From:             lavalamp at spiritual-machines dot org
Operating system: FreeBSD / NetBSD / OpenBSD ?
PHP version:      5.0.4
PHP Bug Type:     LDAP related
Bug description:  FreeBSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls[_s]()

Description:
------------
For whatever reason, the php4 and php5 from FreeBSD ports refuses to
properly configure SSL/TLS support for the LDAP module.

This breaks the TLS/SSL functionality in net/phpldapadmin and
sysutils/ldap-account-manager (CC'ing maintainers)

I've got two current i386/RELENG_5_3 boxes.  Both with Apache
apache-2.0.54_2 and openldap-client-2.2.27.

The ldap client binaries are linked to SSL fine and can talk both ldaps://
and Start_TLS over ldap://.  That's out of the question.

One with php4-4.4.0, one with php5-5.0.3_2 (see below).  Both have the
LDAP and SSL php extension modules installed:

$ egrep -i "ldap|ssl" /usr/local/etc/php/extensions.ini
extension=openssl.so
extension=ldap.so

# ldd /usr/local/lib/php/20020429/ldap.so
/usr/local/lib/php/20020429/ldap.so:
        libldap-2.2.so.7 => /usr/local/lib/libldap-2.2.so.7 (0x28174000)
        liblber-2.2.so.7 => /usr/local/lib/liblber-2.2.so.7 (0x281a7000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x281b4000)
        libssl.so.3 => /usr/lib/libssl.so.3 (0x282c8000)

The php5 box is as well:

$ ldd /usr/local/lib/php/20041030/ldap.so
/usr/local/lib/php/20041030/ldap.so:
        libldap-2.2.so.7 => /usr/local/lib/libldap-2.2.so.7 (0x28173000)
        liblber-2.2.so.7 => /usr/local/lib/liblber-2.2.so.7 (0x281a6000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x281b3000)
        libssl.so.3 => /usr/lib/libssl.so.3 (0x282c7000)

The problem is that ldap_start_tls() is an unregistered/invalid function.
When I run the functions.php at
http://www.sitepoint.com/article/php-command-line-2
ldap_start_tls() isn't listed on either machine (see below).

# pkg_info |grep -i php
libmcrypt-2.5.7_1   Multi-cipher cryptographic library (used in PHP)
pear-XML_RPC-1.4.0  PHP implementation of the XML-RPC protocol
php4-4.4.0          PHP Scripting Language (Apache Module and CLI)
php4-ctype-4.4.0    The ctype shared extension for php
php4-dba-4.4.0      The dba shared extension for php
php4-extensions-1.0 A "meta-port" to install PHP extensions
php4-gettext-4.4.0  The gettext shared extension for php
php4-ldap-4.4.0     The ldap shared extension for php
php4-mcrypt-4.4.0   The mcrypt shared extension for php
php4-mysql-4.4.0    The mysql shared extension for php
php4-openssl-4.4.0  The openssl shared extension for php
php4-overload-4.4.0 The overload shared extension for php
php4-pcre-4.4.0     The pcre shared extension for php
php4-pear-4.4.0     PEAR framework for PHP
php4-pgsql-4.4.0    The pgsql shared extension for php
php4-posix-4.4.0    The posix shared extension for php
php4-session-4.4.0  The session shared extension for php
php4-tokenizer-4.4.0 The tokenizer shared extension for php
php4-xml-4.4.0      The xml shared extension for php
php4-zlib-4.4.0     The zlib shared extension for php
phpldapadmin-0.9.7.a6,1 A set of PHP-scripts to administer LDAP servers

$ pkg_info |grep -i php5
php5-5.0.4_1        PHP Scripting Language (Apache Module and CLI)
php5-bz2-5.0.3_2    The bz2 shared extension for php
php5-calendar-5.0.3_2 The calendar shared extension for php
php5-ctype-5.0.3_2  The ctype shared extension for php
php5-curl-5.0.4_2   The curl shared extension for php
php5-dom-5.0.3_2    The dom shared extension for php
php5-exif-5.0.3_2   The exif shared extension for php
php5-extensions-1.0 A "meta-port" to install PHP extensions
php5-ftp-5.0.3_2    The ftp shared extension for php
php5-gd-5.0.3_2     The gd shared extension for php
php5-gettext-5.0.3_2 The gettext shared extension for php
php5-iconv-5.0.3_2  The iconv shared extension for php
php5-imap-5.0.3_2   The imap shared extension for php
php5-ldap-5.0.4_2   The ldap shared extension for php
php5-mcrypt-5.0.3_2 The mcrypt shared extension for php
php5-mhash-5.0.3_2  The mhash shared extension for php
php5-mysql-5.0.3_2  The mysql shared extension for php
php5-odbc-5.0.4_2   The odbc shared extension for php
php5-openssl-5.0.3_2 The openssl shared extension for php
php5-pcre-5.0.3_2   The pcre shared extension for php
php5-pear-5.0.3_2   PEAR framework for PHP
php5-pgsql-5.0.3_2  The pgsql shared extension for php
php5-posix-5.0.3_2  The posix shared extension for php
php5-session-5.0.3_2 The session shared extension for php
php5-simplexml-5.0.3_2 The simplexml shared extension for php
php5-soap-5.0.3_2   The soap shared extension for php
php5-sqlite-5.0.3_2 The sqlite shared extension for php
php5-sysvmsg-5.0.3_2 The sysvmsg shared extension for php
php5-sysvsem-5.0.3_2 The sysvsem shared extension for php
php5-sysvshm-5.0.3_2 The sysvshm shared extension for php
php5-tokenizer-5.0.3_2 The tokenizer shared extension for php
php5-xml-5.0.3_2    The xml shared extension for php
php5-zlib-5.0.3_2   The zlib shared extension for php


php4box# php public_html/functions.php -e ldap
ldap_connect
ldap_close
ldap_bind
ldap_unbind
ldap_read
ldap_list
ldap_search
ldap_free_result
ldap_count_entries
ldap_first_entry
ldap_next_entry
ldap_get_entries
ldap_first_attribute
ldap_next_attribute
ldap_get_attributes
ldap_get_values
ldap_get_values_len
ldap_get_dn
ldap_explode_dn
ldap_dn2ufn
ldap_add
ldap_delete
ldap_modify
ldap_mod_add
ldap_mod_replace
ldap_mod_del
ldap_errno
ldap_err2str
ldap_error
ldap_compare
ldap_sort
ldap_rename
ldap_get_option
ldap_set_option
ldap_first_reference
ldap_next_reference
ldap_set_rebind_proc

php5 box$ php functions.php -e ldap
ldap_connect
ldap_close
ldap_bind
ldap_unbind
ldap_read
ldap_list
ldap_search
ldap_free_result
ldap_count_entries
ldap_first_entry
ldap_next_entry
ldap_get_entries
ldap_first_attribute
ldap_next_attribute
ldap_get_attributes
ldap_get_values
ldap_get_values_len
ldap_get_dn
ldap_explode_dn
ldap_dn2ufn
ldap_add
ldap_delete
ldap_modify
ldap_mod_add
ldap_mod_replace
ldap_mod_del
ldap_errno
ldap_err2str
ldap_error
ldap_compare
ldap_sort
ldap_get_option
ldap_set_option
ldap_parse_result
ldap_first_reference
ldap_next_reference
ldap_rename
ldap_set_rebind_proc


Reproduce code:
---------------
I traced it down:

in /usr/ports/net/php5-ldap/work/php-5.0.4/ext/ldap/configure ->
conftest -> ldap_start_tls_s();
ldap_start_tls_s return false -> ac_cv_func_ldap_start_tls_s=no in config.log
config.log -> ldap.h -> #undef HAVE_LDAP_START_TLS_S
config.c -> HAVE_LDAP_START_TLS_S -> PHP_FE(ldap_start_tls, NULL)

...therefore ldap_start_tls isn't registered.  The question is why the
conftest.c in GNU autoconf is failing with:

configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'

...Which is odd since:

php4$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches
Binary file lib/pam_ldap.so matches

php4$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function.  */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */

$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

and...

php5$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches

php5$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function.  */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */

$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

..from 'make configure' in ports/net/php5-ldap/

checking for LDAP support... yes, shared
checking for LDAP Cyrus SASL support... no
checking for 3 arg ldap_set_rebind_proc... yes
checking for ldap_parse_reference... no
checking for ldap_start_tls_s... no
checking for ldap_bind_s... yes

...from config.log:

configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
configure: failed program was:

Expected result:
----------------
...

Actual result:
--------------
I don't dabble in GNU Autoconf, and I recommend everyone else do the same,
but if someone actually wants to fix the autoconf aspect of this so that a
patch on the Free/NetBSD side isn't required forever, then godspeed.

My temporary solution is:

1) cd /usr/{ports,pkgsrc}/{net/php5-ldap,databases/php-ldap} on
{Free,Net}BSD respectively

2) sudo make configure

3) sudo vim

On FreeBSD
work/php-5.0.4/ext/ldap/config.h or..
work/php-4.4.0/ext/ldap/config.h

on NetBSD:
work/php-5.0.4/ext/ldap/config.h

4) Change:
/* Define to 1 if you have the `ldap_start_tls_s' function. */
/* #undef HAVE_LDAP_START_TLS_S */

   To:

#define HAVE_LDAP_START_TLS_S 1

5) sudo make install

6) carry on pretending that your employee data is secure

$ cat ~/public_html/testtls.php
<?

if (function_exists('ldap_start_tls'))
               echo "I see it!\n";

?>

[0] [EMAIL PROTECTED]:/$ php ~/public_html/testtls.php
I see it!

7) ...sit around on your day off and try to determine how the following
piece of code from configure.sh was [ever] supposed to determine if
ldap_start_tls_s() was a valid function w/o including arguments
-I/usr/local/include, -L/usr/local/lib to gcc(1) or #including ldap.h or
lber.h, and wonder who is responsible >:}

*cough*

http://chora.php.net/diff.php/php-src/ext/ldap/config.m4?php=3c934ff67902f7c5ce419c901b82c77e&r1=1.23&r2=1.24&ty=h&num=10

*cough* ... 8-) ...I dunno, maybe it "just works(r)" on Linux >:}



-- 
Edit bug report at http://bugs.php.net/?id=34361&edit=1
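
The condition traced in this report (libldap exports ldap_start_tls_s, the configure probe fails at link time, and the extension is built with HAVE_LDAP_START_TLS_S undefined) can be checked mechanically from the build artefacts. The script below is an added example, not part of the original report or of PHP's build system; its function names are its own, and the sample inputs are constructed from lines quoted in the report.

```shell
#!/bin/sh
# Added example (not from the report): audit build artefacts for the
# "StartTLS silently compiled out" condition. Function names are this
# example's own; sample inputs are constructed from lines quoted above.

# configure's verdict for the ldap_start_tls_s probe: yes, no or unknown.
probe_result() {
    r=$(printf '%s\n' "$1" |
        sed -n 's/^checking for ldap_start_tls_s\.\.\. *\([a-z][a-z]*\).*/\1/p' |
        head -n 1)
    printf '%s\n' "${r:-unknown}"
}

# "yes" when config.log shows the probe died at link time (symbol not
# resolved), which says nothing about whether libldap really lacks it.
link_failure() {
    if printf '%s\n' "$1" | grep -q 'undefined reference to .ldap_start_tls_s'; then
        echo yes
    else
        echo no
    fi
}

# "defined" only for a live #define; a commented-out #undef does not count.
header_state() {
    if printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_LDAP_START_TLS_S([[:space:]]|$)'
    then
        echo defined
    else
        echo undefined
    fi
}

# "yes" when nm lists ldap_start_tls_s as an exported text (T) symbol.
lib_exports() {
    if printf '%s\n' "$1" |
        grep -Eq '[[:space:]]T[[:space:]]+ldap_start_tls_s[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# Combine header and library evidence into one verdict.
#   $1 = php_config.h (or ext/ldap/config.h) text, $2 = `nm libldap` text
audit_build() {
    if [ "$(lib_exports "$2")" = no ]; then
        echo library-lacks-starttls
    elif [ "$(header_state "$1")" = defined ]; then
        echo ok
    else
        # Library has the symbol but PHP was built without it:
        # ldap_start_tls() is not registered and binds cannot be upgraded.
        echo mismatch
    fi
}

# Constructed samples, copied from output quoted in the report.
SAMPLE_CONFIGURE='checking for ldap_parse_reference... no
checking for ldap_start_tls_s... no
checking for ldap_bind_s... yes'

SAMPLE_LOG=$(cat <<'EOF'
configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
EOF
)

SAMPLE_HEADER='/* Define if you have the ldap_start_tls_s function.  */
/* #undef HAVE_LDAP_START_TLS_S */'

SAMPLE_HEADER_FIXED='/* Define to 1 if you have the ldap_start_tls_s function. */
#define HAVE_LDAP_START_TLS_S 1'

SAMPLE_NM='0002b770 T ldap_start_tls_s'

echo "configure probe : $(probe_result "$SAMPLE_CONFIGURE")"
echo "link failure    : $(link_failure "$SAMPLE_LOG")"
echo "as built        : $(audit_build "$SAMPLE_HEADER" "$SAMPLE_NM")"
echo "after workaround: $(audit_build "$SAMPLE_HEADER_FIXED" "$SAMPLE_NM")"
```

On a real host, pass the file contents instead of the samples, for example `audit_build "$(cat include/php/main/php_config.h)" "$(nm lib/libldap-2.2.so.7)"` with the paths used in the report.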