Bug 54140 - Possible LDAP authentication regression with 2.2.23 release
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ldap
Version: 2.2.23
Hardware: PC Mac OS X 10.4
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Reported: 2012-11-12 18:11 UTC by Mark Phippard
Modified: 2014-02-17 13:52 UTC
Description Mark Phippard 2012-11-12 18:11:43 UTC
I also added this as a comment in the closed bug: 39095.  I did not want to simply reopen an old bug, but it looks similar.

I package Subversion Edge which bundles Apache 2.2.23 + SVN 1.7.7.  The version that includes Apache 2.2.23 was only released on October 26th and we have already had at least a dozen different users reporting they are now getting a problem with LDAP authentication on Windows servers.

A user will get an HTTP 500 when making a Subversion request, and then subsequent requests for that user will be fine again for a while.  When they get the error, this is what is logged:

[info] [client 204.11.125.146] [1248] auth_ldap authenticate: user XXXXX authentication failed; URI /svn/reposname [LDAP: ldap_simple_bind_s() failed][Unavailable]

This is only happening with Windows Apache servers.  I note that the 2.2.23 release includes the following change, which seems innocuous but also seems to be the only change related to LDAP in the CHANGES:

http://svn.apache.org/viewvc?view=revision&revision=1375696

--- httpd/httpd/branches/2.2.x/include/util_ldap.h      2012/08/21
17:48:34        1375695
+++ httpd/httpd/branches/2.2.x/include/util_ldap.h      2012/08/21
17:48:58        1375696
@@ -30,7 +30,7 @@
#include "apr_time.h"
#include "apr_ldap.h"
-#if APR_HAS_MICROSOFT_LDAPSDK
+#ifdef LDAP_UNAVAILABLE
#define AP_LDAP_IS_SERVER_DOWN(s)                ((s) == LDAP_SERVER_DOWN
\
                 ||(s) == LDAP_UNAVAILABLE)
#else
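Review bot: the `#ifdef LDAP_UNAVAILABLE` guard on the changed line only fires when the SDK header defines LDAP_UNAVAILABLE as a preprocessor macro. A header that declares it as an enum constant makes the test false without any warning, so the `#else` branch is compiled and AP_LDAP_IS_SERVER_DOWN stops matching LDAP_UNAVAILABLE on a platform that the removed `#if APR_HAS_MICROSOFT_LDAPSDK` test used to cover. Suggest keeping the SDK test alongside the new one, for example `#if defined(LDAP_UNAVAILABLE) || APR_HAS_MICROSOFT_LDAPSDK`, with a comment saying why both conditions are needed.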
Comment 1 Eric Covener 2012-11-12 18:36:43 UTC
AFAICT it's an enum on Windows and not a macro, so the new test doesn't work.
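The point made in Comment 1, as an added example that is not part of the original bug thread or of httpd: a preprocessor `#ifdef` cannot see an enum constant, so the guard silently selects the narrower macro. The enum, its sample values, `SAMPLE_HAS_ENUM_LDAPSDK` and the function names are constructed for illustration, and the second guard is an assumed alternative, not a quote of the committed fix.

```c
#include <stdio.h>

/* Constructed stand-in for an SDK header that declares its result codes as
 * enum constants, as Comment 1 reports for Windows. Sample values. */
enum sample_ldap_retcode {
    LDAP_SERVER_DOWN = 0x51,
    LDAP_UNAVAILABLE = 0x34
};

/* Hypothetical flag standing in for APR_HAS_MICROSOFT_LDAPSDK. */
#define SAMPLE_HAS_ENUM_LDAPSDK 1

/* Guard as in the 2.2.23 hunk. The preprocessor runs before enums exist,
 * so LDAP_UNAVAILABLE is "not defined" here and the #else branch is used. */
#ifdef LDAP_UNAVAILABLE
#define IS_DOWN_IFDEF(s) ((s) == LDAP_SERVER_DOWN || (s) == LDAP_UNAVAILABLE)
#else
#define IS_DOWN_IFDEF(s) ((s) == LDAP_SERVER_DOWN)
#endif

/* Assumed alternative guard: accept a macro definition or the SDK flag. */
#if defined(LDAP_UNAVAILABLE) || SAMPLE_HAS_ENUM_LDAPSDK
#define IS_DOWN_FLAG(s) ((s) == LDAP_SERVER_DOWN || (s) == LDAP_UNAVAILABLE)
#else
#define IS_DOWN_FLAG(s) ((s) == LDAP_SERVER_DOWN)
#endif

/* 1 if the preprocessor can see LDAP_UNAVAILABLE, 0 if it cannot. */
int ifdef_sees_unavailable(void)
{
#ifdef LDAP_UNAVAILABLE
    return 1;
#else
    return 0;
#endif
}

int server_down_ifdef(int rc) { return IS_DOWN_IFDEF(rc); }
int server_down_flag(int rc)  { return IS_DOWN_FLAG(rc); }

int main(void)
{
    printf("#ifdef sees LDAP_UNAVAILABLE: %d\n", ifdef_sees_unavailable());
    printf("ifdef guard, LDAP_UNAVAILABLE: %d\n", server_down_ifdef(LDAP_UNAVAILABLE));
    printf("flag guard,  LDAP_UNAVAILABLE: %d\n", server_down_flag(LDAP_UNAVAILABLE));
    return 0;
}
```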
Comment 2 Eric Covener 2012-11-12 19:00:21 UTC
Thanks for the report. If you're able to rebuild, please confirm the following rev does the trick?

http://svn.apache.org/viewvc/httpd/httpd/trunk/include/util_ldap.h?r1=1408402&r2=1408401&pathrev=1408402&view=patch
Comment 3 Mark Phippard 2012-11-12 19:02:45 UTC
Thanks.  We will apply that patch to our 2.2.23 build and I will let you know.  It will probably take a couple of days to get back to you.
Comment 4 Mark Phippard 2012-11-26 14:06:25 UTC
Sorry, realized that I never updated this issue.

We applied the change in r1408402 to our 2.2.23 builds and released an update to our community.  We have verification from several sources that this resolved the LDAP problems they were having.  I think this change would be great to backport to the 2.2.x releases if it has not been already.

I do not know the issue tracker policy, so I will leave it to you to mark this issue as fixed.

Thanks
Comment 5 Stefan Fritsch 2013-03-03 16:44:13 UTC
Fixed in 2.4.4 and 2.2.24.