https://issues.apache.org/bugzilla/show_bug.cgi?id=48505
charlie <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #11 from charlie <[email protected]> 2010-01-22 14:49:11 UTC ---

OK, I'm going to document this exhaustively. Please bear with me.

MY PLATFORM:

I am using the mod_authnz_ldap that ships with Red Hat Enterprise Linux v5.4, as part of their httpd-2.2.3-31.el5_4.2 package. The problem I am seeing is consistent with the hundreds of similar problems easily found with Google from various releases and builds of Apache 2.2 with the ASF LDAP auth modules. My underlying libraries are OpenLDAP and I have turned debugging up to the point of crippling the server, which allows me to see exactly what Apache is doing and why so many people are whining and complaining.

THE ISSUE:

The problem appears to be in the AuthLDAPURL directive, which is not compliant with RFC2255 (the current relevant RFCs are 4516 and 4510) as documented, because the RFCs do not specify host failover syntax as far as I can determine. I have searched extensively, and while there is a "de facto standard" for failover specification used by nearly all LDAP capable software (except Apache) I could not find any RFC that explicitly addressed failover host specification syntax. Embedding multiple host names the way Apache does in the midst of an otherwise RFC compliant string breaks compliancy.

If Apache uses the de facto standard as used by IBM, HP, OpenLDAP, and PADL, there will be no more problems - the underlying libraries will be able to do whatever they are capable of doing instead of being restricted by Apache's ability to parse, and all the things people are trying to do will work. If Apache continues to use the current syntax, users must make a choice of either efficiency or security - they cannot have both in a failover configuration.
APACHE DOCS:

From the apache module itself (viewed via mod_info.c) the spec is described as:

    ldap://host[:port]/basedn[?attrib[?scope[?filter]]]

The module doc additionally states: "Host is the name of the LDAP server. Use a space separated list of hosts to specify redundant servers"

A second parameter of "LDAP connection mode" is allowed with permitted values of NONE, SSL, or TLS/STARTTLS.

WHY THIS IS SUCH A PROBLEM:

LDAP lookups frequently contain passwords, and ldap services frequently use dissimilar schema. In real world LDAP deployments, system architects usually want to encrypt ldap lookups across networks for security, but do not wish to incur encryption overhead on ldap lookups using local secure channels (such as the loopback interface or named pipes or a separate network, depending on OS capabilities and site setup). Less commonly, sites that have dual LDAP backends (typically OpenLDAP and Active Directory) may present a single replicated data set using different attributes and thus may require different filter or port specifications for different hosts specified as failovers. AuthLDAPURL's syntax prevents this by forcing a single set of parameters across hosts, which is not required by the underlying libraries.

EXAMPLES:

This is a commonly used LDAP failover configuration in PADL's pam_ldap and nss_ldap configurations (on Red Hat, both are in /etc/ldap.conf):

    uri ldap://127.0.0.1:389/ ldaps://remotehost.example.com:636/

Note how the local loopback has no encryption, but the failover host is forced into an SSL tunnel.

Here's another, with a named pipe:

    uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator

Here's one for a machine that runs scalix, note the weird port:

    uri ldapi://%2fvar%2frun%2fldapi_sock/ ldap://127.0.0.1:9009/ ldaps://failoverhost.example.com/

These are (host obscured) real-world examples from running machines using PADL's pam_ldap to access OpenLDAP's client libraries.
NONE of these configurations can be achieved with the Apache module's AuthLDAPURL syntax using the same libraries. The limitation is not in the libraries, it's in the AuthLDAPURL syntax.

RECOMMENDED SOLUTION:

In order to avoid breaking current applications that are using any of the "hacks" found on the net, implement a new parameter AuthLDAPURI (note uri rather than url, this is consistent with LDAP v3 nomenclature as per RFC) which behaves exactly like OpenLDAP & PADL syntax. This syntax allows all the various combinations that users want and is completely compliant with both RFC2255 (historical) and RFC4516 (current) as well as LDAPS and STARTTLS.

    AuthLDAPURI ldap[s]://host[:port]/basedn[?attrib[?scope[?filter]]]

"Use a space separated list of URIs to specify redundant servers"

CONCLUSION:

I hope this clears up the confusion about the problems users are encountering in the wild. Google currently shows 23,100 hits when searching "ldap failover in apache 2.2", and they all seem to be complaints. There are clearly hundreds of sites struggling to find a solution to their misunderstanding of the Apache 2.2 LDAP limitations. These limitations are not present in the underlying libraries.
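The following is an added illustration, not code from the bug report, from mod_authnz_ldap or from OpenLDAP. It parses a PADL/OpenLDAP-style space-separated list of RFC 4516 URIs (the form the comment proposes for AuthLDAPURI) and applies two checks that follow from the comment's argument: which entries would send a bind, and therefore a password, across a network in the clear, and whether a given list could be expressed at all under the single-connection-mode AuthLDAPURL grammar quoted above. The set of "local" hosts, the treatment of plain ldap:// as cleartext (a separate STARTTLS setting is not visible in the URI itself), and the decision not to compare ports in the AuthLDAPURL check are assumptions made here, not statements from the page.

```python
"""Parse space-separated RFC 4516 LDAP URI lists (PADL/OpenLDAP 'uri' style)
and check encryption and AuthLDAPURL-representability per entry.
Constructed example; not part of mod_authnz_ldap or OpenLDAP."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Addresses reached without leaving the machine (assumed list; extend per site).
LOCAL_HOSTS = {"127.0.0.1", "::1", "[::1]", "localhost"}


@dataclass
class LdapUri:
    scheme: str                 # ldap, ldaps or ldapi
    host: str                   # hostname/IP, or decoded socket path for ldapi
    port: Optional[int]         # None for ldapi (no TCP endpoint)
    base_dn: str
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"         # RFC 4516 default when the field is omitted
    search_filter: str = "(objectClass=*)"


def parse_ldap_uri(uri: str) -> LdapUri:
    """Split one scheme://authority/dn[?attrs[?scope[?filter]]] URI."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"unsupported LDAP URI: {uri!r}")
    authority, _, path = rest.partition("/")
    parts = path.split("?")
    base_dn = unquote(parts[0])
    attrs = [a for a in parts[1].split(",") if a] if len(parts) > 1 else []
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    if scheme == "ldapi":
        # ldapi:// carries a percent-encoded Unix socket path, not host:port.
        return LdapUri(scheme, unquote(authority), None, base_dn, attrs, scope, filt)
    if authority.endswith("]") or ":" not in authority:
        host, port = authority, DEFAULT_PORTS[scheme]   # bracketed IPv6 or no port
    else:
        host, _, port_text = authority.rpartition(":")
        port = int(port_text)
    return LdapUri(scheme, host, port, base_dn, attrs, scope, filt)


def parse_uri_list(value: str) -> List[LdapUri]:
    """A 'uri' line lists failover servers separated by whitespace."""
    return [parse_ldap_uri(u) for u in value.split()]


def cleartext_remote_uris(value: str) -> List[str]:
    """Entries whose binds would cross a network unencrypted: plain ldap://
    to anything other than a local address (STARTTLS is not expressed in the URI)."""
    return [f"{u.scheme}://{u.host}:{u.port}"
            for u in parse_uri_list(value)
            if u.scheme == "ldap" and u.host not in LOCAL_HOSTS]


def representable_as_authldapurl(value: str) -> bool:
    """AuthLDAPURL, as described in the comment, applies one connection mode and
    one basedn/attrib/scope/filter to every host.  A URI list fits that shape only
    when all entries agree on those fields; ports are deliberately not compared."""
    uris = parse_uri_list(value)
    if any(u.scheme == "ldapi" for u in uris):
        return False   # the quoted AuthLDAPURL grammar has no socket-path form
    shapes = {(u.scheme, u.base_dn, tuple(u.attributes), u.scope, u.search_filter)
              for u in uris}
    return len(shapes) == 1


if __name__ == "__main__":
    # The three configurations quoted in the comment, hosts as given there.
    for line in ("ldap://127.0.0.1:389/ ldaps://remotehost.example.com:636/",
                 "ldapi://%2fvar%2frun%2fldapi_sock/",
                 "ldapi://%2fvar%2frun%2fldapi_sock/ ldap://127.0.0.1:9009/ "
                 "ldaps://failoverhost.example.com/"):
        print(line)
        print("  cleartext over network:", cleartext_remote_uris(line) or "none")
        print("  fits AuthLDAPURL shape: ", representable_as_authldapurl(line))
```

Run against the comment's own examples, none of the three lists sends credentials across a network in the clear, and none of them can be written as a single AuthLDAPURL, which is the comment's point in executable form. The same `cleartext_remote_uris` check is worth running over any proposed failover list before deployment, since a single unencrypted remote entry exposes the bind password to the network whenever the preferred server is down.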
