I am sponsoring this case for Jeff Trawick. It enables Apache (via APR) to use OpenLDAP. I'll make the contract between this case and PSARC/2008/507 available soon.
Template Version: @(#)sac_nextcase %I% %G% SMI
This information is Copyright 2009 Sun Microsystems

1. Introduction
    1.1. Project/Component Working Name:
         Apache and APR-Util Using OpenLDAP
    1.2. Name of Document Author/Supplier:
         Author: Jeff Trawick
    1.3. Date of This Document:
         21 February, 2009

2. Summary
    2.1. Switch APR-Util to OpenLDAP

    APR-Util is a support library used by Apache HTTP Server and other
    applications. APR-Util provides limited abstractions for LDAP libraries:
    it detects which libraries are available, determines their capabilities,
    and provides helper functions for more complex features such as
    configuring SSL certificates for communication with the LDAP server.
    Applications are expected to make direct calls to portable functions in
    the underlying LDAP library and to use APR-Util-specific calls for
    non-portable operations.

    APR-Util is most often used with OpenLDAP, though it does have some
    support for a handful of other LDAP libraries, including native Solaris
    LDAP. However, ldaps does not work with native Solaris LDAP.

    This project will change the APR-Util build configuration to use OpenLDAP
    instead of native Solaris LDAP.

    2.2. Switch Apache HTTP Server to OpenLDAP

    Apache HTTP Server (Apache) uses the LDAP feature of APR-Util to handle
    most LDAP details. (In fact it is the only publicly known application on
    any platform which uses that feature.) It links to the LDAP libraries
    specified by APR-Util, includes header files from paths specified by
    APR-Util, etc.; it uses a mix of portable LDAP library calls and APR-Util
    calls to implement Apache's LDAP features. Apache will not need to be
    modified to build with OpenLDAP, but the APR-Util changes will be
    reflected in different libraries and header files used by Apache, and the
    LDAP calls made by Apache could change based on compile-time tests for
    symbols in the APR-Util or LDAP header files.
    Note that the Apache documentation for mod_ldap at
    http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#settingcerts states
    "SSL/TLS for the native Solaris LDAP libraries is not yet supported. If
    required, install and use the OpenLDAP libraries instead."

4. Technical Description:
    4.1. Special library issues

    4.1.1. Implications of the choice of LDAP SDK

    The native Solaris LDAP and OpenLDAP SDKs implement some of the same
    symbols. Any libraries loaded into the same process as APR-Util and
    Apache must use the same LDAP SDK, or the behavior is undefined.

    Other users of the OpenSolaris-delivered OpenLDAP client library should
    understand that the interfaces are Volatile and hence may change in an
    incompatible manner in the future.

    The LDAP SDK use in APR-Util is segregated into the separate library
    apr_ldap.so, which is loaded dynamically if APR-Util LDAP functions are
    called; this mitigates the risk for a user-provided APR-Util application
    which independently uses LDAP.

    A list of packages within Nevada (b105) using APR-Util is shown below,
    along with their use of LDAP:

    i.   Apache (and its commands) in SUNWapch22
         This currently uses Solaris libldap, but that will be changed by
         this project via the APR-Util build changes.
    ii.  mod_perl's APR.so, also packaged within SUNWapch22
    iii. Subversion commands and libraries in SUNWsvn, and the Subversion
         Perl and Python interfaces in SUNWsvn-python
         These all use APR-Util but use neither the APR-Util LDAP interfaces
         nor the Solaris LDAP interfaces.

    Thus, the other applications in Nevada which use APR-Util will not be
    negatively impacted by this change.

    Special note about APR and Solaris LDAP: Any application which uses
    APR-Util (libaprutil-1.so) also uses APR (libapr-1.so). libapr-1.so has
    an unused reference to libldap.so via another Solaris library it uses.
    Thus, any application which uses APR-Util has an unused reference to
    libldap.so.
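    The ldd -u check described in 4.1.1 and the libldap_r/libldap mix
    warned about in 4.1.2 can be turned into a repeatable test of a binary's
    dependency list. The script below is an added example, not part of this
    case or of APR-Util; the function name ldap_sdk_check and the two ldd
    listings it runs on are constructed, and it assumes that, as on Solaris,
    "ldd -u" reports unneeded objects on trailing "unused object=<path>" lines.

```shell
#!/bin/sh
# Added example (not part of the ARC case): read an `ldd` listing on stdin and
# flag the two LDAP SDK mixes the case warns about:
#   1. native Solaris libldap.so used together with the OpenLDAP SDK
#   2. OpenLDAP non-reentrant libldap-2.4.so together with reentrant libldap_r-2.4.so
# Usage:  ldd -u /path/to/httpd | ldap_sdk_check    (returns 0 = clean, 1 = conflict)
# Assumption: like Solaris `ldd -u`, unneeded objects are reported on trailing
# "unused object=<path>" lines; those (e.g. APR's libldap.so reference) are ignored.
# Library names follow the OpenSolaris packaging described in the case.
ldap_sdk_check() {
    awk '
    /unused object=/ { sub(/.*unused object=/, ""); unused[$0] = 1; next }
    /=>/             { deps[$3] = 1 }        # "libX.so => /full/path"
    END {
        for (p in deps) {
            if (p in unused) continue        # linked but never bound: harmless
            if (p ~ /libldap\.so/)             native = 1
            else if (p ~ /libldap_r-2\.4\.so/) reentrant = 1
            else if (p ~ /libldap-2\.4\.so/)   nonreentrant = 1
        }
        rc = 0
        if (native && (reentrant || nonreentrant)) {
            print "CONFLICT: native Solaris libldap.so used alongside OpenLDAP"; rc = 1
        }
        if (reentrant && nonreentrant) {
            print "CONFLICT: both libldap_r-2.4.so and libldap-2.4.so are used"; rc = 1
        }
        if (!rc) {
            if (native)            sdk = "native Solaris LDAP"
            else if (reentrant)    sdk = "OpenLDAP (reentrant build)"
            else if (nonreentrant) sdk = "OpenLDAP (non-reentrant build)"
            else                   sdk = "none"
            print "OK: LDAP SDK in use: " sdk
        }
        exit rc
    }'
}

# Constructed sample: httpd after this case, including APR's unused libldap.so reference.
SAMPLE_CLEAN='        libaprutil-1.so.0 =>     /usr/apache2/2.2/lib/libaprutil-1.so.0
        libldap_r-2.4.so.2 =>    /usr/lib/libldap_r-2.4.so.2
        liblber-2.4.so.2 =>      /usr/lib/liblber-2.4.so.2
        libldap.so.5 =>  /usr/lib/libldap.so.5
   unused object=/usr/lib/libldap.so.5'
# Constructed sample: a module pulled the non-reentrant OpenLDAP build into the process.
SAMPLE_MIXED='        libldap_r-2.4.so.2 =>    /usr/lib/libldap_r-2.4.so.2
        libldap-2.4.so.2 =>      /usr/lib/libldap-2.4.so.2'

printf '%s\n' "$SAMPLE_CLEAN" | ldap_sdk_check
printf '%s\n' "$SAMPLE_MIXED" | ldap_sdk_check || echo "exit status $?"
```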
    The packages in Nevada using APR-Util, listed above, were checked with
    ldd -u to confirm that they did not use libldap.so (other than Apache,
    which is changed with this project).

    4.1.2. Special OpenLDAP reentrancy considerations

    OpenLDAP provides reentrant builds of the LDAP client functions in
    libldap_r-2.4.so, and non-reentrant builds in libldap-2.4.so. Because
    APR-Util supports threaded applications, it will use the reentrant build.

    Traditionally this distinction between libldap and libldap_r has been a
    problem, particularly with applications like Apache which have a plugin
    architecture that leads to unanticipated combinations of code in the same
    address space. If APR-Util (and thus Apache) uses the reentrant build and
    some Apache module uses a library which uses the non-reentrant build, it
    is undefined which build will actually be used. Some distributors of
    OpenLDAP solve this problem by providing only the reentrant build of the
    library, and pointing libldap to the reentrant build.

    Because the potential problem has not been avoided on OpenSolaris, a
    restriction for any applications or libraries which may also use OpenLDAP
    in conjunction with APR-Util is that they must use the reentrant build.

    4.1.3. Existing reference to native Solaris LDAP in libraries used by
    Apache

    libapr-1.so (APR, used by Apache and APR-Util) indirectly references
    libldap.so, but ldd reports that libldap.so is an unused dependency.

    4.2. Bug/RFE Number(s):
         6778978 ldaps causes Apache to segfault
         6798092 APR-Util should use OpenLDAP instead of native Solaris LDAP

    4.5. Interfaces:

    This affects both APR-Util and Apache.

    Imported Interfaces removed (no longer being imported):

    NAME         STABILITY    NOTES
    ----------------------------------------------------------------------
    LDAP         Evolving     PSARC/1997/276 et seq.
    New Imported Interfaces:

    NAME         STABILITY    NOTES
    ----------------------------------------------------------------------
    OpenLDAP     Volatile     PSARC/2008/507

    A contract for consuming the Volatile OpenLDAP interfaces from
    PSARC/2008/507 will be signed as part of this case's proceedings.

    4.6. Doc Impact:

    Web Stack documentation should indicate that Apache and APR-Util use the
    OpenLDAP SDK. (The important detail of which LDAP SDK is utilized has
    been omitted from the documentation in previous releases.)

    4.6.1. Implications for Apache configuration

    Refer users to the OpenLDAP-specific details for configuring ldaps
    connections at http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#settingcerts
    If practical, include within the documentation a sample LDAP
    configuration showing ldaps connections to a directory server.

    4.6.2. Implications for libraries that can be loaded into Apache or other
    processes with APR-Util

    State that Apache and APR-Util use the OpenLDAP SDK, and specifically the
    libraries libldap_r-2.4.so and liblber-2.4.so, so no other LDAP libraries
    can be loaded into Apache or other processes with APR-Util. Note also
    that the OpenLDAP interfaces in OpenSolaris are classified as Volatile
    and may change in an incompatible manner in future updates or releases.

    4.7. Admin/Config Impact:

    APR-Util does not have an administration interface. Non-SSL LDAP
    configurations of Apache will continue to work as-is. SSL LDAP
    connections can now be configured.

    4.10. Packaging & Delivery:
    // What packages, clusters or metaclusters does this proposal
    // impact? What is its impact on install/upgrade?

    APR-Util's LDAP interface is package SUNWapu13-ldap. SUNWapu13-ldap will
    be changed to add a dependency on SUNWopenldap. Native Solaris LDAP is
    part of SUNWcsl, which will continue to be a dependency of
    SUNWapu13-ldap.

    4.12. Dependencies:
    // List all dependencies that this proposal has on other
    // proposals, components or products. Include interface
    // specifics above in the interfaces section; list component
    // version requirements here.

    OpenLDAP 2.4.x in package SUNWopenldap (/usr/include/openldap/*.h,
    libldap_r-2.4.so, liblber-2.4.so)

6. Resources and Schedule
    6.4. Steering Committee requested information
    6.4.1. Consolidation C-team Name:
         sfw
    6.5. ARC review type: FastTrack
    6.6. ARC Exposure: open