Bug 962819

Summary: Apache Use of LDAP+SSL Doesn't Work on Windows
Product: JBoss Enterprise Web Server 2
Component: httpd
Reporter: Jimmy Wilson <jawilson>
Assignee: Weinan Li <weli>
QA Contact: Libor Fuka <lfuka>
Docs Contact:
Status: CLOSED EOL
Severity: urgent
Priority: urgent
Version: 2.0.0, 2.0.1
CC: jclere, jdoyle, mturk, myarboro, pslavice, rsvoboda, weli
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously in JBoss Enterprise Web Server, httpd only partially supported the Microsoft Windows version of the LDAP SDK. With that SDK the SSL information for secure LDAP must be stored in the Windows registry, which httpd/apr did not support. On Windows, the combination of LDAP and SSL therefore did not work and produced the following error message: "LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead." This issue is fixed in JBoss Enterprise Web Server 2.1, and the secure LDAP information is now stored in the registry without errors, as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-13 12:09:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (description, flags):
httpd error_log: none
access_log: none
ldap conf: none

Description Jimmy Wilson 2013-05-14 13:56:12 UTC
Apache use of LDAP+SSL doesn't work on Windows.

There's an upstream bug report (linked).

Comment 2 Jean-frederic Clere 2013-05-14 14:57:36 UTC
This bug isn't yet fixed in 2.4.x upstream.
Additionally, it is a bit tricky to test/develop on Windows, so unless people from the ASF fix the bug we won't be able to have it in EWS 2.0.1.

Comment 5 Mandar Joshi 2013-05-29 17:02:43 UTC
Added DocText.

@Jean-Frederic Clere, can you please review the Doc Text content?

Comment 7 Weinan Li 2013-05-30 02:46:37 UTC
This issue won't be included in EWS 2.0.1 as it's already NACKed by PM.

Comment 8 Misha H. Ali 2013-05-30 07:09:39 UTC
Identified by Jean-Frederic as a Known Issue. Added release note, assuming no workaround exists. Need SMEs to confirm the release note is accurate.

Comment 9 Jean-frederic Clere 2013-09-25 16:05:26 UTC
I have submitted a better patch upstream for 2.2.25. Now porting to 2.2.22.

Comment 10 Jean-frederic Clere 2013-10-14 12:13:14 UTC
The upstream patch "https://issues.apache.org/bugzilla/attachment.cgi?id=30881"
also applies to our httpd version.

Comment 11 Mladen Turk 2013-10-16 08:44:56 UTC
I have rebuilt httpd with the patch applied.
You can download binaries from
https://brewweb.devel.redhat.com/buildinfo?buildID=300050

Note that you only need to extract and copy mod_ldap.so and mod_authnz_ldap.so
over the existing EWS.

Please check if that does the trick.

Comment 12 Libor Fuka 2013-10-22 06:30:51 UTC
Is this bug ON_QA ?
If so, please change the status.

Comment 13 Libor Fuka 2013-10-22 09:27:24 UTC
Are you sure, Mladen, that only copying mod_ldap.so and mod_authnz_ldap.so from the build is enough?
The test still returns httpd status code 500 (internal server error).

Comment 14 Mladen Turk 2013-10-22 10:22:56 UTC
(In reply to Libor Fuka from comment #13)
> Are you sure Mladen, that only mod_ldap.so and mod_authnz_ldap.so copies
> from build are enough ?
> The test still returns httpd status code 500 - internal server error

The patch only touches util_ldap.c so yes, that's the only file changed by this patch. No other files are affected.

Comment 15 Libor Fuka 2013-10-22 12:34:00 UTC
OK, so the patch doesn't work.

Comment 16 Libor Fuka 2013-10-22 12:34:46 UTC
Created attachment 814970 [details]
httpd error_log

Comment 17 Libor Fuka 2013-10-22 12:35:13 UTC
Created attachment 814971 [details]
access_log

Comment 18 Libor Fuka 2013-10-22 12:35:46 UTC
Created attachment 814972 [details]
ldap conf

Comment 19 Mladen Turk 2013-10-22 13:57:29 UTC
Do you have the log files without the patched mod_ldap?

Comment 20 Libor Fuka 2013-10-23 07:09:03 UTC
Yes, I have. The error_log is the same.

Comment 21 Jean-frederic Clere 2013-10-23 13:11:46 UTC
[Tue Oct 22 04:39:14 2013] [info] [client 127.0.0.1] [3152] auth_ldap authenticate: user hnelson authentication failed; URI /ldap-status [LDAP: ldap_simple_bind_s() failed][Server Down]

Are you sure the ldap server is running?

Comment 22 Libor Fuka 2013-10-23 13:13:15 UTC
Sure, LDAP is running.

Comment 23 Jean-frederic Clere 2013-10-23 14:16:06 UTC
You should remove the STARTTLS in the AuthLDAPURL.

Comment 24 Libor Fuka 2013-10-23 14:56:15 UTC
The result is the same with or without STARTTLS.

Comment 25 Jean-frederic Clere 2013-10-23 15:40:53 UTC
Note: TLS | STARTTLS is not supported by the Windows operating system LDAP SDK; you need to use SSL or ldaps://.
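To illustrate the Doc Text and comment 25 together, here is an added httpd configuration example (not from the bug report, the attached "ldap conf", or the EWS product) showing the form that fails with the Windows LDAP SDK next to the form that works; the host name, base DN, port numbers and certificate path are constructed placeholders, and the note on the Windows certificate store is inferred from the error text quoted in the Doc Text.

```apache
# Added example, not the configuration attached to this bug. The LDAP host,
# base DN and CA path are placeholders.

# Form that fails on Windows: the Microsoft LDAP SDK implements neither TLS nor
# STARTTLS, and LDAPTrustedGlobalCert cannot load a CA file for it, which yields
# "LDAP: CA certificates cannot be set using this method, as they are stored in
# the registry instead." and a 500 for every request to the protected location.
#LDAPTrustedGlobalCert CA_DER "C:/ews/conf/ldap-ca.der"
#<Location /ldap-status>
#    AuthType Basic
#    AuthName "LDAP protected"
#    AuthBasicProvider ldap
#    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?uid?sub?(objectClass=*)" STARTTLS
#    Require valid-user
#</Location>

# Working form on Windows: LDAP over SSL on port 636 (ldaps:// scheme and the
# SSL mode argument), with no LDAPTrustedGlobalCert directive; the issuing CA
# is taken from the machine certificate store, which is what the error message
# refers to as the registry (assumption based on that message).
<Location /ldap-status>
    AuthType Basic
    AuthName "LDAP protected"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com:636/dc=example,dc=com?uid?sub?(objectClass=*)" SSL
    Require valid-user
</Location>
```

A quick check after the change is to request /ldap-status with valid credentials and confirm the error_log no longer shows the "[Server Down]" bind failure quoted in comment 21.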

Comment 26 Libor Fuka 2013-10-25 11:43:11 UTC
Tested with SSL and it still doesn't work :(

Comment 28 Libor Fuka 2013-10-29 14:03:42 UTC
New build: https://brewweb.devel.redhat.com/buildinfo?buildID=302150

Comment 29 Libor Fuka 2013-10-30 06:52:00 UTC
VERIFIED build from #28 (mod_ldap.so, mod_authnz_ldap.so) on MS Windows 2008 32-bit, MS Windows 2008 64-bit, MS Windows 2008R2 64-bit.
No regressions found.

Comment 30 Mandar Joshi 2014-08-08 12:14:26 UTC
Changed Doc type to Bug Fix.
Updated Doc Text.