Bug 962819 - Apache Use of LDAP+SSL Doesn't Work on Windows
Status: VERIFIED
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
Version: 2.0.0, 2.0.1
Priority: urgent
Severity: urgent
Assigned To: Weinan Li
QA Contact: Libor Fuka

Reported: 2013-05-14 09:56 EDT by Jimmy Wilson
Modified: 2015-08-31 23:00 EDT
Doc Type: Bug Fix
Doc Text:
Previously in JBoss Enterprise Web Server, httpd partially supported the Microsoft Windows version of the LDAP SDK. The SSL information for secure LDAP should be stored in the registry but this is not supported by httpd/apr. On Windows, a combination of LDAP and SSL did not work correctly and displayed the following error message: <screen>LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.</screen> This issue is fixed in JBoss Enterprise Web Server 2.1 and the secure LDAP information is now stored in the registry without errors as expected.
Type: Bug

Attachments
httpd error_log (8.12 KB, text/plain), 2013-10-22 08:34 EDT, Libor Fuka
access_log (417 bytes, text/plain), 2013-10-22 08:35 EDT, Libor Fuka
ldap conf (804 bytes, text/plain), 2013-10-22 08:35 EDT, Libor Fuka

External Trackers
Apache Bugzilla 54626

Description Jimmy Wilson 2013-05-14 09:56:12 EDT
Apache use of LDAP+SSL doesn't work on Windows.

There's an upstream bug report (linked).
Comment 2 Jean-frederic Clere 2013-05-14 10:57:36 EDT
This bug isn't yet fixed in 2.4.x upstream.
Additionally, it is a bit tricky to test/develop on Windows, so unless people from the ASF fix the bug we won't be able to have it in EWS 2.0.1.
Comment 5 Mandar Joshi 2013-05-29 13:02:43 EDT
Added DocText.

@Jean-Frederic Clere, can you please review the Doc Text content?
Comment 7 Weinan Li 2013-05-29 22:46:37 EDT
This issue won't be included in EWS 2.0.1 as it's already NACKed by PM
Comment 8 Misha H. Ali 2013-05-30 03:09:39 EDT
Identified by Jean-Frederic as a Known Issue. Added release note, assuming no workaround exists. Need SMEs to confirm the release note is accurate.
Comment 9 Jean-frederic Clere 2013-09-25 12:05:26 EDT
I have submitted a better patch upstream for 2.2.25. Now porting to 2.2.22.
Comment 10 Jean-frederic Clere 2013-10-14 08:13:14 EDT
The upstream patch "https://issues.apache.org/bugzilla/attachment.cgi?id=30881"
also applies to our httpd version.
Comment 11 Mladen Turk 2013-10-16 04:44:56 EDT
I have rebuilt httpd with the patch applied.
You can download binaries from
https://brewweb.devel.redhat.com/buildinfo?buildID=300050

Note that you only need to extract and copy mod_ldap.so and mod_authnz_ldap.so
over the existing EWS.

Please check if that does the trick.
Comment 12 Libor Fuka 2013-10-22 02:30:51 EDT
Is this bug ON_QA?
If so, please change the status.
Comment 13 Libor Fuka 2013-10-22 05:27:24 EDT
Are you sure, Mladen, that only the mod_ldap.so and mod_authnz_ldap.so copies from the build are enough?
The test still returns httpd status code 500 - internal server error.
Comment 14 Mladen Turk 2013-10-22 06:22:56 EDT
(In reply to Libor Fuka from comment #13)
> Are you sure Mladen, that only mod_ldap.so and mod_authnz_ldap.so copies
> from build are enough ?
> The test still returns httpd status code 500 - internal server error

The patch only touches util_ldap.c so yes, that's the only file changed by this patch. No other files are affected.
Comment 15 Libor Fuka 2013-10-22 08:34:00 EDT
OK, so the patch doesn't work.
Comment 16 Libor Fuka 2013-10-22 08:34:46 EDT
Created attachment 814970
httpd error_log
Comment 17 Libor Fuka 2013-10-22 08:35:13 EDT
Created attachment 814971
access_log
Comment 18 Libor Fuka 2013-10-22 08:35:46 EDT
Created attachment 814972
ldap conf
Comment 19 Mladen Turk 2013-10-22 09:57:29 EDT
Do you have log files without the patched mod_ldap?
Comment 20 Libor Fuka 2013-10-23 03:09:03 EDT
Yes, I have. error_log is the same.
Comment 21 Jean-frederic Clere 2013-10-23 09:11:46 EDT
[Tue Oct 22 04:39:14 2013] [info] [client 127.0.0.1] [3152] auth_ldap authenticate: user hnelson authentication failed; URI /ldap-status [LDAP: ldap_simple_bind_s() failed][Server Down]

Are you sure the ldap server is running?
Comment 22 Libor Fuka 2013-10-23 09:13:15 EDT
Sure, LDAP is running
Comment 23 Jean-frederic Clere 2013-10-23 10:16:06 EDT
You should remove the STARTTLS in the AuthLDAPURL.
Comment 24 Libor Fuka 2013-10-23 10:56:15 EDT
The result is the same without or with STARTTLS
Comment 25 Jean-frederic Clere 2013-10-23 11:40:53 EDT
Note: TLS | STARTTLS is not supported by the Windows operating system LDAP SDK; you need to use SSL or ldaps://
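
Added example (not part of the original thread and not httpd code): a small Python check that applies comment 25 to a configuration file, flagging `AuthLDAPURL` and `LDAPTrustedMode` settings that request TLS/STARTTLS and, going one step beyond the thread, LDAP URLs left with no SSL at all. The function names, sample host and DN are constructed, and the mode precedence (per-URL mode, then the `LDAPTrustedMode` default) is an assumption based on the mod_ldap documentation.

```python
import re

# Modes that comment 25 on this page reports as unsupported by the Windows LDAP SDK.
UNSUPPORTED_ON_WINDOWS = {"TLS", "STARTTLS"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample config; host name and DN are placeholders.
SAMPLE_CONF = """\
LDAPTrustedMode NONE
<Location /ldap-status>
    AuthLDAPURL "ldap://ldap.example.test/ou=People,dc=example,dc=test?uid" STARTTLS
</Location>
<Location /plain>
    AuthLDAPURL "ldap://ldap.example.test/ou=People,dc=example,dc=test?uid"
</Location>
<Location /fixed>
    AuthLDAPURL "ldaps://ldap.example.test/ou=People,dc=example,dc=test?uid" SSL
</Location>
"""

def directives(conf_text):
    """Yield (line_no, lowercased name, args) for each directive line."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":   # skip blanks, comments, section tags
            continue
        toks = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        yield no, toks[0].lower(), toks[1:]

def check_windows_ldap(conf_text):
    """Return [(line_no, code, effective_mode)] for LDAP settings that cannot
    give an encrypted bind through the Windows LDAP SDK."""
    items = list(directives(conf_text))
    global_mode = "NONE"
    for _, name, args in items:
        if name == "ldaptrustedmode" and args:
            global_mode = args[0].upper()
    findings = []
    for no, name, args in items:
        if name == "ldaptrustedmode" and args and args[0].upper() in UNSUPPORTED_ON_WINDOWS:
            findings.append((no, "unsupported-mode", args[0].upper()))
        elif name == "authldapurl" and args:
            # Assumed precedence: per-URL mode, then the LDAPTrustedMode default.
            mode = (args[1] if len(args) > 1 else global_mode).upper()
            if mode in UNSUPPORTED_ON_WINDOWS:
                findings.append((no, "unsupported-mode", mode))
            elif mode != "SSL" and not args[0].lower().startswith("ldaps://"):
                findings.append((no, "cleartext-bind", mode))
    return findings
```

Calling `check_windows_ldap(SAMPLE_CONF)` reports line 3 (STARTTLS requested) and line 6 (plain `ldap://` with no SSL mode), and passes the `ldaps://` entry.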
Comment 26 Libor Fuka 2013-10-25 07:43:11 EDT
Tested with SSL and it still doesn't work :(
Comment 28 Libor Fuka 2013-10-29 10:03:42 EDT
New build: https://brewweb.devel.redhat.com/buildinfo?buildID=302150
Comment 29 Libor Fuka 2013-10-30 02:52:00 EDT
VERIFIED build from #28 (mod_ldap.so, mod_authnz_ldap.so) on MS Windows 2008 32-bit, MS Windows 2008 64-bit, MS Windows 2008R2 64-bit.
No regressions found.
Comment 30 Mandar Joshi 2014-08-08 08:14:26 EDT
Changed Doc type to Bug Fix.
Updated Doc Text.
