Bug 191307

Summary: The certificate mapping capability of mod_authz_ldap appears to be disabled in the RedHat binaries and source files.
Product: Red Hat Enterprise Linux 4
Reporter: Glenn Hobbs <gerry.hobbs>
Component: mod_authz_ldap
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4.0
CC: benl
Keywords: Reopened
Hardware: i386
OS: Linux
Fixed In Version: RHBA-2007-0232
Doc Type: Bug Fix
Last Closed: 2007-05-01 17:13:05 UTC

Description Glenn Hobbs 2006-05-10 17:31:13 UTC
Description of problem:

The certificate mapping capability of mod_authz_ldap appears to be disabled in 
the RedHat binaries and source files.

Version-Release number of selected component (if applicable):

mod_authz_ldap-0.26-2

How reproducible:

Never works

Steps to Reproduce:
1.  enable certificate mapping in the authz_ldap.conf file
2.  restart apache
3.  attempt to access a directory where certificate mapping is on.
 
  
Actual results:
  The user is prompted for the certificate.  However, the code in the 
mod_authz_ldap source for certificate mapping always returns null, i.e. the 
user is not mapped and the authorization fails.


Expected results:
  The user is prompted for the certificate.  The user for whom the 
certificate matches is returned and the authorization succeeds.

Additional info:

Comment 1 Joe Orton 2006-05-16 15:15:43 UTC
Thanks for the report.  Can you post the configuration which you're using?

Comment 2 Glenn Hobbs 2006-06-29 21:09:50 UTC
We're using 
httpd-2.0.52-22, mod_ssl-2.0.52-22 and the authz mentioned above to 
authenticate off of MS Active Directory.  Non-certificate (user/pword) auth to 
the AD works correctly.

Going by the directions found at http://authzldap.othello.ch/configuration.html 
(Step 10) we tried variations on config parameters, basically all possible 
values for AuthzLDAPMapMethod and AuthzLDAPMethod with no success.

Failing the obvious I turned the LogLevel to DEBUG and AuthzLDAPLogLevel to 
DEBUG.  This yielded lots of other debug messages but nothing from any of the 
authz files.

I guessed that debug messages were compiled out of the authz build. (Grab a 
copy of the authz sources for the rest of this! (: ) So I grabbed the source 
RPM and rebuilt it, adding to the SPEC file -DDEBUG and (per mod_authz_ldap.h) 
-DAUTHZ_LDAP_DEBUG

This finally yielded a few messages from authz .c modules but strangely no 
results from certmap.c where the action is supposed to be.  After a while I 
figured out that the symbol AUTHZ_LDAP_HAVE_SSL was not evaluating TRUE and 
this caused all of the function bodies in certmap.c to be #ifdef'd out of the 
compilation.

I hardcoded AUTHZ_LDAP_HAVE_SSL into mod_authz_ldap.h and rebuilt the RPM.  
Still no luck... the critical code sections were not being compiled.  I 
discovered the EAPI symbol was also not defined which was the source of the 
problems, so I #defined it in the mod_authz_ldap.h.

Recompiled and BLAM, it compiled the critical sections of code.  I verified 
this by using the symbols command to look for debug strings unique to the 
certmap.c file.  But apache bombs out with undefined symbols for the new 
authz.so when I tried to restart it.

So the root of the problem is the EAPI symbol not being defined.
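The failure mode the comment above describes, a security feature whose whole body is `#ifdef`'d out so that the module still builds and loads but always answers "not mapped", can be made visible at build time and at startup. The following is an added illustration written in C for this page; it is not mod_authz_ldap's code. The macro names AUTHZ_LDAP_HAVE_SSL and EAPI are the ones the report mentions; the CERTMAP_ENABLED and AUTHZ_LDAP_REQUIRE_CERTMAP macros, the status enum, the helper functions and the subject-DN table are all hypothetical and constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the guard pattern from the report, not mod_authz_ldap's
 * code. The certificate-mapping body sits behind preprocessor guards; when the
 * guard macros are absent at build time the function still compiles and links
 * but always answers "not mapped". AUTHZ_LDAP_HAVE_SSL and EAPI are the names
 * from the report; everything else in this file is made up for the example. */

#if defined(AUTHZ_LDAP_HAVE_SSL) && defined(EAPI)
#define CERTMAP_ENABLED 1
#else
#define CERTMAP_ENABLED 0
#endif

/* Build-time check (hypothetical flag): a packager who wants certificate
 * mapping defines AUTHZ_LDAP_REQUIRE_CERTMAP and gets a hard build failure
 * instead of a silently crippled module. */
#if defined(AUTHZ_LDAP_REQUIRE_CERTMAP) && !CERTMAP_ENABLED
#error "certificate mapping requested but AUTHZ_LDAP_HAVE_SSL and/or EAPI are not defined"
#endif

typedef enum {
    CERTMAP_OK = 0,        /* subject mapped; *user set */
    CERTMAP_NO_MATCH = 1,  /* mapping is active, this subject is simply unknown */
    CERTMAP_DISABLED = 2   /* mapping compiled out: a build/deployment error */
} certmap_status;

/* Constructed sample of subject DN -> user mappings, standing in for the
 * directory lookup the real module would perform. */
static const struct { const char *dn; const char *user; } sample_map[] = {
    { "CN=alice,OU=Staff,O=Example", "alice" },
    { "CN=bob,OU=Staff,O=Example",   "bob"   },
};

/* The pattern from the report: the whole body is #ifdef'd out and the stub
 * that remains returns NULL, indistinguishable from "no such user". */
const char *certmap_lookup_legacy(const char *subject_dn)
{
#if CERTMAP_ENABLED
    size_t i;
    for (i = 0; i < sizeof sample_map / sizeof sample_map[0]; i++)
        if (strcmp(sample_map[i].dn, subject_dn) == 0)
            return sample_map[i].user;
#else
    (void)subject_dn;
#endif
    return NULL;
}

/* Same lookup, but "feature absent" is a distinct result, so the caller can
 * log a configuration error instead of a plain authorization failure. */
certmap_status certmap_lookup(const char *subject_dn, const char **user)
{
    *user = NULL;
#if !CERTMAP_ENABLED
    (void)subject_dn;
    return CERTMAP_DISABLED;
#else
    {
        size_t i;
        for (i = 0; i < sizeof sample_map / sizeof sample_map[0]; i++) {
            if (strcmp(sample_map[i].dn, subject_dn) == 0) {
                *user = sample_map[i].user;
                return CERTMAP_OK;
            }
        }
        return CERTMAP_NO_MATCH;
    }
#endif
}

/* Reports whether the mapping code was actually compiled into this build. */
int certmap_compiled_in(void) { return CERTMAP_ENABLED; }

/* Convenience wrappers so a startup self-check (or a test) can query outcomes. */
certmap_status certmap_status_for(const char *dn)
{
    const char *u;
    return certmap_lookup(dn, &u);
}

int certmap_maps_to(const char *dn, const char *expected)
{
    const char *u;
    return certmap_lookup(dn, &u) == CERTMAP_OK && strcmp(u, expected) == 0;
}

int main(void)
{
    /* Startup self-check: refuse to run a build whose mapping code is absent. */
    if (!certmap_compiled_in()) {
        printf("startup check: certificate mapping is compiled out; refusing to start\n");
        return 1;
    }
    printf("alice maps to expected user: %s\n",
           certmap_maps_to("CN=alice,OU=Staff,O=Example", "alice") ? "yes" : "no");
    printf("unknown subject status: %d\n", (int)certmap_status_for("CN=mallory,O=Other"));
    return 0;
}
```

Compiled with no flags this reproduces the report's symptom (the legacy lookup returns NULL for every subject and the self-check refuses to start); compiled with `-DAUTHZ_LDAP_HAVE_SSL -DEAPI` the mapping branch is built and the lookups succeed; compiled with `-DAUTHZ_LDAP_REQUIRE_CERTMAP` but without those two macros the build itself fails, which is the point: a missing `-D` should surface as a build error or a refused startup, never as an authorization denial that looks like a bad certificate.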

Comment 3 Joe Orton 2006-07-11 13:50:27 UTC
Thanks, yes, this was tracked down in a separate bug too.

Experimental test packages are now available which contain a patch to
correct this issue.  These packages are unsupported and have not gone
through the Red Hat QA process.

http://people.redhat.com/~jorton/Nahant-mazl/

Any feedback from testing these packages is very welcome.  To obtain supported
packages please contact Red Hat Global Support via http://www.redhat.com/support


Comment 5 RHEL Program Management 2006-10-09 22:07:18 UTC
The component this request has been filed against is not planned for inclusion
in the next update. The decision is based on weighting the priority and number
of requests for a component as well as the impact on the Red Hat Enterprise
Linux user-base: other components are considered having higher priority and the
number of changes we intend to include in update cycles is limited.

Comment 6 RHEL Program Management 2006-10-09 22:16:35 UTC
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request. 

Comment 15 Red Hat Bugzilla 2007-05-01 17:13:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0232.html