Bug 191307 - The certificate mapping capability of mod_authz_ldap appears to be disabled in the RedHat binaries and source files.
Summary: The certificate mapping capability of mod_authz_ldap appears to be disabled i...
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: mod_authz_ldap   
(Show other bugs)
Version: 4.0
Hardware: i386
OS: Linux
Target Milestone: ---
: ---
Assignee: Joe Orton
QA Contact:
Keywords: Reopened
Depends On:
TreeView+ depends on / blocked
Reported: 2006-05-10 17:31 UTC by Glenn Hobbs
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version: RHBA-2007-0232
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-05-01 17:13:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0232 normal SHIPPED_LIVE mod_authz_ldap bug fix update 2007-05-01 17:13:03 UTC

Description Glenn Hobbs 2006-05-10 17:31:13 UTC
Description of problem:

The certificate mapping capability of mod_authz_ldap appears to be disabled in 
the RedHat binaries and source files.

Version-Release number of selected component (if applicable):


How reproducible:

Never works

Steps to Reproduce:
1.  enable certificate mapping in the authz_ldap.conf file
2.  restart apache
3.  attempt to access a directory were certficate mapping in on.
Actual results:
  The user is prompted for the certificate.  However, the code in the 
mod_authz_ldap source for certificate mapping always returns null.  I.E the 
user is not mapped and the authorization fails.

Expected results:
  The user is prompted for the certificate.  The user if for whom the 
certificate matches is returned and the authorization succeeds.

Additional info:

Comment 1 Joe Orton 2006-05-16 15:15:43 UTC
Thanks for the report.  Can you post the configuration which you're using?

Comment 2 Glenn Hobbs 2006-06-29 21:09:50 UTC
We're using 
httpd-2.0.52-22, mod_ssl-2.0.52-22 and the authz mentioned above to 
authenticate off of MS Active Directory.  Non-certificate (user/pword) auth to 
the AD works correctly.

Going by the directions found at http://authzldap.othello.ch/configuration.html 
(Step 10) we tried variations on config parameters, basiclly all possible 
values for AuthzLDAPMapMethod and AuthzLDAPMethod with no success.

Failing the obvious I turned the LogLevel to DEBUG and AuthzLDAPLogLevel to 
DEBUG.  This yeilded lots of other debug messages but nothing from any of the 
authz files.

I guessed that debug messages were compiled out of the authz build. (Grab a 
copy of the authz sources for the rest of this! (: ) So I grabbed the source 
RPM and rebuilt it, adding to the SPEC file -DDEBUG and (per mod_authz_ldap.h) -

This finally yielded a few messages from authz .c modules but strangely no 
results from certmap.c where the action is supposed to be.  After a while I 
figured out that the symbol AUTHZ_LDAP_HAVE_SSL was not evaluating TRUE and 
this caused all of the function bodies in certmap.c to be #ifdef'd out of the 

I hardcoded AUTHZ_LDAP_HAVE_SSL into mod_authz_ldap.h and rebuilt the RPM.  
Still no luck... the critical code sections were not being compiled.  I 
discovered the EAPI symbol was also not defined which was the source of the 
problems, so I #defined it in the mod_authz_ldap.h.

Recompiled and BLAM, it compiled the critical sections of code.  I verified 
this by using the symbols command to look for debug strings unique to the 
certmap.c file.  But apache bombs out with undefined symbols for the new 
authz.so when I tried to restart it.

So the root of the problem is the EAPI symbol not being defined.

Comment 3 Joe Orton 2006-07-11 13:50:27 UTC
Thanks, yes, this was tracked down in a separate bug too.

Experimental test packages are now available which contain a patch to
correct this issue.  These packages are unsupported and have not gone
through the Red Hat QA process.


Any feedback from testing these packages is very welcome.  To obtain supported
packages please contact Red Hat Global Support via http://www.redhat.com/support

Comment 5 RHEL Product and Program Management 2006-10-09 22:07:18 UTC
The component this request has been filed against is not planned for inclusion
in the next update. The decision is based on weighting the priority and number
of requests for a component as well as the impact on the Red Hat Enterprise
Linux user-base: other components are considered having higher priority and the
number of changes we intend to include in update cycles is limited.

Comment 6 RHEL Product and Program Management 2006-10-09 22:16:35 UTC
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request. 

Comment 15 Red Hat Bugzilla 2007-05-01 17:13:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.