Re: configuring apr-util --with-ldap against idsldap (aka tivoli)

2014-02-20 Thread Michael Felt
Thank you all very much! I'll try and actually do what you are saying later :)


On Tue, Feb 18, 2014 at 9:52 PM, Eric Covener cove...@gmail.com wrote:

 For when we revisit, or maybe for Michael -- In APU, the immediate
 problem with SSL is that apr_ldap_ssl_init happens before the
 certificate options are set.  The underlying Tivoli toolkit wants info
 about the global_certs passed into that call.

 autoconf for basic stuff, not really used because we bake it into
 httpd below: http://people.apache.org/~covener/patches/apuldap-itds1.diff
 replacement we use instead of apr_ldap_ssl_init for tivoli:
 http://people.apache.org/~covener/patches/tivoli_ssl_init.txt

 On Tue, Feb 18, 2014 at 3:42 PM, Graham Leggett minf...@sharp.fm wrote:
  On 18 Feb 2014, at 10:35 PM, Eric Covener cove...@gmail.com wrote:
 
  I (IBM) have some patches in this area that didn't make it to APR or
 HTTPD :(
 
  Unfortunately Tivoli SSL initialization doesn't fit into how APU
  initializes SSL and we are currently using hacks in both APU and
  HTTPD.
 
  I am about half way through the APR v2.0 replacement of the API. Not
 only is the init really tricky, with every toolkit out there having a
 unique variation, but the bind has a bunch of variation too. Then there is
 the passing of binary objects which has toolkit specific definitions of
 lengths. It has made coming up with an API quite a challenge.
 
  My current biggest challenge is a pile of work I have that needs doing,
 so can't look at it now alas.
 
  Regards,
  Graham
  --
 



 --
 Eric Covener
 cove...@gmail.com



configuring apr-util --with-ldap against idsldap (aka tivoli)

2014-02-18 Thread Michael Felt
After running the idslink -l 32 (will look at 64 bit later, one thing at a
time) and adding symbolic links in /usr/include to the version currently
installed ./configure does complete, and says that ldap support is enabled
- HOWEVER - I expect it is not going to support ldaps because configure is
only checking for ldap_sslinit() and not for ldap_ssl_init() which is what
is in the idsldap library:

root@x093:[/opt/IBM/ldap/V6.1/lib]nm /opt/IBM/ldap/V6.1/lib/libibmldap.a | grep ldap_ | grep init
.ldap_create_password_policy_bind_init_request T  261032
.ldap_init                        T     884
.ldap_init_all_global_mutex       T   53576
.ldap_init_all_mutex_once         T   53200
.ldap_init_iconv                  T   41260
.ldap_krb_init_tkt                T  271232
.ldap_lc_init                     T      48
.ldap_msg_table_init              T    4888
.ldap_msginit                     T   21052
.ldap_ssl_client_init             T  249848
.ldap_ssl_environment_init        T  249824
.ldap_ssl_init                    T  249872
.ldap_ssl_pkcs11_client_init      T  249728
.ldap_ssl_pkcs11_environment_init T  249752
/project/aus61ldap/build/aus61ldapsb/src/libraries/libldap/ldap_init.c f       -
ldap_create_password_policy_bind_init_request D   58384  12
ldap_init                         D   53752  12
ldap_init_all_global_mutex        D   57556  12
ldap_init_all_mutex_once          D   53620  12
ldap_init_all_mutex_once          d   60292   4
ldap_init_iconv                   D   58552  12
ldap_krb_init_tkt                 D   60148  12
ldap_lc_init                      D   53608  12
ldap_msg_table_init               D   53812  12
ldap_msginit                      D   54316  12
ldap_ssl_client_init              D   57268  12
ldap_ssl_environment_init         D   57256  12
ldap_ssl_init                     D   57280  12
ldap_ssl_pkcs11_client_init       D   57208  12
ldap_ssl_pkcs11_environment_init  D   57220  12

Just thought I would list any routine in the library that has init in the
name.

1) Am I correct in assuming that ldap connectivity over ssl is not going
to be recognized?

See include/apr_ldap.h created... attachment

Thank you for your consideration.
/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * apr_ldap.h is generated from apr_ldap.h.in by configure -- do not edit apr_ldap.h
 */
/**
 * @file apr_ldap.h
 * @brief  APR-UTIL LDAP 
 */
#ifndef APU_LDAP_H
#define APU_LDAP_H

/**
 * @defgroup APR_Util_LDAP LDAP
 * @ingroup APR_Util
 * @{
 */

/* this will be defined if LDAP support was compiled into apr-util */
#define APR_HAS_LDAP		  1

/* identify the LDAP toolkit used */
#define APR_HAS_NETSCAPE_LDAPSDK  0
#define APR_HAS_SOLARIS_LDAPSDK   0
#define APR_HAS_NOVELL_LDAPSDK    0
#define APR_HAS_MOZILLA_LDAPSDK   0
#define APR_HAS_OPENLDAP_LDAPSDK  0
#define APR_HAS_MICROSOFT_LDAPSDK 0
#define APR_HAS_TIVOLI_LDAPSDK    1
#define APR_HAS_ZOS_LDAPSDK   0
#define APR_HAS_OTHER_LDAPSDK 0


/*
 * Handle the case when LDAP is enabled
 */
#if APR_HAS_LDAP

/*
 * The following #defines are DEPRECATED and should not be used for
 * anything. They remain to maintain binary compatibility.
 * The original code defined the OPENLDAP SDK as present regardless
 * of what really was there, which was way bogus. In addition, the
 * apr_ldap_url_parse*() functions have been rewritten specifically for
 * APR, so the APR_HAS_LDAP_URL_PARSE macro is forced to zero.
 */
#if APR_HAS_TIVOLI_LDAPSDK
#define APR_HAS_LDAP_SSL 0
#else
#define APR_HAS_LDAP_SSL 1
#endif
#define APR_HAS_LDAP_URL_PARSE  0

#if APR_HAS_OPENLDAP_LDAPSDK && !defined(LDAP_DEPRECATED)
/* Ensure that the deprecated interfaces are still exposed
 * with OpenLDAP >= 2.3; these were exposed by default in earlier
 * releases. */
#define LDAP_DEPRECATED 1
#endif

/*
 * Include the standard LDAP header files.
 */

#include <lber.h>
#include <ldap.h>



/*
 * Detected standard functions
 */
#define APR_HAS_LDAPSSL_CLIENT_INIT 0
#define APR_HAS_LDAPSSL_CLIENT_DEINIT 0
#define APR_HAS_LDAPSSL_ADD_TRUSTED_CERT 0
#define APR_HAS_LDAP_START_TLS_S 0
#define APR_HAS_LDAP_SSLINIT 0
#define APR_HAS_LDAPSSL_INIT 0
#define APR_HAS_LDAPSSL_INSTALL_ROUTINES 0

/*
 * Make sure the secure LDAP port is defined
 */
#ifndef LDAPS_PORT
#define LDAPS_PORT 636  /* ldaps:/// 
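
To answer the question above from the symbol table rather than by inspection, here is an added example (my own code, not from this thread or from apr-util): it reads an nm listing, counts the SSL-initialisation entry points the archive exports, and reports how many of the function names apr-util's configure probes for are actually present. The probe list is taken from the APR_HAS_* "detected standard functions" macros in the attached apr_ldap.h read as function names (ldapssl_client_init, ldapssl_client_deinit, ldapssl_add_trusted_cert, ldap_start_tls_s, ldap_sslinit, ldapssl_init, ldapssl_install_routines), which is my reading of what configure checks. The embedded listing is constructed from the nm output quoted in the message; only the code-symbol (T) lines are counted as entry points so a function is not counted twice via its descriptor (D) entry.

```c
/* Added example, not code from the thread or from apr-util: audit an nm
 * listing of an LDAP toolkit archive for SSL-initialisation entry points and
 * compare them with the function names apr-util's configure probes for.
 * The probe names come from the APR_HAS_* macros in the attached apr_ldap.h,
 * read as function names (an assumption about configure's checks). */
#include <stdio.h>
#include <string.h>

/* Function names apr-util's configure looks for, one per APR_HAS_* macro. */
static const char *const apu_probed[] = {
    "ldapssl_client_init", "ldapssl_client_deinit", "ldapssl_add_trusted_cert",
    "ldap_start_tls_s", "ldap_sslinit", "ldapssl_init",
    "ldapssl_install_routines",
};
#define N_PROBED (sizeof apu_probed / sizeof apu_probed[0])

/* Constructed sample: SSL-related lines copied from the nm run quoted in the
 * message (AIX nm: ".name T" is the code symbol, "name D" its descriptor). */
static const char sample_nm[] =
    ".ldap_init   T 884\n"
    ".ldap_ssl_client_init T  249848\n"
    ".ldap_ssl_environment_init T  249824\n"
    ".ldap_ssl_init   T  249872\n"
    ".ldap_ssl_pkcs11_client_init T  249728\n"
    ".ldap_ssl_pkcs11_environment_init T  249752\n"
    "/project/aus61ldap/build/aus61ldapsb/src/libraries/libldap/ldap_init.c f -\n"
    "ldap_ssl_init D   57280  12\n";

typedef void (*sym_cb)(const char *name, char type, void *ctx);

/* Parse one nm line into (name, type); strips the AIX '.' code prefix. */
static int parse_nm_line(const char *line, char *name, size_t namesz, char *type)
{
    char tok[256];
    if (sscanf(line, "%255s %c", tok, type) != 2)
        return 0;
    const char *p = (tok[0] == '.') ? tok + 1 : tok;
    if (strlen(p) >= namesz)
        return 0;
    strcpy(name, p);
    return 1;
}

/* Walk the listing line by line and hand every parsed symbol to cb. */
static void for_each_symbol(const char *text, sym_cb cb, void *ctx)
{
    char line[512], name[256], type;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            if (parse_nm_line(line, name, sizeof name, &type))
                cb(name, type, ctx);
        }
        text += nl ? len + 1 : len;
    }
}

static void count_ssl_init_cb(const char *name, char type, void *ctx)
{
    /* Code symbols only, so a function is not counted twice via its descriptor. */
    if (type == 'T' && strstr(name, "ssl") && strstr(name, "init"))
        ++*(int *)ctx;
}

/* Number of SSL-initialisation functions the archive exports. */
int ssl_init_exported(const char *nm_text)
{
    int n = 0;
    for_each_symbol(nm_text, count_ssl_init_cb, &n);
    return n;
}

static void probe_mask_cb(const char *name, char type, void *ctx)
{
    (void)type;   /* code or descriptor entry: either proves the function exists */
    for (size_t i = 0; i < N_PROBED; i++)
        if (strcmp(name, apu_probed[i]) == 0)
            *(unsigned *)ctx |= 1u << i;
}

/* How many of configure's probe names the archive satisfies; 0 means the
 * generated apr_ldap.h carries 0 for every detected-function macro. */
int apu_probe_hits(const char *nm_text)
{
    unsigned mask = 0;
    for_each_symbol(nm_text, probe_mask_cb, &mask);
    int hits = 0;
    for (; mask; mask &= mask - 1)
        hits++;
    return hits;
}

int main(void)
{
    printf("SSL init entry points exported: %d\n", ssl_init_exported(sample_nm));
    printf("configure probe names present:  %d of %u\n",
           apu_probe_hits(sample_nm), (unsigned)N_PROBED);
    if (apu_probe_hits(sample_nm) == 0)
        puts("-> apr-util would be built without LDAP SSL for this toolkit");
    return 0;
}
```

On the quoted listing the toolkit exports five SSL init functions, none of which carries a name configure probes for, which is exactly the mismatch Michael suspected: the build reports LDAP support while every SSL-detection macro stays 0. Pipe a real `nm` run into the same functions to repeat the check against another toolkit.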

Re: configuring apr-util --with-ldap against idsldap (aka tivoli)

2014-02-18 Thread Michael Felt
maybe I also need to add --with-crypto (warning message when building
httpd) for SSL/EVP, but would appreciate verification.


On Tue, Feb 18, 2014 at 8:46 PM, Michael Felt mamf...@gmail.com wrote:

 After running the idslink -l 32 (will look at 64 bit later, one thing at a
 time) and adding symbolic links in /usr/include to the version currently
 installed ./configure does complete, and says that ldap support is enabled
 - HOWEVER - I expect it is not going to support ldaps because configure is
 only checking for ldap_sslinit() and not for ldap_ssl_init() which is what
 is in the idsldap library:

 root@x093:[/opt/IBM/ldap/V6.1/lib]nm /opt/IBM/ldap/V6.1/lib/libibmldap.a | grep ldap_ | grep init
 .ldap_create_password_policy_bind_init_request T  261032
 .ldap_init                        T     884
 .ldap_init_all_global_mutex       T   53576
 .ldap_init_all_mutex_once         T   53200
 .ldap_init_iconv                  T   41260
 .ldap_krb_init_tkt                T  271232
 .ldap_lc_init                     T      48
 .ldap_msg_table_init              T    4888
 .ldap_msginit                     T   21052
 .ldap_ssl_client_init             T  249848
 .ldap_ssl_environment_init        T  249824
 .ldap_ssl_init                    T  249872
 .ldap_ssl_pkcs11_client_init      T  249728
 .ldap_ssl_pkcs11_environment_init T  249752
 /project/aus61ldap/build/aus61ldapsb/src/libraries/libldap/ldap_init.c f       -
 ldap_create_password_policy_bind_init_request D   58384  12
 ldap_init                         D   53752  12
 ldap_init_all_global_mutex        D   57556  12
 ldap_init_all_mutex_once          D   53620  12
 ldap_init_all_mutex_once          d   60292   4
 ldap_init_iconv                   D   58552  12
 ldap_krb_init_tkt                 D   60148  12
 ldap_lc_init                      D   53608  12
 ldap_msg_table_init               D   53812  12
 ldap_msginit                      D   54316  12
 ldap_ssl_client_init              D   57268  12
 ldap_ssl_environment_init         D   57256  12
 ldap_ssl_init                     D   57280  12
 ldap_ssl_pkcs11_client_init       D   57208  12
 ldap_ssl_pkcs11_environment_init  D   57220  12

 Just thought I would list any routine in the library that has init in
 the name.

 1) Am I correct in assuming that ldap connectivity over ssl is not going
 to be recognized?

 See include/apr_ldap.h created... attachment

 Thank you for your consideration.




Re: configuring apr-util --with-ldap against idsldap (aka tivoli)

2014-02-18 Thread Eric Covener
I (IBM) have some patches in this area that didn't make it to APR or HTTPD :(

Unfortunately Tivoli SSL initialization doesn't fit into how APU
initializes SSL and we are currently using hacks in both APU and
HTTPD.

On Tue, Feb 18, 2014 at 2:46 PM, Michael Felt mamf...@gmail.com wrote:
 After running the idslink -l 32 (will look at 64 bit later, one thing at a
 time) and adding symbolic links in /usr/include to the version currently
 installed ./configure does complete, and says that ldap support is enabled -
 HOWEVER - I expect it is not going to support ldaps because configure is
 only checking for ldap_sslinit() and not for ldap_ssl_init() which is what
 is in the idsldap library:

 root@x093:[/opt/IBM/ldap/V6.1/lib]nm /opt/IBM/ldap/V6.1/lib/libibmldap.a | grep ldap_ | grep init
 .ldap_create_password_policy_bind_init_request T  261032
 .ldap_init                        T     884
 .ldap_init_all_global_mutex       T   53576
 .ldap_init_all_mutex_once         T   53200
 .ldap_init_iconv                  T   41260
 .ldap_krb_init_tkt                T  271232
 .ldap_lc_init                     T      48
 .ldap_msg_table_init              T    4888
 .ldap_msginit                     T   21052
 .ldap_ssl_client_init             T  249848
 .ldap_ssl_environment_init        T  249824
 .ldap_ssl_init                    T  249872
 .ldap_ssl_pkcs11_client_init      T  249728
 .ldap_ssl_pkcs11_environment_init T  249752
 /project/aus61ldap/build/aus61ldapsb/src/libraries/libldap/ldap_init.c f       -
 ldap_create_password_policy_bind_init_request D   58384  12
 ldap_init                         D   53752  12
 ldap_init_all_global_mutex        D   57556  12
 ldap_init_all_mutex_once          D   53620  12
 ldap_init_all_mutex_once          d   60292   4
 ldap_init_iconv                   D   58552  12
 ldap_krb_init_tkt                 D   60148  12
 ldap_lc_init                      D   53608  12
 ldap_msg_table_init               D   53812  12
 ldap_msginit                      D   54316  12
 ldap_ssl_client_init              D   57268  12
 ldap_ssl_environment_init         D   57256  12
 ldap_ssl_init                     D   57280  12
 ldap_ssl_pkcs11_client_init       D   57208  12
 ldap_ssl_pkcs11_environment_init  D   57220  12

 Just thought I would list any routine in the library that has init in the
 name.

 1) Am I correct in assuming that ldap connectivity over ssl is not going to
 be recognized?

 See include/apr_ldap.h created... attachment

 Thank you for your consideration.




-- 
Eric Covener
cove...@gmail.com


Re: configuring apr-util --with-ldap against idsldap (aka tivoli)

2014-02-18 Thread Graham Leggett
On 18 Feb 2014, at 10:35 PM, Eric Covener cove...@gmail.com wrote:

 I (IBM) have some patches in this area that didn't make it to APR or HTTPD :(
 
 Unfortunately Tivoli SSL initialization doesn't fit into how APU
 initializes SSL and we are currently using hacks in both APU and
 HTTPD.

I am about half way through the APR v2.0 replacement of the API. Not only is 
the init really tricky, with every toolkit out there having a unique variation, 
but the bind has a bunch of variation too. Then there is the passing of binary 
objects which has toolkit specific definitions of lengths. It has made coming 
up with an API quite a challenge.

My current biggest challenge is a pile of work I have that needs doing, so 
can't look at it now alas.

Regards,
Graham
--



Re: configuring apr-util --with-ldap against idsldap (aka tivoli)

2014-02-18 Thread Eric Covener
For when we revisit, or maybe for Michael -- In APU, the immediate
problem with SSL is that apr_ldap_ssl_init happens before the
certificate options are set.  The underlying Tivoli toolkit wants info
about the global_certs passed into that call.

autoconf for basic stuff, not really used because we bake it into
httpd below: http://people.apache.org/~covener/patches/apuldap-itds1.diff
replacement we use instead of apr_ldap_ssl_init for tivoli:
http://people.apache.org/~covener/patches/tivoli_ssl_init.txt

On Tue, Feb 18, 2014 at 3:42 PM, Graham Leggett minf...@sharp.fm wrote:
 On 18 Feb 2014, at 10:35 PM, Eric Covener cove...@gmail.com wrote:

 I (IBM) have some patches in this area that didn't make it to APR or HTTPD :(

 Unfortunately Tivoli SSL initialization doesn't fit into how APU
 initializes SSL and we are currently using hacks in both APU and
 HTTPD.

 I am about half way through the APR v2.0 replacement of the API. Not only is 
 the init really tricky, with every toolkit out there having a unique 
 variation, but the bind has a bunch of variation too. Then there is the 
 passing of binary objects which has toolkit specific definitions of lengths. 
 It has made coming up with an API quite a challenge.

 My current biggest challenge is a pile of work I have that needs doing, so 
 can't look at it now alas.

 Regards,
 Graham
 --




-- 
Eric Covener
cove...@gmail.com
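
The ordering problem Eric describes (apr_ldap_ssl_init runs before the certificate options are set, while the Tivoli toolkit wants the certificate information handed to that very call) is easy to reproduce in miniature. The following is an added example of my own, not Eric's replacement init and not apr-util code: a simulated toolkit with a one-shot SSL client init that needs its trust store up front (hypothetical tk_* names), an eager wrapper that initialises first and sets the CA afterwards, and a deferred wrapper that records the option and performs the toolkit call on first connection. The deferred path also fails closed when no trust store was configured instead of bringing up TLS without one. The keyring path is a constructed sample value.

```c
/* Added example (not from the thread or from Eric's patches): models an SSL
 * toolkit whose one-shot client init needs the trust store immediately, and
 * contrasts init-then-configure (the problem) with configure-then-init on
 * first use (the fix). The tk_* toolkit is a simulation with hypothetical
 * names standing in for a vendor SSL init; the keyring path is constructed. */
#include <stdio.h>
#include <string.h>

/* --- simulated toolkit: hypothetical, stands in for the vendor SSL init --- */
static int  tk_initialised = 0;
static char tk_keyring[256];

/* One-shot: the keyring must arrive now; a later call cannot add one. */
static int tk_ssl_client_init(const char *keyring)
{
    if (tk_initialised)           return -1;   /* already done, cannot reconfigure */
    if (!keyring || !*keyring)    return -2;   /* no trust store: refuse, fail closed */
    strncpy(tk_keyring, keyring, sizeof tk_keyring - 1);
    tk_keyring[sizeof tk_keyring - 1] = '\0';
    tk_initialised = 1;
    return 0;
}
static void tk_reset(void) { tk_initialised = 0; tk_keyring[0] = '\0'; }

/* --- wrapper layer: the shape an apr-util-style caller sees --- */
typedef struct {
    char ca_path[256];   /* filled by the "set certificate option" call */
    int  ssl_ready;      /* toolkit init has succeeded */
} ldap_ctx;

static void ctx_init(ldap_ctx *c) { memset(c, 0, sizeof *c); }

/* Certificate option setter, used by callers after creating the context. */
static void ctx_set_ca(ldap_ctx *c, const char *path)
{
    strncpy(c->ca_path, path, sizeof c->ca_path - 1);
    c->ca_path[sizeof c->ca_path - 1] = '\0';
}

/* Eager order (the problem): initialise SSL first, set certificates later. */
int connect_eager(ldap_ctx *c, const char *ca_path)
{
    ctx_init(c);
    int rc = tk_ssl_client_init(c->ca_path);   /* ca_path is still empty here */
    ctx_set_ca(c, ca_path);                    /* too late for a one-shot toolkit */
    c->ssl_ready = (rc == 0);
    return rc;
}

/* Deferred order (the fix): record options, call the toolkit on first use. */
static int ctx_ensure_ssl(ldap_ctx *c)
{
    if (c->ssl_ready)
        return 0;
    int rc = tk_ssl_client_init(c->ca_path);   /* -2 if no CA was configured */
    c->ssl_ready = (rc == 0);
    return rc;
}
int connect_deferred(ldap_ctx *c, const char *ca_path)
{
    ctx_init(c);
    if (ca_path)
        ctx_set_ca(c, ca_path);
    return ctx_ensure_ssl(c);
}

int main(void)
{
    ldap_ctx c;
    const char *ca = "/etc/ldap/ca.kdb";      /* constructed sample path */

    tk_reset();
    printf("eager:    rc=%d (toolkit never saw the CA)\n", connect_eager(&c, ca));
    tk_reset();
    printf("deferred: rc=%d keyring=%s\n", connect_deferred(&c, ca), tk_keyring);
    tk_reset();
    printf("deferred, no CA configured: rc=%d\n", connect_deferred(&c, NULL));
    return 0;
}
```

The eager sequence returns an error from the simulated toolkit; with a toolkit that accepts an empty trust store instead, the same ordering would bring TLS up with nothing to verify the server against, which is the quieter and worse outcome. Deferring the toolkit call until the options are complete removes the dependency on call order, and refusing to initialise without a trust store keeps a misconfiguration visible.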