Bug 191307
Summary: | The certificate mapping capability of mod_authz_ldap appears to be disabled in the RedHat binaries and source files. | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Glenn Hobbs <gerry.hobbs> |
Component: | mod_authz_ldap | Assignee: | Joe Orton <jorton> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 4.0 | CC: | benl |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | RHBA-2007-0232 | Doc Type: | Bug Fix |
Last Closed: | 2007-05-01 17:13:05 UTC | Type: | --- |
Description
Glenn Hobbs
2006-05-10 17:31:13 UTC
Thanks for the report. Can you post the configuration which you're using?

We're using httpd-2.0.52-22, mod_ssl-2.0.52-22 and the authz mentioned above to authenticate off of MS Active Directory. Non-certificate (user/pword) auth to the AD works correctly.

Going by the directions found at http://authzldap.othello.ch/configuration.html (Step 10) we tried variations on config parameters, basically all possible values for AuthzLDAPMapMethod and AuthzLDAPMethod, with no success.

Failing the obvious I turned the LogLevel to DEBUG and AuthzLDAPLogLevel to DEBUG. This yielded lots of other debug messages but nothing from any of the authz files. I guessed that debug messages were compiled out of the authz build. (Grab a copy of the authz sources for the rest of this! (: )

So I grabbed the source RPM and rebuilt it, adding to the SPEC file -DDEBUG and (per mod_authz_ldap.h) -DAUTHZ_LDAP_DEBUG. This finally yielded a few messages from authz .c modules but strangely no results from certmap.c where the action is supposed to be.

After a while I figured out that the symbol AUTHZ_LDAP_HAVE_SSL was not evaluating TRUE and this caused all of the function bodies in certmap.c to be #ifdef'd out of the compilation. I hardcoded AUTHZ_LDAP_HAVE_SSL into mod_authz_ldap.h and rebuilt the RPM. Still no luck... the critical code sections were not being compiled.

I discovered the EAPI symbol was also not defined, which was the source of the problems, so I #defined it in the mod_authz_ldap.h. Recompiled and BLAM, it compiled the critical sections of code. I verified this by using the symbols command to look for debug strings unique to the certmap.c file. But Apache bombs out with undefined symbols for the new authz.so when I tried to restart it.

So the root of the problem is the EAPI symbol not being defined.

Thanks, yes, this was tracked down in a separate bug too.

Experimental test packages are now available which contain a patch to correct this issue. These packages are unsupported and have not gone through the Red Hat QA process.

http://people.redhat.com/~jorton/Nahant-mazl/

Any feedback from testing these packages is very welcome. To obtain supported packages please contact Red Hat Global Support via http://www.redhat.com/support

The component this request has been filed against is not planned for inclusion in the next update. The decision is based on weighting the priority and number of requests for a component as well as the impact on the Red Hat Enterprise Linux user-base: other components are considered having higher priority and the number of changes we intend to include in update cycles is limited.

Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0232.html
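
The failure mode reported in this bug, an authentication code path whose function bodies are removed by an undefined preprocessor symbol while the module still builds, is shown below as an added example; it is not code from mod_authz_ldap or from anyone in this report. The function names, return codes and the assumed link between EAPI and AUTHZ_LDAP_HAVE_SSL are hypothetical, and the subject DN in the usage is constructed.

```c
/* Constructed model, not mod_authz_ldap source: names and return codes are
 * hypothetical; only EAPI and AUTHZ_LDAP_HAVE_SSL come from the report. */
#include <stdio.h>
#include <string.h>
#if defined(EAPI) && !defined(AUTHZ_LDAP_HAVE_SSL)
#define AUTHZ_LDAP_HAVE_SSL 1 /* assumption: SSL support is keyed off EAPI */
#endif
enum { MAP_OK = 0, MAP_DECLINED = -1, CFG_OK = 0, CFG_ERROR = 1 };
/* Failure mode: without the macro the body vanishes but the module still builds. */
int map_certificate(const char *subject_dn, char *user, size_t len)
{
#ifdef AUTHZ_LDAP_HAVE_SSL
    const char *cn = strstr(subject_dn, "CN=");
    size_t n = cn ? strcspn(cn + 3, ",/") : 0;
    if (n == 0 || n >= len) return MAP_DECLINED;
    snprintf(user, len, "%.*s", (int)n, cn + 3);
    return MAP_OK;
#else
    (void)subject_dn; (void)user; (void)len;
    return MAP_DECLINED; /* every request is quietly declined */
#endif
}

/* Expose the build-time decision so it can be checked at run time. */
int certmap_compiled_in(void)
{
#ifdef AUTHZ_LDAP_HAVE_SSL
    return 1;
#else
    return 0;
#endif
}

/* Startup check: fail loudly when mapping is requested but compiled out. */
int check_config(int certmap_requested, char *err, size_t errlen)
{
    if (certmap_requested && !certmap_compiled_in()) {
        snprintf(err, errlen, "certificate mapping requested but not compiled in");
        return CFG_ERROR;
    }
    err[0] = '\0';
    return CFG_OK;
}

int main(void)
{
    char err[80];
    int rc = check_config(1, err, sizeof err);
    return printf("compiled_in=%d rc=%d %s\n", certmap_compiled_in(), rc, err) < 0;
}
```

Compiling the same file with -DEAPI switches the mapping body back in, and the startup check then passes.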