Re: ldap ssl authentication httpd 2, solaris 8

ERIC K. CHEU Tue, 06 Jan 2004 11:29:45 -0800

Okay... finally got ldap ssl to work with the novell libraries on both
solaris 7 and 8.  It does take some hacking of the source code and you
have to compile httpd with different libraries. Here are the steps that I
did:


1.  Make sure your paths is set correctly so that you are either using
        the appropriate ld or as program accordingly (if you are using
        gcc, then you will want to use gnu ld or as, if you use,
        sunworkshop's cc, then you will want to use solaris as and ld).
2.  setenv LD_LIBRARY_PATH /usr/slocal/novell/lib
        (I installed the novell ldap libaries in /usr/slocal/novell, and
        am using tcsh shell)
3.  as root
        touch /tmp/mod_ldap_cache
        (found this on google somewhere that initializing the cache
        can cause problems for some reason on solaris).
3.  I configured with these options (and set the appropriate
        environmental variables for CPPFLAGS and LDFLAGS):

        configured by ./configure, generated by GNU Autoconf 2.54,
          with options \"'--with-prefix=/var/test'
        '--with-ssl=/afs/uncg.edu/@sys/opt/openssl'
         '--with-ldap-include=/usr/slocal/novell/include'
        '--with-ldap-lib=/usr/slocal/novell/lib' '--with-ldap'
         '--enable-ssl' '--enable-ldap'
        '--enable-auth-ldap' 'CPPFLAGS=-I/usr/slocal/novell/include'
        'LDFLAGS=-L/usr/slocal/novell/lib'\"
4. Modifies 4 files after configure finished:

supernova# diff modules/ssl/ssl_engine_init.c
/tmp/httpd-2.0.48/modules/ssl/ssl_engine_init.c
116a117
>       OpenSSL_add_all_algorithms();
118c119
<     SSL_library_init();
---
> //    SSL_library_init();
139,140c140,141
<     MODSSL_TMP_KEYS_FREE(mc, RSA);
<     MODSSL_TMP_KEYS_FREE(mc, DH);
---
> //    MODSSL_TMP_KEYS_FREE(mc, RSA);
> //    MODSSL_TMP_KEYS_FREE(mc, DH);


supernova# diff modules/experimental/mod_auth_ldap.c
/tmp/httpd-2.0.48/modules/experimental/mod_auth_ldap.c
741c741,749
<     result = apr_ldap_url_parse(url, &(urld));
---
>       result= ldap_url_parse_ext( url, &(urld));
>       if(urld->lud_scope == -1) {
>               urld->lud_scope = LDAP_SCOPE_BASE;
>       }
>       if(urld->lud_host !=NULL && urld->lud_host == '\0'){
>               LDAP_FREE(urld->lud_host);
>               urld->lud_host = NULL;
>       }
> //    result = apr_ldap_url_parse(url, &(urld));


supernova# diff modules/experimental/util_ldap.c
/tmp/httpd-2.0.48/modules/experimental/util_ldap.c
62a63,66
> #define LDAP_OPT_X_TLS                          0x6000
> #define LDAP_OPT_X_TLS_CACERTFILE       0x6002
> #define LDAP_OPT_X_TLS_HARD             1

supernova# diff ~ekcheu/apr_ldap.h  srclib/apr-util/include/apr_ldap.h
83c83
< #define APR_HAS_NOVELL_LDAPSDK      0
---
> #define APR_HAS_NOVELL_LDAPSDK      1
114c114,115
< #define APR_HAS_OPENLDAP_LDAPSDK 1
---
> //#define APR_HAS_OPENLDAP_LDAPSDK 1
> #define APR_HAS_NOVELL_LDAPSDK 1

5.  Typed 'make'

        At the end, make will fail to compile httpd, so I just do it
        manually at the top of the httpd tree.  For solaris 8, I used
        sun workshop cc:

