Re: Imap Name Change - NetWare Build

[Brad Nicholes]

Done, Thanks

Brad

 [EMAIL PROTECTED] Thursday, April 07, 2005 5:20:23 PM 
Greetings All,
Just trying a build of 2.1 following the mod_imap - mod_imagemap name 
change, and the attached patches are needed to build for NetWare:

In http 21. root directory:

--- NWGNUmakefile.orig  2005-02-15 06:42:40.0 +1100
+++ NWGNUmakefile   2005-04-08 08:46:50.0 +1000
@@ -215,7 +215,7 @@
$(OBJDIR)/mod_cgi.o \
$(OBJDIR)/mod_dir.o \
$(OBJDIR)/mod_env.o \
-   $(OBJDIR)/mod_imap.o \
+   $(OBJDIR)/mod_imagemap.o \
$(OBJDIR)/mod_include.o \
$(OBJDIR)/mod_log_config.o \
$(OBJDIR)/mod_mime.o \

In http-2.1\os\netware directory:

--- modules.c.orig  2005-02-05 10:08:46.0 +1100
+++ modules.c   2005-04-08 09:05:55.0 +1000
@@ -39,7 +39,7 @@
  extern module env_module;
  extern module log_config_module;
  extern module asis_module;
-extern module imap_module;
+extern module imagemap_module;
  extern module actions_module;
  extern module setenvif_module;
  extern module nwssl_module;
@@ -62,7 +62,7 @@
env_module,
log_config_module,
asis_module,
-  imap_module,
+  imagemap_module,
actions_module,
setenvif_module,
nwssl_module,
@@ -87,7 +87,7 @@
{env_module, env_module},
{log_config_module, log_config_module},
{asis_module, asis_module},
-  {imap_module, imap_module},
+  {imagemap_module, imagemap_module},
{actions_module, actions_module},
{setenvif_module, setenvif_module},
{nwssl_module, nwssl_module},
@@ -112,7 +112,7 @@
env_module,
log_config_module,
asis_module,
-  imap_module,
+  imagemap_module,
actions_module,
setenvif_module,
nwssl_module,

Cheers,
Norm

Re: simple-conf ready for merge

[Brad Nicholes]

  I see your rational, but I am looking at it from the point of view that the 
user knows that one of the first things that they need to do is tweak the MPM 
to fit their load/resource requirements.  This is more a matter of where it 
they go?  I could have sworn they were right here a minute ago.  And I 
certainly wouldn't classify them as extra.

[ Side note:
The other question is How much confusion does the presence of these 
directives add to the config file?  That mess of IfModule xxx_mpm was 
horribly confusing IMHO.  That could be solved by intelligently 
including only the section for the relevant mpm in the default config, 
but that would require more complex build changes than I am up to.

I agree,  but I would still rather see only the applicable platform MPM 
directives anyway no matter whether they are implemented in httpd.conf or 
extra/httpd-mpm.conf.  

Brad

 [EMAIL PROTECTED] Wednesday, April 06, 2005 1:17:10 PM 


Brad Nicholes wrote:
I'm still not a big fan of removing the MPM settings from the httpd.conf 
 file.  All of the other extra .conf files contain supplemental configuration 
 but the MPM configuration seems to be more along the lines of a ServerRoot or 
 Listen.  Despite the fact that these are technically module directives, MPM 
 directives just feel more like core directives.

It's not really a question of core/module.  Lots of core directives were 
removed too.  The question is: Is this a directive that many/most users 
need to change?  For most of the mpm directives, the answer is clearly 
no.  (Although you could argue about something like 
MaxClients/MaxThreads.)

[ Side note:
The other question is How much confusion does the presence of these 
directives add to the config file?  That mess of IfModule xxx_mpm was 
horribly confusing IMHO.  That could be solved by intelligently 
including only the section for the relevant mpm in the default config, 
but that would require more complex build changes than I am up to.
]

Joshua.

Re: simple-conf branch

[Brad Nicholes]

+1 to Greg's comment, I also think that for a new users, having a bunch of 
little .conf files will be more confusing.  For experienced users, they will 
split up the .conf file however they see fit anyway.  So it doesn't really 
matter.

Brad

 [EMAIL PROTECTED] Sunday, April 03, 2005 1:33:06 AM 
On Sat, Apr 02, 2005 at 02:58:26PM -0500, Joshua Slive wrote:
 Please take a look at
 http://svn.apache.org/repos/asf/httpd/httpd/branches/simple-conf/docs/conf/ 
 
 This is my long-threatened project to massively simplify the basic 
 httpd.conf by splitting a bunch of stuff out into smaller files in the 
 extra/ directory that are not included by default.

As long as the default is a single file, then I'm cool with this. The key
here is that the gazillion little .conf files are *not* included in the
default .conf file. That would be a pain because changes could involve one
or more of N separate files.

So: given that... I'm very supportive of a smaller default file.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

So what is the real status of 2.1.x...

[Brad Nicholes]

The STATUS file says:

2.1.4   : in development
2.1.3   : Released on  2/22/2005 as alpha.

