Bug 54358 - Status 500 when using ldap on Solaris because apr_ldap_rebind_add returns APR_ENOTIMPL and LDAPReferrals is On by default
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ldap
Version: 2.5-HEAD
Hardware: Sun Solaris
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2012-12-29 13:00 UTC by Rainer Jung
Modified: 2012-12-29 13:40 UTC

Description Rainer Jung 2012-12-29 13:00:01 UTC
LDAPReferrals is "On" by default. So every new LDAP connection calls 

uldap_connection_open() ->
uldap_connection_init() ->
apr_ldap_rebind_add() ->
apr_ldap_rebind_set_callback()

in modules/ldap/util_ldap.c.

But in apr-util the function apr_ldap_rebind_set_callback() is only implemented if APR_HAS_TIVOLI_LDAPSDK or APR_HAS_OPENLDAP_LDAPSDK or APR_HAS_NOVELL_LDAPSDK, otherwise it just returns APR_ENOTIMPL and Apache errs out with status 500. The following SDKs thus potentially are affected:

- APR_HAS_NETSCAPE_LDAPSDK
- APR_HAS_SOLARIS_LDAPSDK
- APR_HAS_MOZILLA_LDAPSDK
- APR_HAS_MICROSOFT_LDAPSDK
- APR_HAS_ZOS_LDAPSDK
- APR_HAS_OTHER_LDAPSDK

Possible fixes:

- set LDAPReferrals to "Off" by default on the platforms for which rebind is not implemented (and document it)
- ignore errors from the rebind calls
- implement rebind in more platforms

Concerning the last option for Solaris:

- man pages say the feature does exist
- man pages are unfortunately not consistent with system headers about the function signature:

From man pages:

void ldap_set_rebind_proc(LDAP *ld, int (*rebindproc));

and

int rebindproc(LDAP *ld, char **whop, char **credp,
               int *methodp, int freeit);

From header file /usr/include/ldap.h:

LDAP_API(void) LDAP_CALL ldap_set_rebind_proc(LDAP *ld,
        LDAP_REBINDPROC_CALLBACK *rebindproc, void *arg);

and

typedef int (LDAP_CALL LDAP_CALLBACK LDAP_REBINDPROC_CALLBACK)(LDAP *ld,
        char **dnp, char **passwdp, int *authmethodp, int freeit, void *arg);

so header files indicate an additional "arg" argument. A short compilation test indicates the header files are right, man pages are wrong.
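
Added example, not part of the original report and not httpd or apr-util code: a rebind callback written against the six-argument signature from /usr/include/ldap.h quoted above, showing how the extra "arg" carries per-connection bind credentials into the callback. The LDAP typedef, the constant values, struct rebind_creds, dup_string and sample_rebindproc are stand-ins or hypothetical names, and the two-phase freeit convention (called with freeit 0 to obtain credentials, then with freeit non-zero to release them) is assumed from the Netscape-style SDKs.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins so this compiles without the Solaris SDK; on Solaris these
 * come from /usr/include/ldap.h (constant values are assumed here). */
typedef struct ldap LDAP;
#define LDAP_SUCCESS      0x00
#define LDAP_LOCAL_ERROR  0x52
#define LDAP_AUTH_SIMPLE  0x80L

/* Hypothetical per-connection bind identity, passed through "arg". */
struct rebind_creds {
    const char *bind_dn;
    const char *bind_pw;
};

/* Duplicate a string with malloc (strdup is not ISO C). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Matches the six-argument header typedef, not the five-argument man page. */
int sample_rebindproc(LDAP *ld, char **dnp, char **passwdp,
                      int *authmethodp, int freeit, void *arg)
{
    const struct rebind_creds *c = arg;
    (void)ld;

    if (freeit) {                /* second call: release what we handed out */
        free(*dnp);
        free(*passwdp);
        *dnp = *passwdp = NULL;
        return LDAP_SUCCESS;
    }
    if (c == NULL || c->bind_dn == NULL || c->bind_pw == NULL)
        return LDAP_LOCAL_ERROR; /* no identity registered for this handle */

    *dnp = dup_string(c->bind_dn);
    *passwdp = dup_string(c->bind_pw);
    if (*dnp == NULL || *passwdp == NULL) {
        free(*dnp);
        free(*passwdp);
        *dnp = *passwdp = NULL;
        return LDAP_LOCAL_ERROR;
    }
    *authmethodp = LDAP_AUTH_SIMPLE;
    return LDAP_SUCCESS;
}
```

With the real SDK the callback would be registered through the three-argument ldap_set_rebind_proc(ld, rebindproc, arg) shown in the header excerpt, with a pointer to the connection's credentials as arg.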
Comment 1 Eric Covener 2012-12-29 13:40:52 UTC
+1 to flipping the default under those SDKs in 2.4 and turning it off by default altogether in trunk.