/tmp/novel/httpd-2.0.48/srclib/apr/libtool --silent --mode=link
/usr/local/bin/cc -g -DSOLARIS2=8 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT
-I/usr/slocal/novell/include -I/usr/slocal/novell/include
-I/tmp/novel/httpd-2.0.48/srclib/apr/include
-I/tmp/novel/httpd-2.0.48/srclib/apr-util/include -I/usr/local/include
-I/tmp/novel/httpd-2.0.48/srclib/apr-util/xml/expat/lib -I.
-I/tmp/novel/httpd-2.0.48/os/unix
-I/tmp/novel/httpd-2.0.48/server/mpm/prefork
-I/tmp/novel/httpd-2.0.48/modules/http
-I/tmp/novel/httpd-2.0.48/modules/filters
-I/tmp/novel/httpd-2.0.48/modules/proxy -I/tmp/novel/httpd-2.0.48/include
-I/afs/uncg.edu/@sys/opt/openssl/include/openssl
-I/afs/uncg.edu/@sys/opt/openssl/include
-I/tmp/novel/httpd-2.0.48/modules/dav/main -export-dynamic
-L/usr/local/lib -L/tmp/novel/httpd-2.0.48/srclib/apr-util/xml/expat/lib
-L/afs/uncg.edu/@sys/opt/openssl/lib -R/afs/uncg.edu/@sys/opt/openssl/lib
-L/usr/slocal/novell/lib -o httpd modules.lo modules/aaa/mod_access.la
modules/aaa/mod_auth.la modules/experimental/mod_ldap.la
modules/experimental/mod_auth_ldap.la modules/filters/mod_include.la
modules/loggers/mod_log_config.la modules/metadata/mod_env.la
modules/metadata/mod_setenvif.la modules/ssl/mod_ssl.la
modules/http/mod_http.la modules/http/mod_mime.la
modules/generators/mod_status.la modules/generators/mod_autoindex.la
modules/generators/mod_asis.la modules/generators/mod_cgi.la
modules/mappers/mod_negotiation.la modules/mappers/mod_dir.la
modules/mappers/mod_imap.la modules/mappers/mod_actions.la
modules/mappers/mod_userdir.la modules/mappers/mod_alias.la
modules/mappers/mod_so.la server/mpm/prefork/libprefork.la
server/libmain.la os/unix/libos.la
/tmp/novel/httpd-2.0.48/srclib/pcre/libpcre.la
/tmp/novel/httpd-2.0.48/srclib/apr-util/libaprutil-0.la -ldl -lpthread
-ldb /tmp/novel/httpd-2.0.48/srclib/apr-util/xml/expat/lib/libexpat.la
/tmp/novel/httpd-2.0.48/srclib/apr/libapr-0.la -lsendfile -lrt -lm
-lsocket -lnsl -lresolv -ldl -L/usr/slocal/novell/lib -lldapsdk -lldapssl
-lssl -lcrypto

        For solaris 7 I used gcc:

        /tmp/httpd-2.0.48/srclib/apr/libtool --silent --mode=link gcc -g
-O2 -pthreads -DSOLARIS2=7 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT
-DAP_HAVE_DESIGNATED_INITIALIZER -I/usr/slocal/novell/include
-I/tmp/httpd-2.0.48/srclib/apr/include -I/tm
p/httpd-2.0.48/srclib/apr-util/include
-I/tmp/httpd-2.0.48/srclib/apr-util/xml/expat/lib -I.
 -I/tmp/httpd-2.0.48/os/unix -I/tmp/httpd-2.0.48/server/mpm/prefork
 -I/tmp/httpd-2.0.48/modules/http -I/tmp/httpd-2.0.48/modules/filters
-I/tmp/httpd-2.0.48/modules/proxy -I/tmp/httpd-2.0.48/include
-I/afs/uncg.edu/@sys/opt/openssl/include/openssl
 -I/afs/uncg.edu/@sys/opt/openssl/include
-I/tmp/httpd-2.0.48/modules/dav/main -export-dynamic
-L/tmp/httpd-2.0.48/srclib/apr-util/xml/expat/lib
-L/afs/uncg.edu/@sys/opt/openssl/lib -R/afs/uncg.edu/@sys/opt/openssl/lib
-L/usr/slocal/novell/lib -o httpd modules.lo modules/aaa/mod_access.la
 modules/aaa/mod_auth.la
modules/experimental/mod_ldap.la modules/experimental/mod_auth_ldap.la
modules/filters/mod_include.la modules/loggers/mod_log_config.la
modules/metadata/mod_env.la modules/metadata/mod_setenvif.la
modules/ssl/mod_ssl.la modules/http/mod_http.la modules/http/mod_mime.la
modules/generators/mod_status.la
 modules/generators/mod_autoindex.la modules/generators/mod_asis.la
modules/generators/mod_cgi.la modules/mappers/mod_negotiation.la
modules/mappers/mod_dir.la modules/mappers/mod_imap.la
 modules/mappers/mod_actions.la modules/mappers/mod_userdir.la
 modules/mappers/mod_alias.la modules/mappers/mod_so.la
server/mpm/prefork/libprefork.la server/libmain.la os/unix/libos.la
/tmp/httpd-2.0.48/srclib/pcre/libpcre.la
 /tmp/httpd-2.0.48/srclib/apr-util/libaprutil-0.la -ldl -lpthread -lgdbm
-ldb /tmp/httpd-2.0.48/srclib/apr-util/xml/expat/lib/libexpat.la
/tmp/httpd-2.0.48/srclib/apr/libapr-0.la -lrt -lm -lsocket -lnsl -lresolv
 -ldl -L/usr/slocal/novell/lib -lldapsdk -lldapssl -lssl -lcrypto


Make sure that you don't compile any native ldap libraries (such as
the one included on solaris 8), otherwise certain functions, such as
ldapssl_init will fail.
6.  make install
7.  Edit httpd.conf of course, to make sure you load the right DER
        or B64 certificate (and also point to the right ssl certificates
        so that https will work.  No point in using ldap ssl if you also
        don't use https).
8.  Make sure with your novell administrator, when testing, that you
        first point to the full path of your DN (and not aliases), as
        aliases may not always work (AuthLDAPURL  line).

Re: ldap ssl authentication httpd 2, solaris 8

Reply via email to