The ap_release.h header file says:

   2.1.5-dev

The distribution page /dist/httpd says:

   httpd-2.1.3-beta.tar.gz


Are we BETA yet or not?  I am assuming that the true status is:

- httpd-2.1.3-beta.tar.gz - should really be ALPHA
- STATUS file needs to be updated to 
2.1.5   : in development
2.1.4   : pending BETA released
2.1.3   : Released on  2/22/2005 as alpha.
- ap_release.h - no change.

Am I missing something?

Brad

Re: Enhancement of mod_charset_lite

[Brad Nicholes]

   Open an enhancement request in Bugzilla 
http://httpd.apache.org/bug_report.html  an include the patch file there.

Brad

 [EMAIL PROTECTED] Thursday, March 24, 2005 4:47:52 AM 
Hello,

for my personal needs i had to add some functionality to mod_charset_lite.
Here is what i did:

1) Add an option AllowProxied that makes it work also on proxied requests
(usefull in a reverse proxy environment which uses mod_proxy_html to return
to the  original encoding).

2) Add an option AdjustHeader that adjusts the content-type header according
to the destination encoding.

If someone is interested in these changes, i am not sure where to post them.

Greetings,

Jens Stutte

Re: 2.1.4 available for testing

[Brad Nicholes]

+1 NetWare

Brad

 [EMAIL PROTECTED] Wednesday, March 16, 2005 2:00:47 PM 
Hi all,

There are some 2.1.4-alpha tarballs waiting to be tested at:

  http://httpd.apache.org/dev/dist/ 

Please report back with any problems.

Thanks for testing!


Sander

Re: [STATUS] (httpd-2.0) Wed Mar 9 23:45:36 2005

[Brad Nicholes]

   For 2.0 auth_ldap and mod_ldap it will probably forever remain
experimental.  There have been a lot of changes that have gone into the
2.1 version that IMO allowed it to graduate from experimental to a
standard module.  Most of these patches will never be backported to 2.0.
 In fact Josh's patch will probably not be backported (although it is
simple enough that it could be) simply because the two code bases have
become so different that it is difficult to backport anything.  In most
cases a backport is actually a rewrite.  
   For this reason, I am ++1 for any effort to get 2.1/2.2 to BETA and
released.  Even if the latest Multiple AAA provider discussion has to
wait for 2.4.  We need exposure for the new authnz_ldap and util_ldap
modules as well as the new auth module structure itself.

Brad

 [EMAIL PROTECTED] Thursday, March 10, 2005 7:24 AM 
Paul Querna wrote:

 Jess Holle wrote:

 Rodent of Unusual Size wrote:

 CURRENT VOTES:

* Promote mod_ldap and mod_auth_ldap from experimental to
  non experimental status.
  +1: bnicholes, wrowe
  +0: minfrin (wait till the last cache bugs are ironed out)
  

 I think we're pretty well there -- at least in 2.0.53 plus the
recent 
 patch from Josh Fenlason to cover the case when a shared cache file

 is not specified on a platform supporting shared memory.

 Thoughts?

 It was promoted in 2.1.  Why change the status for 2.0.x?

No big reason.  Though I believe a non-experimental status is accurate

now, I can understand if no one wants to rearrange any sources in
2.0.x.

I was just reviewing the 2.0 status and the quoted portion above made
it 
sound like this was still under consideration for 2.0.

--
Jess Holle

Auth_ldap experimental status (was:Re: [STATUS] (httpd-2.0) Wed Mar 9 23:45:36 2005)

[Brad Nicholes]

   I am of the same opinion as Justin in that I believe that multiple
auth providers can be put into 2.2 at anytime.  If it happens to make it
before initial release fine.  If it is after, it is just additional
functionality which won't break backward compatibility.  As far as
backporting other authnz_ldap patches, Josh's patch is minor and can be
easily done.  Other's may take a lot more work and the problem that we
have right now is that there are very few of us that are looking at
auth_ldap and even fewer that are reviewing backports and voting.  So
getting the required 3-votes doesn't happen very fast if at all.  Also,
if we can get 2.2 moving and out soon, backports won't matter anyway.

Brad

 Jess Holle [EMAIL PROTECTED] Thursday, March 10, 2005 9:06:21 AM 
Agreed on all points *except* that we *really* need multiple LDAP 
providers as soon as possible.  Thus if there is any way to get this 
into 2.2 that would be *very* helpful.

Well, I'd also like to see Josh's patch back in 2.0.x as we'll have to

continue patching it into each and every Apache 2.0.x build ourselves
if 
it is not merged into 2.0.x.  [I don't like leaving crashes around in

executables we ship when they are so easily amended.]

