Over the last couple of weeks one of our Novell LDAP SDK engineers took a look at mod_auth_ldap to try to standardize it across various SDKs, especially with regard to SSL. I believe that these changes will simplify configuring SSL for mod_auth_ldap and also isolate the SSL functionality to mod_ldap rather than spreading it across both modules. As a result we are proposing the following changes to mod_auth_ldap and mod_ldap.
- Added LDAP SSL support for the Novell LDAP SDK
- Fixed memory leaks in mod_ldap
- Added a support framework (using #defines) for multiple vendor LDAP
SDKs. The framework currently supports the SDKs from Novell, Netscape,
OpenLDAP, and Microsoft. (Spent significant time testing compiling and
running with the various SDKs on Win32. However, ran into problems with
Microsoft's SDK. It GPFs when doing an ldap_set_option.)
- Removed all SSL & vendor LDAP SDK dependencies from mod_auth_ldap.
The vendor SDK dependencies are all grouped in mod_ldap.
- Removed the AuthLDAPStartTLS directive from mod_auth_ldap. The
AuthLDAPUrl directive is used to specify clear (ldap://) or SSL
(ldaps://) connections.
- Removed LDAPCertDBPath directive from mod_ldap. Replaced by the
following:
- Added new generic SSL directives to mod_ldap:
    LDAPTrustedCA - specifies the Trusted Certificate Authority
    used for SSL server cert verification.
    LDAPTrustedCAType - specifies the certificate authority type
    (DER_FILE, BASE64_FILE, CERT7_DB_PATH). The SDKs require different
    types.
  These two directives are used together to support the different SDKs.
- Since mod_ldap is the LDAP connection manager, it always loads with or
without SSL connection support. It logs the status of SSL support in
the log file. The modules which use mod_ldap (i.e. mod_auth_ldap)
decide what type of connections to request (clear / SSL) and what to do
if SSL connections are not available. mod_auth_ldap currently fails
the authentication request if the URL specifies ldaps:// and SSL
connections are not supported by mod_ldap.
Through our testing we have run across two outstanding issues, one of
which I have already mentioned:
- Microsoft's LDAP SDK GPFs when doing an ldap_set_option.
- If caching is disabled in mod_ldap (cache values all set to -1), the
code faults. The current design appears to have problems when run with
all caching turned off.
I would like to commit these changes to the 2.1 tree as soon as
possible and also back-port them to the 2.0 tree if acceptable.
Brad
Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com
Attachments:
util_ldap.h.patch
util_ldap.c.patch
mod_auth_ldap.c.patch
apr_ldap.h.in.patch
apr_ldap.hnw.patch
apr_ldap.hw.patch
