Re: configuring apr-util --with-ldap against idsldap (aka tivoli)
Thank you all very much! I'll try what you are saying later :)

On Tue, Feb 18, 2014 at 9:52 PM, Eric Covener cove...@gmail.com wrote:
> For when we revisit, or maybe for Michael -- In APU, the immediate problem with SSL is that apr_ldap_ssl_init happens before the certificate options are set. The underlying Tivoli toolkit wants info about the global_certs passed into that call.
>
> autoconf for basic stuff, not really used because we bake it into httpd below:
> http://people.apache.org/~covener/patches/apuldap-itds1.diff
>
> replacement we use instead of apr_ldap_ssl_init for tivoli:
> http://people.apache.org/~covener/patches/tivoli_ssl_init.txt
>
> On Tue, Feb 18, 2014 at 3:42 PM, Graham Leggett minf...@sharp.fm wrote:
>> On 18 Feb 2014, at 10:35 PM, Eric Covener cove...@gmail.com wrote:
>>> I (IBM) have some patches in this area that didn't make it to APR or HTTPD :( Unfortunately Tivoli SSL initialization doesn't fit into how APU initializes SSL and we are currently using hacks in both APU and HTTPD.
>>
>> I am about half way through the APR v2.0 replacement of the API. Not only is the init really tricky, with every toolkit out there having a unique variation, but the bind has a bunch of variation too. Then there is the passing of binary objects which has toolkit specific definitions of lengths. It has made coming up with an API quite a challenge.
>>
>> My current biggest challenge is a pile of work I have that needs doing, so can't look at it now alas.
>>
>> Regards,
>> Graham
>
> --
> Eric Covener
> cove...@gmail.com
configuring apr-util --with-ldap against idsldap (aka tivoli)
After running the idslink -l 32 (will look at 64 bit later, one thing at a time) and adding symbolic links in /usr/include to the version currently installed, ./configure does complete, and says that ldap support is enabled - HOWEVER - I expect it is not going to support ldaps because configure is only checking for ldap_sslinit() and not for ldap_ssl_init(), which is what is in the idsldap library:

root@x093:[/opt/IBM/ldap/V6.1/lib]nm /opt/IBM/ldap/V6.1/lib/libibmldap.a | grep ldap_ | grep init
.ldap_create_password_policy_bind_init_request T 261032
.ldap_init T 884
.ldap_init_all_global_mutex T 53576
.ldap_init_all_mutex_once T 53200
.ldap_init_iconv T 41260
.ldap_krb_init_tkt T 271232
.ldap_lc_init T 48
.ldap_msg_table_init T 4888
.ldap_msginit T 21052
.ldap_ssl_client_init T 249848
.ldap_ssl_environment_init T 249824
.ldap_ssl_init T 249872
.ldap_ssl_pkcs11_client_init T 249728
.ldap_ssl_pkcs11_environment_init T 249752
/project/aus61ldap/build/aus61ldapsb/src/libraries/libldap/ldap_init.c f -
ldap_create_password_policy_bind_init_request D 58384 12
ldap_init D 53752 12
ldap_init_all_global_mutex D 57556 12
ldap_init_all_mutex_once D 53620 12
ldap_init_all_mutex_once d 60292 4
ldap_init_iconv D 58552 12
ldap_krb_init_tkt D 60148 12
ldap_lc_init D 53608 12
ldap_msg_table_init D 53812 12
ldap_msginit D 54316 12
ldap_ssl_client_init D 57268 12
ldap_ssl_environment_init D 57256 12
ldap_ssl_init D 57280 12
ldap_ssl_pkcs11_client_init D 57208 12
ldap_ssl_pkcs11_environment_init D 57220 12

Just thought I would list any routine in the library that has init in the name.

1) Am I correct in assuming that ldap connectivity over ssl is not going to be recognized? See include/apr_ldap.h created... (attachment)

Thank you for your consideration.

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * apr_ldap.h is generated from apr_ldap.h.in by configure -- do not edit apr_ldap.h
 */

/**
 * @file apr_ldap.h
 * @brief  APR-UTIL LDAP
 */
#ifndef APU_LDAP_H
#define APU_LDAP_H

/**
 * @defgroup APR_Util_LDAP LDAP
 * @ingroup APR_Util
 * @{
 */

/* this will be defined if LDAP support was compiled into apr-util */
#define APR_HAS_LDAP 1

/* identify the LDAP toolkit used */
#define APR_HAS_NETSCAPE_LDAPSDK  0
#define APR_HAS_SOLARIS_LDAPSDK   0
#define APR_HAS_NOVELL_LDAPSDK    0
#define APR_HAS_MOZILLA_LDAPSDK   0
#define APR_HAS_OPENLDAP_LDAPSDK  0
#define APR_HAS_MICROSOFT_LDAPSDK 0
#define APR_HAS_TIVOLI_LDAPSDK    1
#define APR_HAS_ZOS_LDAPSDK       0
#define APR_HAS_OTHER_LDAPSDK     0

/*
 * Handle the case when LDAP is enabled
 */
#if APR_HAS_LDAP

/*
 * The following #defines are DEPRECATED and should not be used for
 * anything. They remain to maintain binary compatibility.
 * The original code defined the OPENLDAP SDK as present regardless
 * of what really was there, which was way bogus. In addition, the
 * apr_ldap_url_parse*() functions have been rewritten specifically for
 * APR, so the APR_HAS_LDAP_URL_PARSE macro is forced to zero.
 */
#if APR_HAS_TIVOLI_LDAPSDK
#define APR_HAS_LDAP_SSL 0
#else
#define APR_HAS_LDAP_SSL 1
#endif
#define APR_HAS_LDAP_URL_PARSE 0

#if APR_HAS_OPENLDAP_LDAPSDK && !defined(LDAP_DEPRECATED)
/* Ensure that the deprecated interfaces are still exposed
 * with OpenLDAP >= 2.3; these were exposed by default in earlier
 * releases. */
#define LDAP_DEPRECATED 1
#endif

/*
 * Include the standard LDAP header files.
 */
#include <lber.h>
#include <ldap.h>

/*
 * Detected standard functions
 */
#define APR_HAS_LDAPSSL_CLIENT_INIT 0
#define APR_HAS_LDAPSSL_CLIENT_DEINIT 0
#define APR_HAS_LDAPSSL_ADD_TRUSTED_CERT 0
#define APR_HAS_LDAP_START_TLS_S 0
#define APR_HAS_LDAP_SSLINIT 0
#define APR_HAS_LDAPSSL_INIT 0
#define APR_HAS_LDAPSSL_INSTALL_ROUTINES 0

/*
 * Make sure the secure LDAP port is defined
 */
#ifndef LDAPS_PORT
#define LDAPS_PORT 636 /* ldaps:///
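The mismatch behind the question above (configure probes for ldap_sslinit() and the other toolkit-specific names, but never for Tivoli's ldap_ssl_init()) can be checked mechanically against the nm listing before building. What follows is an added example, not code from this thread, from APR or from IBM: a POSIX shell script that applies the same set of symbol probes to an nm listing and prints the #define lines configure would generate. The pairing of probed symbol to APR_HAS_* macro is an assumption read off the generated apr_ldap.h in the post; the listing embedded in the script is a subset of the libibmldap.a nm output from the post, pasted inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, APR or IBM): reproduce apr-util
# configure's "detected standard functions" probes against an nm listing.

# Symbols apr-util's configure looks for, paired with the macro each one
# controls. Assumption: pairing taken from the APR_HAS_* names in the
# generated apr_ldap.h shown in the post.
PROBES="ldapssl_client_init:APR_HAS_LDAPSSL_CLIENT_INIT
ldapssl_client_deinit:APR_HAS_LDAPSSL_CLIENT_DEINIT
ldapssl_add_trusted_cert:APR_HAS_LDAPSSL_ADD_TRUSTED_CERT
ldap_start_tls_s:APR_HAS_LDAP_START_TLS_S
ldap_sslinit:APR_HAS_LDAP_SSLINIT
ldapssl_init:APR_HAS_LDAPSSL_INIT
ldapssl_install_routines:APR_HAS_LDAPSSL_INSTALL_ROUTINES"

# Subset of the AIX nm output for libibmldap.a from the post, pasted inline
# (sample input; 'T' = text symbol, 'D' = data symbol, leading dot is AIX's
# convention for the code entry point).
SAMPLE_NM='.ldap_init T 884
.ldap_ssl_client_init T 249848
.ldap_ssl_environment_init T 249824
.ldap_ssl_init T 249872
.ldap_ssl_pkcs11_client_init T 249728
ldap_ssl_init D 57280 12'

# has_symbol LISTING NAME -> exit 0 if NAME is a defined (T or D) symbol in
# LISTING, ignoring the AIX leading dot.
has_symbol() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { name = $1; sub(/^\./, "", name) }
        name == want && ($2 == "T" || $2 == "D") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# emit_defines LISTING -> one "#define MACRO 0|1" line per probe, in the
# form configure substitutes into apr_ldap.h.
emit_defines() {
    printf '%s\n' "$PROBES" | while IFS=: read -r sym macro; do
        if has_symbol "$1" "$sym"; then v=1; else v=0; fi
        printf '#define %s %d\n' "$macro" "$v"
    done
}

# count_enabled LISTING -> how many probes would be set to 1.
count_enabled() {
    emit_defines "$1" | grep -c ' 1$' || true
}

# Usage: show what configure would write for the Tivoli library. Every
# probe stays 0 because the library exports ldap_ssl_init, which is not
# among the names configure asks for.
emit_defines "$SAMPLE_NM"
```

Running it against the Tivoli listing prints seven `#define ... 0` lines, which is exactly the "Detected standard functions" block in the attached apr_ldap.h; swapping in a listing that contains ldap_start_tls_s (an OpenLDAP-style library) flips APR_HAS_LDAP_START_TLS_S to 1, which is how the same probes give a working ldaps build on other toolkits.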
Re: configuring apr-util --with-ldap against idsldap (aka tivoli)
Maybe I also need to add --with-crypto (warning message when building httpd) for SSL/EVP, but would appreciate verification.

On Tue, Feb 18, 2014 at 8:46 PM, Michael Felt mamf...@gmail.com wrote:
> After running the idslink -l 32 (will look at 64 bit later, one thing at a time) and adding symbolic links in /usr/include to the version currently installed, ./configure does complete, and says that ldap support is enabled - HOWEVER - I expect it is not going to support ldaps because configure is only checking for ldap_sslinit() and not for ldap_ssl_init(), which is what is in the idsldap library:
>
> root@x093:[/opt/IBM/ldap/V6.1/lib]nm /opt/IBM/ldap/V6.1/lib/libibmldap.a | grep ldap_ | grep init
> [...]
>
> Just thought I would list any routine in the library that has init in the name.
>
> 1) Am I correct in assuming that ldap connectivity over ssl is not going to be recognized? See include/apr_ldap.h created... (attachment)
>
> Thank you for your consideration.
Re: configuring apr-util --with-ldap against idsldap (aka tivoli)
I (IBM) have some patches in this area that didn't make it to APR or HTTPD :( Unfortunately Tivoli SSL initialization doesn't fit into how APU initializes SSL and we are currently using hacks in both APU and HTTPD.

On Tue, Feb 18, 2014 at 2:46 PM, Michael Felt mamf...@gmail.com wrote:
> After running the idslink -l 32 (will look at 64 bit later, one thing at a time) and adding symbolic links in /usr/include to the version currently installed, ./configure does complete, and says that ldap support is enabled - HOWEVER - I expect it is not going to support ldaps because configure is only checking for ldap_sslinit() and not for ldap_ssl_init(), which is what is in the idsldap library:
>
> root@x093:[/opt/IBM/ldap/V6.1/lib]nm /opt/IBM/ldap/V6.1/lib/libibmldap.a | grep ldap_ | grep init
> [...]
>
> Just thought I would list any routine in the library that has init in the name.
>
> 1) Am I correct in assuming that ldap connectivity over ssl is not going to be recognized? See include/apr_ldap.h created... (attachment)
>
> Thank you for your consideration.

--
Eric Covener
cove...@gmail.com
Re: configuring apr-util --with-ldap against idsldap (aka tivoli)
On 18 Feb 2014, at 10:35 PM, Eric Covener cove...@gmail.com wrote:
> I (IBM) have some patches in this area that didn't make it to APR or HTTPD :( Unfortunately Tivoli SSL initialization doesn't fit into how APU initializes SSL and we are currently using hacks in both APU and HTTPD.

I am about half way through the APR v2.0 replacement of the API. Not only is the init really tricky, with every toolkit out there having a unique variation, but the bind has a bunch of variation too. Then there is the passing of binary objects which has toolkit specific definitions of lengths. It has made coming up with an API quite a challenge.

My current biggest challenge is a pile of work I have that needs doing, so can't look at it now alas.

Regards,
Graham
--
Re: configuring apr-util --with-ldap against idsldap (aka tivoli)
For when we revisit, or maybe for Michael -- In APU, the immediate problem with SSL is that apr_ldap_ssl_init happens before the certificate options are set. The underlying Tivoli toolkit wants info about the global_certs passed into that call.

autoconf for basic stuff, not really used because we bake it into httpd below:
http://people.apache.org/~covener/patches/apuldap-itds1.diff

replacement we use instead of apr_ldap_ssl_init for tivoli:
http://people.apache.org/~covener/patches/tivoli_ssl_init.txt

On Tue, Feb 18, 2014 at 3:42 PM, Graham Leggett minf...@sharp.fm wrote:
> On 18 Feb 2014, at 10:35 PM, Eric Covener cove...@gmail.com wrote:
>> I (IBM) have some patches in this area that didn't make it to APR or HTTPD :( Unfortunately Tivoli SSL initialization doesn't fit into how APU initializes SSL and we are currently using hacks in both APU and HTTPD.
>
> I am about half way through the APR v2.0 replacement of the API. Not only is the init really tricky, with every toolkit out there having a unique variation, but the bind has a bunch of variation too. Then there is the passing of binary objects which has toolkit specific definitions of lengths. It has made coming up with an API quite a challenge.
>
> My current biggest challenge is a pile of work I have that needs doing, so can't look at it now alas.
>
> Regards,
> Graham
> --

--
Eric Covener
cove...@gmail.com