apr-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 42682] Apache child terminates with signal 11 when using Sun LDAP with SSL
Date Thu, 02 Sep 2010 11:43:57 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=42682

--- Comment #6 from Stefan Fritsch <sf@sfritsch.de> 2010-09-02 07:43:53 EDT ---
There are a couple of problems here.

- As noted by Nick, apr_ldap_init() should pass the "secure" parameter on to
the LDAP library. This alone is not enouogh, though.

- Solaris LDAP does not support activating SSL by using ldap_set_option. The
only way is to pass 1 as second parameter in ldapssl_init().

- Apache httpd's mod_ldap currently always passes secure == APR_LDAP_NONE to
apr_ldap_init() and then tries to enable SSL later with apr_ldap_set_option(). 
To make it possible to use Solaris LDAP with mod_ldap, mod_ldap would have to
enable SSL at apr_ldap_init-time and skip the apr_ldap_set_option(...,
APR_LDAP_OPT_TLS_CERT, ...) call. Of course, doing this unconditionally would
break various SSL features with other LDAP libraries.

One way to solve this would be to have some '#if APR_HAS_SOLARIS_LDAPSDK' in
mod_ldap. This breaks the apr-ldap abstraction, but AFAIK apr-ldap will be axed
anyway.

On the other hand, the documentation for apr_ldap_init() already recommends:
"set the SSL mode here if no per connection client certificates are present,
otherwise set secure APR_LDAP_NONE here, then set the per connection client
certificates, followed by setting the SSL mode via apr_ldap_set_option()". Is
this a way forward or is the risk too high that this would break mod_ssl with
some other LDAP library?

The attached patch tries implement the second solution. It works with Solaris
LDAP, but I haven't tested it with any other SDK. Does this look good?

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org


Mime
View raw message