Description of problem:
The certificate mapping capability of mod_authz_ldap appears to be disabled in the Red Hat binaries and source files.

Version-Release number of selected component (if applicable):
mod_authz_ldap-0.26-2

How reproducible:
Never works

Steps to Reproduce:
1. enable certificate mapping in the authz_ldap.conf file
2. restart apache
3. attempt to access a directory where certificate mapping is on.

Actual results:
The user is prompted for the certificate. However, the code in the mod_authz_ldap source for certificate mapping always returns null, i.e. the user is not mapped and the authorization fails.

Expected results:
The user is prompted for the certificate. The user for whom the certificate matches is returned and the authorization succeeds.

Additional info:
Thanks for the report. Can you post the configuration which you're using?
We're using httpd-2.0.52-22, mod_ssl-2.0.52-22 and the authz mentioned above to authenticate off of MS Active Directory. Non-certificate (user/pword) auth to the AD works correctly. Going by the directions found at http://authzldap.othello.ch/configuration.html (Step 10) we tried variations on config parameters, basically all possible values for AuthzLDAPMapMethod and AuthzLDAPMethod with no success.

Failing the obvious I turned the LogLevel to DEBUG and AuthzLDAPLogLevel to DEBUG. This yielded lots of other debug messages but nothing from any of the authz files. I guessed that debug messages were compiled out of the authz build. (Grab a copy of the authz sources for the rest of this! (: )

So I grabbed the source RPM and rebuilt it, adding to the SPEC file -DDEBUG and (per mod_authz_ldap.h) -DAUTHZ_LDAP_DEBUG. This finally yielded a few messages from authz .c modules but strangely no results from certmap.c where the action is supposed to be. After a while I figured out that the symbol AUTHZ_LDAP_HAVE_SSL was not evaluating TRUE and this caused all of the function bodies in certmap.c to be #ifdef'd out of the compilation. I hardcoded AUTHZ_LDAP_HAVE_SSL into mod_authz_ldap.h and rebuilt the RPM. Still no luck... the critical code sections were not being compiled.

I discovered the EAPI symbol was also not defined, which was the source of the problems, so I #defined it in the mod_authz_ldap.h. Recompiled and BLAM, it compiled the critical sections of code. I verified this by using the symbols command to look for debug strings unique to the certmap.c file. But apache bombs out with undefined symbols for the new authz.so when I tried to restart it. So the root of the problem is the EAPI symbol not being defined.
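The failure mode described in the comment above, as an added illustration rather than code from mod_authz_ldap or Red Hat: a feature macro that the build never defines causes the preprocessor to remove the body of the certificate-mapping function, so it returns NULL for every certificate and the caller cannot tell a stub from "no such user" (authorization simply fails). The macro names EXAMPLE_HAVE_SSL and EXAMPLE_EAPI, the mapping table and the probe functions are all constructed for this example and stand in for the AUTHZ_LDAP_HAVE_SSL and EAPI symbols from the report; the example also shows two ways to make such a build loud, a build-time `#error` guard and a startup self-check.

```c
/* Added example, not mod_authz_ldap code. Shows how a feature macro that a
 * build never defines turns a certificate-mapping function into a stub that
 * always returns NULL, and two checks that expose that. EXAMPLE_HAVE_SSL and
 * EXAMPLE_EAPI are hypothetical stand-ins for AUTHZ_LDAP_HAVE_SSL and EAPI. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What a correct configure step would define. Build with
 * -DEXAMPLE_SIMULATE_MISSING_EAPI to reproduce the reported situation. */
#ifndef EXAMPLE_SIMULATE_MISSING_EAPI
#define EXAMPLE_HAVE_SSL 1
#define EXAMPLE_EAPI 1
#endif

#if defined(EXAMPLE_HAVE_SSL) && defined(EXAMPLE_EAPI)
#define CERTMAP_COMPILED_IN 1
#else
#define CERTMAP_COMPILED_IN 0
#endif

/* Build-time check: a package that is supposed to ship certificate mapping
 * can require it and fail the build instead of shipping a silent stub. */
#if defined(EXAMPLE_REQUIRE_CERTMAP) && !CERTMAP_COMPILED_IN
#error "certificate mapping requested but EXAMPLE_HAVE_SSL/EXAMPLE_EAPI are not defined"
#endif

/* Constructed mapping table: certificate subject DN -> directory user. */
struct cert_map {
    const char *subject_dn;
    const char *user;
};

static const struct cert_map cert_table[] = {
    { "CN=alice,OU=Staff,DC=example,DC=com", "alice" },
    { "CN=bob,OU=Staff,DC=example,DC=com",   "bob"   },
};

/* Returns the mapped user name, or NULL if the certificate is unknown.
 * When the guard is false the whole body is removed by the preprocessor and
 * the function returns NULL for every input, which from the caller's side is
 * indistinguishable from "no such user". */
const char *map_cert_to_user(const char *subject_dn)
{
#if CERTMAP_COMPILED_IN
    size_t i;
    for (i = 0; i < sizeof cert_table / sizeof cert_table[0]; i++) {
        if (strcmp(cert_table[i].subject_dn, subject_dn) == 0)
            return cert_table[i].user;
    }
    return NULL;
#else
    (void)subject_dn;
    return NULL;
#endif
}

/* Reports whether the mapping code was actually compiled in. */
int certmap_compiled_in(void)
{
    return CERTMAP_COMPILED_IN;
}

/* Runtime self-check for a module init hook: maps a known probe subject and
 * returns 1 only if the real code path answered. Logging the result at
 * startup turns a silent stub into a visible misconfiguration. */
int certmap_self_check(void)
{
    const char *probe = cert_table[0].subject_dn;
    const char *user = map_cert_to_user(probe);
    if (!CERTMAP_COMPILED_IN || user == NULL) {
        fprintf(stderr, "certmap: mapping code not compiled in (check build flags)\n");
        return 0;
    }
    return 1;
}

int main(void)
{
    const char *u;
    printf("compiled in: %d, self-check: %d\n",
           certmap_compiled_in(), certmap_self_check());
    u = map_cert_to_user("CN=alice,OU=Staff,DC=example,DC=com");
    printf("alice maps to: %s\n", u ? u : "(null)");
    return certmap_self_check() ? 0 : 1;
}
```

Compiled as-is the mapping works and the self-check passes; compiled with -DEXAMPLE_SIMULATE_MISSING_EAPI every lookup returns NULL and the self-check reports the stub at startup, which is the behaviour the report describes. The same verification the reporter did by hand (looking for strings unique to certmap.c in the built module with nm or strings) is what the self-check automates.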
Thanks, yes, this was tracked down in a separate bug too. Experimental test packages are now available which contain a patch to correct this issue. These packages are unsupported and have not gone through the Red Hat QA process. http://people.redhat.com/~jorton/Nahant-mazl/ Any feedback from testing these packages is very welcome. To obtain supported packages please contact Red Hat Global Support via http://www.redhat.com/support
The component this request has been filed against is not planned for inclusion in the next update. The decision is based on weighing the priority and number of requests for a component as well as the impact on the Red Hat Enterprise Linux user base: other components are considered to have higher priority and the number of changes we intend to include in update cycles is limited.
Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0232.html