13 0xfeec0504 in _lwp_start () from /usr/lib/libc.so.1
Previous frame identical to this frame (corrupt stack?)
(gdb) s
Single stepping until exit from function ldap_simple_bind_s,
which has no line number information.
0xfeebeb18 in _ti_bind_guard () from /usr/lib/libc.so.1
(gdb) s
Single stepping until exit from function _ti_bind_guard,
which has no line number information.
0xfeebeb50 in _ti_bind_clear () from /usr/lib/libc.so.1
(gdb) s
Single stepping until exit from function _ti_bind_clear,
which has no line number information.
0xff2428f0 in ldap_simple_bind () from /usr/lib/libldap.so.5
(gdb) s
Single stepping until exit from function ldap_simple_bind,
which has no line number information.
0xff242910 in simple_bind_nolock () from /usr/lib/libldap.so.5
(gdb) s
Single stepping until exit from function simple_bind_nolock,
which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
0xff24eacc in do_ldapssl_connect () from /usr/lib/libldap.so.5
(gdb) c
Continuing.
warning: rw_common (): unable to read at addr 0xfeeedc5c
warning: rw_common (): unable to read at addr 0xfeeedc60
thread_to_lwp: td_ta_map_id2thr Debugger service failed

Comment 3 Kevin Richter 2007-06-22 10:24:55 UTC
One thing to add:

The Sun LDAP SSL libs are working fine. ldapsearch and ldaplist use them.

And my PHP-5.2.2 is built successfully against them. A short summary of what the
PHP stuff calls:

char *certpath = "/data/conf";
ldapssl_advclientauth_init( certpath, NULL, 1, certpath, NULL, 1, certpath,
LDAPSSL_AUTH_WEAK );
ldap = ldapssl_init( host, port, 1 );
ldap_bind_s(ld->link, ldap_bind_dn, ldap_bind_pw, LDAP_AUTH_SIMPLE);

No more, no less. And no signal 11 when PHP calls the ldap_bind_s function! :-)
Comment 4 Kevin Richter 2007-06-22 13:41:45 UTC
Yeah. I have successfully changed the source code. Now SSL works without errors
or delays! :)


File srclib/apr-util/ldap/apr_ldap_init.c, Line 149:
Change
    *ldap = ldapssl_init(hostname, portno, 0);
to
    *ldap = ldapssl_init(hostname, portno, 1);



File modules/ldap/util_ldap.c, Line 256:
Delete or comment out the whole block.

f.ex.:

    /* switch on SSL/TLS
    if (APR_LDAP_NONE != ldc->secure) {
        apr_ldap_set_option(ldc->pool, ldc->ldap,
                            APR_LDAP_OPT_TLS, &ldc->secure, &(result));
        if (LDAP_SUCCESS != result->rc) {
            uldap_connection_unbind( ldc );
            ldc->reason = result->reason;
            return(result->rc);
        }
    } */
Comment 5 Nick Kew 2009-11-15 15:24:17 UTC
Looks like you've found a simple bug, that parameter should be the "secure" argument to apr_ldap_init.  I guess your report has been ignored because no one really supports LDAP toolkits other than OpenLDAP, but now I've seen it I'll fix this in trunk as soon as svn comes back.

Belated thanks for the report and diagnosis.
Comment 6 Stefan Fritsch 2010-09-02 07:43:53 UTC
There are a couple of problems here.

- As noted by Nick, apr_ldap_init() should pass the "secure" parameter on to the LDAP library. This alone is not enough, though.

- Solaris LDAP does not support activating SSL by using ldap_set_option. The only way is to pass 1 as second parameter in ldapssl_init().

- Apache httpd's mod_ldap currently always passes secure == APR_LDAP_NONE to apr_ldap_init() and then tries to enable SSL later with apr_ldap_set_option().  To make it possible to use Solaris LDAP with mod_ldap, mod_ldap would have to enable SSL at apr_ldap_init-time and skip the apr_ldap_set_option(..., APR_LDAP_OPT_TLS_CERT, ...) call. Of course, doing this unconditionally would break various SSL features with other LDAP libraries.

One way to solve this would be to have some '#if APR_HAS_SOLARIS_LDAPSDK' in mod_ldap. This breaks the apr-ldap abstraction, but AFAIK apr-ldap will be axed anyway.

On the other hand, the documentation for apr_ldap_init() already recommends: "set the SSL mode here if no per connection client certificates are present, otherwise set secure APR_LDAP_NONE here, then set the per connection client certificates, followed by setting the SSL mode via apr_ldap_set_option()". Is this a way forward or is the risk too high that this would break mod_ssl with some other LDAP library?

The attached patch tries to implement the second solution. It works with Solaris LDAP, but I haven't tested it with any other SDK. Does this look good?
Comment 7 Stefan Fritsch 2010-09-02 07:45:28 UTC
Created attachment 25969 [details]
make mod_ldap work with Solaris LDAP (also contains APR fix)
Comment 8 Stefan Fritsch 2011-06-25 11:20:04 UTC
(In reply to comment #7)
> Created attachment 25969 [details]
> make mod_ldap work with Solaris LDAP (also contains APR fix)

This patch breaks ldaps with OpenLDAP, so it's not suitable for integration as it is.
Comment 9 Graham Leggett 2011-06-26 23:01:09 UTC
The attached patch makes a number of indiscriminate changes to the APIs for all the supported LDAP toolkits, rather than limiting this to Solaris only. In terms of changes to apr_ldap, the changes suggested by Kevin Richter should be enough to make Solaris support work.

As for mod_ldap, for some reason this code is only supporting the scenario where SSL is turned on after the client certificates are set with apr_ldap_set_option(). The second scenario, when secure is set by calling apr_ldap_init() with the secure parameter is ignored, through no clear reason that I can see. In theory, fixing this should be as simple as passing ldc->secure into apr_ldap_init() instead of APR_LDAP_NONE.
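Added example, not code from this thread, APR or httpd: a constructed C model of the two connection-setup orders discussed in comments 6 and 9. The stub functions model_init() and model_set_tls() are hypothetical stand-ins for ldapssl_init() and apr_ldap_set_option(APR_LDAP_OPT_TLS), with the Solaris SDK modelled as unable to switch SSL on after init, as comment 6 states.

```c
#include <stdio.h>

/* Constructed model: SDK kinds and SSL modes used by the stubs below. */
enum { SSL_NONE = 0, SSL_ON = 1 };
enum { SDK_SOLARIS = 0, SDK_OPENLDAP = 1 };

typedef struct { int sdk; int ssl_active; } model_ldap;

/* Stand-in for ldapssl_init(host, port, secure): SSL decided at init time. */
static void model_init(model_ldap *ld, int sdk, int secure) {
    ld->sdk = sdk;
    ld->ssl_active = (secure != SSL_NONE);
}

/* Stand-in for apr_ldap_set_option(..., APR_LDAP_OPT_TLS, ...): the modelled
   Solaris SDK cannot enable SSL after init (returns -1); OpenLDAP can. */
static int model_set_tls(model_ldap *ld, int mode) {
    if (ld->sdk == SDK_SOLARIS) return -1;
    ld->ssl_active = (mode != SSL_NONE);
    return 0;
}

/* Old mod_ldap order: init with SSL_NONE, then try to enable TLS later.
   Returns 0 when the connection ends up in the requested mode. */
static int connect_set_option_path(model_ldap *ld, int sdk, int want) {
    model_init(ld, sdk, SSL_NONE);
    if (want != SSL_NONE && model_set_tls(ld, want) != 0) return -1;
    return (ld->ssl_active == (want != SSL_NONE)) ? 0 : -1;
}

/* Order recommended by the apr_ldap_init() docs quoted in comment 6: pass the
   secure mode at init when no per-connection client certificate is needed,
   otherwise fall back to the set-certs-then-set_option path. */
static int connect_init_path(model_ldap *ld, int sdk, int want, int has_cert) {
    if (has_cert) return connect_set_option_path(ld, sdk, want);
    model_init(ld, sdk, want);
    return (ld->ssl_active == (want != SSL_NONE)) ? 0 : -1;
}

int main(void) {
    model_ldap ld;
    printf("solaris, set_option path: %d\n", connect_set_option_path(&ld, SDK_SOLARIS, SSL_ON));
    printf("solaris, init path:       %d\n", connect_init_path(&ld, SDK_SOLARIS, SSL_ON, 0));
    printf("openldap, set_option path: %d\n", connect_set_option_path(&ld, SDK_OPENLDAP, SSL_ON));
    return 0;
}
```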
Comment 10 Stefan Fritsch 2011-12-02 17:50:34 UTC
Committed changes that only change behavior for Solaris LDAP:

apr 1.5: r1209594
apr 1.4: r1209597

httpd trunk: r1209601
httpd 2.4: r1209604