Description of problem:
When performing an LDAP request using curl through a HTTP proxy in tunnel mode (curl option '-p' or '--proxytunnel'), curl hangs trying to connect directly to the LDAP server using the proxy port.

Version-Release number of selected component (if applicable):
curl-7.15.5-9.el5

How reproducible:
100%

Steps to Reproduce:
1. Install and configure a Squid proxy that allows CONNECT method requests to LDAP ports.
2. Use curl to send a request to an LDAP server using the proxy tunnel option '-p':
curl -x 1.1.1.1:3128 -p ldap://2.2.2.2/ou=users,dc=example,dc=net??sub?uid=foo

Actual results:
curl hangs trying to connect to the LDAP server using the proxy port:
connect(4, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("2.2.2.2")}, 16) = ? ERESTARTSYS (To be restarted)

Expected results:
curl should attempt to connect to the proxy server instead of the LDAP server and return the LDAP search result:
DN: uid=foo,ou=Users,dc=example,dc=net
cn: Foo Bar
givenName: foo
sn: bar
uid: foo
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: posixAccount
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/foo
loginShell: /bin/bash
mail: foo

Additional info:
Fixed upstream in c59dba338ea2c71fa0422a8594928d3c1787469e on 17/09/2010
We've discussed the issue with Pierre Carrier. The upstream patch is not applicable, since it modifies lib/openldap.c, which does not exist in RHEL-5 at all. A solution to this would be to modify lib/ldap.c, which makes it possible to dlopen the openldap library. The key problem right now seems to be the lack of the ldap_init_fd() function in RHEL-5. I'll clone this bug for openldap, in order to get some feedback on the issue from its maintainer.
Created attachment 462308 [details] Pierre's patch adapted for el5
Created attachment 462321 [details] less intrusive version of the patch I realized we should not require users to update openldap unless they are interested in using LDAP over HTTP proxy. The improved patch should solve the problem. Plain LDAP now works with both old and new openldap packages. Only if the user needs LDAP over HTTP proxy is the update of openldap required.
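The connect-target logic the bug report and the patch discussion describe, as an added illustration that is not curl's code: with -x and -p the TCP connect must go to the proxy, the CONNECT authority is the LDAP server on its own port, and when ldap_init_fd() is unavailable the tunnel request must fail rather than fall back to a direct connect (the struct and function names are assumed, not curl's).

```c
#include <stdio.h>
#include <string.h>

#define LDAP_DEFAULT_PORT 389

/* Constructed model of the connection state that matters here; assumed
 * field names, not curl's real struct layout. */
struct conn_model {
    const char *host;        /* LDAP server taken from the URL */
    int port;                /* LDAP port from the URL (0 = default) */
    const char *proxy_host;  /* -x proxy host, NULL if none */
    int proxy_port;          /* -x proxy port */
    int httpproxy;           /* -x given */
    int tunnel_proxy;        /* -p given */
    int have_ldap_init_fd;   /* dlsym("ldap_init_fd") succeeded */
};

/* Decide where the TCP connect goes. Returns 0 on success, -1 when a
 * tunnel was requested but cannot be honoured; never silently fall back
 * to a direct connect, since that would bypass the proxy as the bug did. */
int choose_connect_target(const struct conn_model *c, char *host,
                          size_t hlen, int *port)
{
    if (c->httpproxy && c->tunnel_proxy) {
        if (!c->have_ldap_init_fd)
            return -1;
        snprintf(host, hlen, "%s", c->proxy_host);
        *port = c->proxy_port;
        return 0;
    }
    snprintf(host, hlen, "%s", c->host);
    *port = c->port ? c->port : LDAP_DEFAULT_PORT;
    return 0;
}

/* CONNECT line sent to the proxy: the authority is the LDAP server and
 * its port, not the proxy's port. */
int build_connect_request(const struct conn_model *c, char *buf, size_t blen)
{
    int ldap_port = c->port ? c->port : LDAP_DEFAULT_PORT;
    return snprintf(buf, blen, "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
                    c->host, ldap_port, c->host, ldap_port);
}

/* Parse the proxy's status line; only a 2xx code means the socket may be
 * handed to ldap_init_fd(). Returns the code, or -1 if malformed. */
int parse_connect_status(const char *reply)
{
    int major, minor, code;
    if (sscanf(reply, "HTTP/%d.%d %3d", &major, &minor, &code) != 3)
        return -1;
    return code;
}
```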
Created attachment 462337 [details] with a warning if the symbol is not available
(In reply to comment #6) > Created attachment 462337 [details] > with a warning if the symbol is not available Sounds like a good idea and the message is clear to me. We only can't use the original macro for that purpose: >@@ -316,7 +317,25 @@ CURLcode Curl_ldap(struct connectdata *conn, bool *done) > DYNA_GET_FUNCTION(void (__cdecl *)(void *, int), ber_free); > DYNA_GET_FUNCTION(int (__cdecl *)(void *, int, void *), ldap_set_option); > >- server = (*ldap_init)(conn->host.name, (int)conn->port); >+ if(conn->bits.tunnel_proxy && conn->bits.httpproxy) { >+ /* for LDAP over HTTP proxy */ >+ status = DYNA_GET_FUNCTION(int (__cdecl *)(int, int, char *, void *), ldap_init_fd) >+ if(status == CURLE_FUNCTION_NOT_FOUND) { ldap_init_fd = (int (__cdecl *)(int, int, char *, void *)) DynaGetFunction("ldap_init_fd"); if(!ldap_init_fd) {
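Review bot: the `status = DYNA_GET_FUNCTION(int (__cdecl *)(int, int, char *, void *), ldap_init_fd)` line in the quoted hunk has no terminating semicolon, and it treats the macro as an expression yielding a CURLcode, which the reply itself says the original macro cannot be used for. The direct `DynaGetFunction("ldap_init_fd")` call followed by an `if(!ldap_init_fd)` check, as sketched in the reply, is the right shape for an optional symbol: the lookup must fail only on the tunnel-proxy path and leave plain LDAP unaffected.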
available updates for stable Fedora: curl-7.20.1-5.fc13 curl-7.21.0-6.fc14
Created attachment 471918 [details] resulting patch Pierre, could you please review final version of the patch? Thanks in advance!
Hello Kamil, Looks good to me. Whilst checking the return of dlsym, I realized we should probably go with introducing "probably". We could even go a step further with: - failf(data, "Your openldap version is too old for HTTP proxying", dlerror()); + failf(data, "Cannot use ldap_init_fd (%s), " + "your openldap version is probably too old for HTTP proxying", dlerror()); With best regards, -- Pierre
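Review bot: the `-` line passes `dlerror()` to `failf()` without a matching `%s` in the format string, so the argument is silently dropped; the `+` lines fix that by adding `(%s)`. Note that `dlerror()` returns NULL when no error is pending, so the message should only be built immediately after the failed `dlsym()` call, before any other dl call can clear it.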
Created attachment 471932 [details] resulting patch V2 Sounds like a good idea. An updated patch attached.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Previously, an attempt to send an LDAP request through an HTTP proxy tunnel ended up with cURL trying to connect to the LDAP server directly using a wrong port number. With this update, the underlying source code has been modified to address this issue, and cURL now works as expected.
Created attachment 474826 [details] resulting patch V3 Pierre, could you please review the updated patch? This should fix the crash on i386: @@ -271,7 +271,7 @@ CURLcode Curl_ldap(struct connectdata *conn, bool *done) void (__cdecl *ber_free)(void *, int); int (__cdecl *ldap_set_option)(void *, int, void *); - void *server; + void *server = NULL; LDAPURLDesc *ludp = NULL; const char *mod_name; void *result;
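Review bot: initialising `server` to NULL removes the use of an indeterminate pointer on the path where `ldap_init_fd` fails, but it only helps if the later code actually tests `server` before calling into libldap or unbinding; please confirm the error path after the failed lookup checks `server` for NULL (or jumps straight to cleanup) rather than relying on the initialiser alone.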
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0241.html