Red Hat Bugzilla – Bug 191307
The certificate mapping capability of mod_authz_ldap appears to be disabled in the RedHat binaries and source files.
Last modified: 2007-11-30 17:07:24 EST
Description of problem:
The certificate mapping capability of mod_authz_ldap appears to be disabled in
the RedHat binaries and source files.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. enable certificate mapping in the authz_ldap.conf file
2. restart apache
3. attempt to access a directory where certificate mapping is on.
The user is prompted for the certificate. However, the code in the
mod_authz_ldap source for certificate mapping always returns null, i.e. the
user is not mapped and the authorization fails.
The user is prompted for the certificate. The user for whom the
certificate matches is returned and the authorization succeeds.
Thanks for the report. Can you post the configuration which you're using?
httpd-2.0.52-22, mod_ssl-2.0.52-22 and the authz mentioned above to
authenticate off of MS Active Directory. Non-certificate (user/pword) auth to
the AD works correctly.
Going by the directions found at http://authzldap.othello.ch/configuration.html
(Step 10) we tried variations on config parameters, basically all possible
values for AuthzLDAPMapMethod and AuthzLDAPMethod with no success.
Failing the obvious I turned the LogLevel to DEBUG and AuthzLDAPLogLevel to
DEBUG. This yielded lots of other debug messages but nothing from any of the
I guessed that debug messages were compiled out of the authz build. (Grab a
copy of the authz sources for the rest of this! (: ) So I grabbed the source
RPM and rebuilt it, adding to the SPEC file -DDEBUG and (per mod_authz_ldap.h) -
This finally yielded a few messages from authz .c modules but strangely no
results from certmap.c where the action is supposed to be. After a while I
figured out that the symbol AUTHZ_LDAP_HAVE_SSL was not evaluating TRUE and
this caused all of the function bodies in certmap.c to be #ifdef'd out of the
I hardcoded AUTHZ_LDAP_HAVE_SSL into mod_authz_ldap.h and rebuilt the RPM.
Still no luck... the critical code sections were not being compiled. I
discovered the EAPI symbol was also not defined which was the source of the
problems, so I #defined it in the mod_authz_ldap.h.
Recompiled and BLAM, it compiled the critical sections of code. I verified
this by using the symbols command to look for debug strings unique to the
certmap.c file. But apache bombs out with undefined symbols for the new
authz.so when I tried to restart it.
So the root of the problem is the EAPI symbol not being defined.
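
The diagnosis above, turned into a build-time check, as an added example that is not part of the original report or of the mod_authz_ldap sources: it lists the `#ifdef` guard symbols in a source file that the compiler flags do not define, so silently compiled-out code shows up before deployment. The macro names come from the report; the sample file contents and the function name in it are constructed.

```shell
#!/bin/sh
# Added example: list preprocessor guard symbols used in C sources that the
# given compiler flags do not define. Symbols #defined in headers are not
# tracked, so treat the output as "check these", not as proof.

# undefined_guards "<cflags>" file...
undefined_guards() {
    cflags=$1; shift
    grep -hE '^[[:space:]]*#[[:space:]]*(ifdef|if[[:space:]]+defined)' "$@" |
    sed -E 's/^[[:space:]]*#[[:space:]]*(ifdef|if[[:space:]]+defined)[[:space:](]*([A-Za-z_][A-Za-z0-9_]*).*/\2/' |
    sort -u |
    while read -r sym; do
        case " $cflags " in
            *" -D$sym "*|*" -D$sym="*) ;;   # defined on the command line
            *) echo "$sym" ;;               # guarded code will be compiled out
        esac
    done
}

# Constructed sample standing in for a guarded source file; the function
# name is hypothetical and not taken from certmap.c.
make_sample() {
    cat > "$1" <<'EOF'
#ifdef AUTHZ_LDAP_HAVE_SSL
#ifdef EAPI
const char *map_certificate_to_user(void) {
#ifdef DEBUG
    /* debug logging would go here */
#endif
    return "mapped-user";
}
#endif /* EAPI */
#endif /* AUTHZ_LDAP_HAVE_SSL */
EOF
}

sample=$(mktemp)
make_sample "$sample"
echo "Guards not satisfied by -DDEBUG -DAUTHZ_LDAP_HAVE_SSL:"
undefined_guards "-DDEBUG -DAUTHZ_LDAP_HAVE_SSL" "$sample"
rm -f "$sample"
```

As the report shows, defining a missing guard symbol by hand can still fail at load time when the API it stands for is absent from the build, so a reported symbol is a prompt to check the build, not a flag to add blindly.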
Thanks, yes, this was tracked down in a separate bug too.
Experimental test packages are now available which contain a patch to
correct this issue. These packages are unsupported and have not gone
through the Red Hat QA process.
Any feedback from testing these packages is very welcome. To obtain supported
packages please contact Red Hat Global Support via http://www.redhat.com/support
The component this request has been filed against is not planned for inclusion
in the next update. The decision is based on weighting the priority and number
of requests for a component as well as the impact on the Red Hat Enterprise
Linux user-base: other components are considered having higher priority and the
number of changes we intend to include in update cycles is limited.
Product Management has reviewed and declined this request. You may appeal this
decision by reopening this request.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.