We have been trying to set up Apache on Windows with ldaps (SSL) authentication, using apr-util compiled with the Microsoft LDAP SDK, with little success. Looking at the log output, reading the source code and discussions on email lists indicate that there is a bug in the interaction between httpd (util_ldap.c) and apr-util which makes this combination impossible.

In short, this is what happens (with more detail below):

- util_ldap.c always calls apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...), even when there are no global certs
- apr_ldap_set_option(...,APR_LDAP_OPT_TLS_CERT,...) always fails when called with APR_HAS_MICROSOFT_LDAPSDK
- when this fails, ldaps is disabled

The probable fix would be in util_ldap.c, the function util_ldap_post_config. Immediately after calling apr_ldap_ssl_init(), the function calls apr_ldap_set_option() with global certs. The fix would be to only make the call to apr_ldap_set_option() when there are in fact any global certs defined. Coded blindly, as I don't have a build environment:

rc = apr_ldap_ssl_init(p, NULL, 0, &(result_err));
- if (APR_SUCCESS == rc) {
+ if (APR_SUCCESS == rc && !apr_is_empty_array(st->global_certs)) {
rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT, (void *)st->global_certs, &(result_err));
}

++++++++++++++++++++++++++++++++

1) Extracts of httpd-config:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    <Location />
        AuthLDAPURL ldaps://127.0.0.1:1389/ou=People,dc=example,dc=com?uid
    </Location>

2) The error_log has the following entries:

    [Mon Feb 25 22:21:18 2013] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
    [Mon Feb 25 22:21:18 2013] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
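Review bot: the `!apr_is_empty_array(st->global_certs)` guard on the `if (APR_SUCCESS == rc ...)` line only covers the case where no certs are configured; when LDAPTrustedGlobalCert is set on a Microsoft SDK build, `rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT, ...)` still returns -1 and `st->ssl_supported` is still cleared with the same misleading "SSL support unavailable" message, so the patch should also reject (or at least log clearly) LDAPTrustedGlobalCert under APR_HAS_MICROSOFT_LDAPSDK instead of leaving that path as it is. The guard itself is safe: `apr_is_empty_array()` is also true for a NULL array, and builds against the other SDKs still reach `apr_ldap_set_option()` whenever certs are present, so behaviour there is unchanged.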
3) During initialization of util_ldap.c (http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c?view=markup), in util_ldap_post_config(): after calling apr_ldap_ssl_init(), on line 2031, the method apr_ldap_set_option (APR_LDAP_OPT_TLS_CERT) is always called, regardless of whether there are any global certs or not.

    2020     /*
    2021      * Initialize SSL support, and log the result for the benefit of the admin.
    2022      *
    2023      * If SSL is not supported it is not necessarily an error, as the
    2024      * application may not want to use it.
    2025      */
    2026     rc = apr_ldap_ssl_init(p,
    2027                            NULL,
    2028                            0,
    2029                            &(result_err));
    2030     if (APR_SUCCESS == rc) {
    2031         rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
    2032                                  (void *)st->global_certs, &(result_err));
    2033     }
    2034
    2035     if (APR_SUCCESS == rc) {
    2036         st->ssl_supported = 1;
    2037         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
    2038                      "LDAP: SSL support available" );
    2039     }
    2040     else {
    2041         st->ssl_supported = 0;
    2042         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
    2043                      "LDAP: SSL support unavailable%s%s",
    2044                      result_err ? ": " : "",
    2045                      result_err ? result_err->reason : "");
    2046     }

4) Now, in apr_ldap (http://svn.apache.org/viewvc/apr/apr-util/tags/1.4.1/ldap/apr_ldap_option.c?view=markup), the method apr_ldap_set_option() forwards to option_set_cert() (line 396), which ends up in the following code, which *always* fails:

    627 #if APR_HAS_MICROSOFT_LDAPSDK
    628     /* Microsoft SDK use the registry certificate store - error out
    629      * here with a message explaining this. */
    630     result->reason = "LDAP: CA certificates cannot be set using this method, "
    631                      "as they are stored in the registry instead.";
    632     result->rc = -1;
    633 #endif
Looks sensible, but I think we ought to also:

* block LDAPTrustedGlobalCert on MS SDK
* change the INFO messages that follow for the MS SDK.
I am working on a better patch.
Created attachment 30881: patch against the 2.2.25
http://svn.apache.org/viewvc?view=revision&revision=r1526436
Good morning,

I am facing the same problem as Mr Lygre. We are using Apache 2.2.29, and trying to connect to a directory (Sun Directory Server) in ldaps. I receive the same message as mentioned in this post:

    [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
    [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.

By reading this article, we thought the 2.2.25 was correcting the problem. Do you have any information about this? Is it really corrected on the 2.2.25? Are there still some cases where the correction is not enough?

Any help would be much appreciated.

Thanks in advance,
JC
(In reply to JCCousteille from comment #5)
> Good morning,
>
> I am facing the same problem as Mr Lygre.
> We are using Apache 2.2.29, and trying to connect to a directory (Sun
> Directory Server) in ldaps.
> I receive the same message as mentioned in this post:
> [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
> [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set
> using this method, as they are stored in the registry instead.
>
> By reading this article, we thought the 2.2.25 was correcting the problem.
> Do you have any information about this? Is it really corrected on the
> 2.2.25?
> Are there still some cases where the correction is not enough?

No, this was only fixed in trunk. It needs to be backported.
I'm not convinced this actually is a problem. If you grep the code for ssl_supported there isn't anything functional that uses it except for:

    static apr_status_t util_ldap_cleanup_module(void *data)
    {
        server_rec *s = data;
        util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
            s->module_config, &ldap_module);

        if (st->ssl_supported) {
            apr_ldap_ssl_deinit();
        }

        return APR_SUCCESS;
    }

apr_ldap_ssl_deinit() simply calls ldapssl_client_deinit() if it's available, and if you look at apr-ldap.h that's configured against the Microsoft SDK:

    #define APR_HAS_LDAPSSL_CLIENT_DEINIT 0

So that doesn't do anything. There is this commented block in mod_authnz_ldap.c:

    /*
        authn_ldap_config_t *sec = (authn_ldap_config_t *)
            ap_get_module_config(s->module_config, &authnz_ldap_module);

        if (sec->secure) {
            if (!util_ldap_ssl_supported(s)) {
                ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
                             "LDAP: SSL connections (ldaps://) not supported by utilLDAP");
                return(!OK);
            }
        }
    */

But as it's commented, it's irrelevant.

I just staged both a 2.4.16 and 2.2.31 install and had no problems connecting to an ldaps server once I trusted the right certificate in the Microsoft certificate management console, even though it stated:

    LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.

That said, the patch in trunk is broken as it was heuristically applied wrong, and it will not compile on Windows. I'll upload a new version of it. But best I can tell, this simply ensures ldapssl_client_deinit is called if it's supported, and cosmetically fixes that message so it's correct. I don't see any functional changes otherwise.
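The comment above says ldaps worked once the right certificate was trusted in the Windows certificate store, which is where the Microsoft LDAP SDK looks instead of LDAPTrustedGlobalCert. The following PowerShell script is an added diagnostic, not code from the bug report, httpd or apr-util: it opens a TLS connection to the ldaps endpoint, prints the server certificate, and checks whether the certificate chains to a root in the LocalMachine store. The host name and port are placeholders (the report itself uses 127.0.0.1:1389); replace them with the values from AuthLDAPURL.

```powershell
# Added diagnostic (not part of the bug report or of httpd/apr-util).
# Verifies that an ldaps endpoint's certificate chains to a root trusted by the
# Windows LocalMachine store, which is the store the Microsoft LDAP SDK consults.
param(
    [string]$LdapHost = "ldap.example.com",   # placeholder: host from AuthLDAPURL
    [int]$Port = 636                          # placeholder: ldaps port (the report used 1389)
)

$tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $Port)
$ssl = $null
try {
    # Accept any certificate at the TLS layer so the chain can be inspected
    # below. This is a diagnostic only; never use an always-true callback in
    # production code.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($LdapHost)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Protocol : $($ssl.SslProtocol)"
    "Subject  : $($cert.Subject)"
    "Issuer   : $($cert.Issuer)"
    "Expires  : $($cert.NotAfter)"

    # A host name that does not match the certificate is a common reason for an
    # ldaps bind to fail even when the CA is trusted; show both for comparison.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    "DNS name : $dnsName (host used: $LdapHost)"

    # Build the chain in machine context: httpd normally runs as a Windows
    # service, so the LocalMachine store is what matters, not the store of
    # the user running this script.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    foreach ($el in $chain.ChainElements) { "  chain  : $($el.Certificate.Subject)" }
    if ($trusted) {
        "Chain builds against the LocalMachine store; the Microsoft LDAP SDK should accept this server."
    }
    else {
        foreach ($st in $chain.ChainStatus) { "  status : $($st.Status) - $($st.StatusInformation.Trim())" }
        "Chain does not build. Import the issuing CA into the machine root store from an elevated prompt, e.g.:"
        "  Import-Certificate -FilePath .\ldap-ca.cer -CertStoreLocation Cert:\LocalMachine\Root"
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run it on the machine that hosts httpd, since the result depends on that machine's certificate store. Revocation checking is disabled so that an offline CRL does not mask the trust question the thread is about; re-enable it once the chain builds.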
Created attachment 33094: fixed version of patch in trunk

This patch applies properly to 2.4.16 and should replace the fix in trunk.