[Auth_ldap] openldap, ldap_initialize, TLS, etc.
Joseph Dane
jdane at hawaii.edu
Mon Apr 3 12:53:42 PDT 2006
a colleague and I spent a day last week trying to get auth_ldap 1.6.1
working with openldap 2.3.20, w/o any luck. we did learn a few
things, though, and I thought I'd share them here, since I saw several
messages in the archives that looked like people were having similar
problems.
first, the typical advice of hacking auth_ldap.c to unconditionally
call ldap_init instead of ldap_initialize probably works. I had read
a few things in various openldap list archives about ldap_initialize
being the new and improved way of doing things (despite this function
not existing AFAICT in any standards documents) so I wanted to see if
I could get it to work.
so, I left the call to ldap_initialize in there.
the first hassle was that the error reporting done by auth_ldap at the
point of the initialization call is lacking. it uses whatever happens
to be in errno at the time, which turns out to often be ENOENT, since
part of the initialization process is to look around for various "rc"
files, which invariably don't exist. so the result is a message in
the logs like this:
[Fri Mar 31 15:20:44 2006] [error] Could not connect to LDAP server: No such file or directory
which is an absolute red herring. the problem turned out to have
nothing whatever to do with a file not found.
the problem, in a nutshell, is that ldap_initialize does *not* want
and cannot handle "full" LDAP URIs, as specified in RFC 2255 and
described in the auth_ldap documentation. instead, it wants a comma
separated list of "url"s, meaning at most
scheme://host:port
and nothing more. try to pass an LDAP URI in there, with a typical
base DN (note "comma separated list" above), and you'll get obscure
errors about bad URIs. or rather, you won't get such errors, because
auth_ldap swallows them. I had the idea that maybe I could encode the
URI, i.e. instead of using
AuthLDAPUrl ldaps://ldap1.its.hawaii.edu/ou=people,dc=hawaii,dc=edu?uid
I might use
AuthLDAPUrl ldaps://ldap1.its.hawaii.edu/ou=people%2cdc=hawaii%2cdc=edu?uid
that got me a bit farther, but still didn't seem to work, and I gave
up on it w/o much further investigation.
I have to ventilate a bit here about the absolute lack of any
documentation of the ldap_initialize function. documentation seems of
course to always get less attention than it should, particularly in
open source projects, but this case seems particularly egregious, the
function being the first thing one has to call in all cases to use the
library.
Anyhow, I need to figure out a way forward here. I can see a few
options:
* use ldap_init rather than ldap_initialize, and startTLS. this
works, and is probably the way we'll go forward. but it sucks to
have to apply a patch to auth_ldap.c every time we need to
compile. also, this won't work for people who can't use startTLS,
for whatever reason.
* use ldap_init with an https URL. sounds simple enough, and the log
messages seem to indicate that a secure connection is being
requested, but then the logs say
[Mon Apr 3 09:12:00 2006] [error] Could not bind to LDAP server `ldap1.its.hawaii.edu' as cn=webdev,ou=Specials,dc=hawaii,dc=edu: Inappropriate authentication
which I think generally means that it tried to authenticate over a
non-secure connection. I've tcpdumped the interface, and sure
enough the connection attempt is made to the non-secure port. the
source in auth_ldap_config I think shows why
if (strncmp(url, "ldaps", 5) == 0) {
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,
                 cmd->server, "{%d} requesting secure LDAP", (int)getpid());
#ifdef WITH_SSL
    sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
    sec->secure = 1;
#else
#if defined(WITH_OPENLDAP) && LDAP_VENDOR_VERSION <= 20000
    return "Secure LDAP (ldaps://) not supported. Rebuild auth_ldap";
#endif
#endif
}
if you don't have WITH_SSL (which doesn't work at all with
openldap) you're SOL.
* fix the call to ldap_initialize such that it uses just the parts of
the URL that openldap wants to see. this might be the best
approach for auth_ldap itself to take going forward, seeing how the
openldap people seem to be pushing ldap_initialize as the way to
go.
sorry for the excessively long message. I wanted to get something
into the archives to help people who find themselves in a similar
situation. I find auth_ldap extremely useful, but it has been
something of a hassle to get going.
--
joe
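As an added example for the third option above (this is my own illustration, not code from auth_ldap or OpenLDAP): the split that ldap_initialize needs is exactly the one an RFC 2255 URL already encodes. The function below takes an AuthLDAPUrl value, pulls out the scheme://host:port prefix that ldap_initialize accepts, and keeps the base DN (with %XX sequences decoded), attributes, scope and filter as separate fields for the later search. The default ports 389 (ldap) and 636 (ldaps) and the secure flag are derived from the scheme, so an ldaps:// URL never ends up aimed at the plaintext port. The struct and function names are my own; libldap's own ldap_url_parse() produces the same pieces in its lud_* fields, which is what a real patch would use, but this version has no libldap dependency so it can be compiled and tried on its own.

```c
/* Added example: split an RFC 2255-style LDAP URL into the
 * "scheme://host:port" that ldap_initialize() accepts plus the DN,
 * attribute, scope and filter parts. Names here are illustrative only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_DEFAULT_PORT  389   /* standard ldap:// port */
#define LDAPS_DEFAULT_PORT 636   /* standard ldaps:// port */

struct ldap_url_parts {
    char scheme[8];      /* "ldap" or "ldaps" */
    char host[256];
    int  port;
    int  secure;         /* 1 when the scheme is ldaps */
    char basedn[512];    /* %XX-decoded, e.g. "ou=people,dc=hawaii,dc=edu" */
    char attrs[256];     /* e.g. "uid"; may be empty */
    char scope[16];      /* "base", "one" or "sub"; may be empty */
    char filter[256];    /* e.g. "(objectClass=person)"; may be empty */
    char init_url[300];  /* the only thing to hand to ldap_initialize() */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Copy len bytes of src into dst, decoding %XX escapes; -1 if it won't fit. */
static int url_decode(const char *src, size_t len, char *dst, size_t dstlen)
{
    size_t i, o = 0;
    for (i = 0; i < len; i++) {
        int c = (unsigned char)src[i];
        if (c == '%' && i + 2 < len &&
            hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            c = hexval(src[i + 1]) * 16 + hexval(src[i + 2]);
            i += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Take one '?'-separated field from *cur, advancing past the separator. */
static int take_field(const char **cur, char *dst, size_t dstlen)
{
    size_t len = strcspn(*cur, "?");
    if (url_decode(*cur, len, dst, dstlen) != 0) return -1;
    *cur += len;
    if (**cur == '?') (*cur)++;
    return 0;
}

/* Returns 0 on success, -1 on a malformed URL. Only ldap/ldaps are accepted. */
int parse_auth_ldap_url(const char *url, struct ldap_url_parts *p)
{
    const char *sep, *hostport, *colon, *rest;
    size_t slen, hplen, hlen;

    memset(p, 0, sizeof *p);
    sep = strstr(url, "://");
    if (!sep) return -1;
    slen = (size_t)(sep - url);
    if (slen >= sizeof p->scheme) return -1;
    memcpy(p->scheme, url, slen);
    p->scheme[slen] = '\0';
    if (strcmp(p->scheme, "ldap") == 0) {
        p->port = LDAP_DEFAULT_PORT;
    } else if (strcmp(p->scheme, "ldaps") == 0) {
        p->port = LDAPS_DEFAULT_PORT;
        p->secure = 1;
    } else {
        return -1;
    }

    /* host[:port] runs up to the first '/' */
    hostport = sep + 3;
    hplen = strcspn(hostport, "/");
    colon = memchr(hostport, ':', hplen);
    hlen = colon ? (size_t)(colon - hostport) : hplen;
    if (hlen == 0 || hlen >= sizeof p->host) return -1;
    memcpy(p->host, hostport, hlen);
    p->host[hlen] = '\0';
    if (colon) {
        char *end;
        long port = strtol(colon + 1, &end, 10);
        if (end != hostport + hplen || port <= 0 || port > 65535) return -1;
        p->port = (int)port;
    }
    snprintf(p->init_url, sizeof p->init_url, "%s://%s:%d",
             p->scheme, p->host, p->port);

    /* optional "/dn?attrs?scope?filter" tail; everything here stays out of init_url */
    rest = hostport + hplen;
    if (*rest == '\0') return 0;
    rest++;
    if (take_field(&rest, p->basedn, sizeof p->basedn) != 0) return -1;
    if (*rest == '\0') return 0;
    if (take_field(&rest, p->attrs, sizeof p->attrs) != 0) return -1;
    if (*rest == '\0') return 0;
    if (take_field(&rest, p->scope, sizeof p->scope) != 0) return -1;
    if (*rest == '\0') return 0;
    if (take_field(&rest, p->filter, sizeof p->filter) != 0) return -1;
    return 0;
}

int main(void)
{
    /* the two URLs from the message above, plus one with an explicit port */
    const char *samples[] = {
        "ldaps://ldap1.its.hawaii.edu/ou=people,dc=hawaii,dc=edu?uid",
        "ldaps://ldap1.its.hawaii.edu/ou=people%2cdc=hawaii%2cdc=edu?uid",
        "ldap://ldap1.its.hawaii.edu:3389/dc=hawaii,dc=edu?uid?sub?(objectClass=person)",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ldap_url_parts p;
        if (parse_auth_ldap_url(samples[i], &p) != 0) {
            printf("bad URL: %s\n", samples[i]);
            continue;
        }
        printf("ldap_initialize gets: %s (secure=%d)\n  basedn=%s attrs=%s scope=%s filter=%s\n",
               p.init_url, p.secure, p.basedn, p.attrs, p.scope, p.filter);
    }
    return 0;
}
```

With this split, the call becomes ldap_initialize(&ld, p.init_url) followed by a check of its return value against LDAP_SUCCESS and a log line built from ldap_err2string() on that value, rather than from whatever errno happens to hold; that is also the fix for the "No such file or directory" red herring.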