--
Jess Holle

Re: Proposed LDAP Fix

[Brad Nicholes]

The patch has been committed to httpd-trunk.

thanks,
Brad

 [EMAIL PROTECTED] Tuesday, March 08, 2005 7:26:02 AM 
I had problems with LDAP modules in 2.0.53 on Windows.  It
authenticates
fine, but when I shut down apache I get those Microsoft alerts saying
something went wrong.  It only happens when I have the ldap modules
enabled.  The problem is in modules/experimental/util_ldap_cache.c in
the util_ldap_cache_module_kill() method.  The cache_file is null.
Adding a null check prior to calling apr_file_remove() fixed the
issue.
Any thoughts?  Thanks.
,
Josh.
 
 
apr_status_t util_ldap_cache_module_kill(void *data)
{
util_ldap_state_t *st = (util_ldap_state_t *)data;
 
util_ald_destroy_cache(st-util_ldap_cache);
#if APR_HAS_SHARED_MEMORY
if (st-cache_rmm != NULL) {
apr_rmm_destroy (st-cache_rmm);
st-cache_rmm = NULL;
}
if (st-cache_shm != NULL) {
apr_status_t result = apr_shm_destroy(st-cache_shm);
st-cache_shm = NULL;
  if ( st-cache_file != NULL ) // ADDED THIS LINE
   apr_file_remove(st-cache_file, st-pool);
return result;
}
#endif
return APR_SUCCESS;
}

Re: Multiple AAA providers

[Brad Nicholes]

I believe that we are talking about coding at the provider layer (ldap,
file, etc.).  The problem here is that I am not sure what the following
means:

 [ ] Implement globally across schemes and providers
 Single AuthConfig xxx directive, but as it's not in the
scheme
 which iterates the providers, control isn't as fine-grained.

But I do know what this means:

  [ ] Implement across providers
  Single AuthProviderAlias real-provider-name alias directive.

If they are saying the same thing then we might all be on the same
page.  Now would be a great time to have one of those white board
discussions like we have at ApacheCon :).  I would like to see us
implement a syntax that can be reused as I suggested earlier.  An
AuthProviderAlias ... tag would allow for that.  I am -1 to Bill's
original proposal mainly because each use of an auth module requires
that it be reconfigured within it's Location even if the
configurations across Locations are identical.   If Bill's original
proposal was reworked to pull the AuthConfig out of the Location
scope and allow it to be reused as an alias, then I am +1.

Brad

 [EMAIL PROTECTED] Sunday, March 06, 2005 11:16 PM 
At 12:03 PM 3/6/2005, Justin Erenkrantz wrote:
On Sat, Mar 05, 2005 at 10:59:30PM -0600, William A. Rowe, Jr. wrote:
 Ok, as Justin and I are in significant disagreement ... to
summarize;
 
 we (collectively) would like to see some mechanism for multiple
 configurations of the same 'provider' (defined above).  There are
 logically three places this can happen, so as a straw poll, would
 those interested in *coding* auth schemas please vote (end users,
 our choice will be transparent enough to you that we prefer the
 developers to indicate their preferences.)
 
 [ ] Implement in each provider (e.g. mod_authnz_ldap,
mod_authn_file)
 Different AuthLdapConfig xxx AuthFileConfig zzz sections
 
 [ ] Implement in each scheme (e.g. basic, digest)
 Different AuthBasicConfig xxx AuthDigestConfig zzz sections
 
 [ ] Implement globally across schemes and providers
 Single AuthConfig xxx directive, but as it's not in the
scheme
 which iterates the providers, control isn't as fine-grained.

These choices overlook Brad's suggestion, which I still think is the
best:

  [ ] Implement across providers
  Single AuthProviderAlias real-provider-name alias directive.

I did not overlook it.

What layer do you propose to code it at?

Re: Multiple AAA providers

[Brad Nicholes]

I believe that we are talking about coding at the provider layer
(ldap,
file, etc.).

Absolutely not my intention.  Again, I do not want to have each
provider have to reimplement the same code and parsing.  I want
a single module to do so, and the providers to be oblivious
(but still work.)

Let me clarify, we are talking about coding at the provider framework,
not each provider itself.  In other words, the authconfig module would
do basically what you have proposed as far as merging config options
outside of the actual provider module.  The only difference would be
allowing the authconfig configuration to be aliased so that it can be
reused.  

   I think we are close to the same page but I will wait to review the
code that you come up with.  Also the reason for the syntax authconfig
ldap alt-ldap is so that the authconfig module knows what the base
provider is.  Otherwise how will it know which provider to call once the
configuration merge is done?  Then there would be no need for this
syntax:

VirtualHost xxx
Location /private
AuthConfig alt-ldap
AuthLdap additional or overridden directives
/AuthConfig

It could be replaced with:

VirtualHost xxx
Location /private
AuthProvider alt-ldap
AuthLdap additional or overridden directives...

Which more closely maps to the configuration syntax today.

Brad

 William A. Rowe, Jr. [EMAIL PROTECTED] Monday, March 07, 2005
4:47:15 PM 
At 10:11 AM 3/7/2005, Brad Nicholes wrote:
I believe that we are talking about coding at the provider layer
(ldap,
file, etc.).

Absolutely not my intention.  Again, I do not want to have each
provider have to reimplement the same code and parsing.  I want
a single module to do so, and the providers to be oblivious
(but still work.)

  [ ] Implement across providers
  Single AuthProviderAlias real-provider-name alias directive.

If they are saying the same thing then we might all be on the same
page.  Now would be a great time to have one of those white board
discussions like we have at ApacheCon :).  

Agreed :)

I would like to see us implement a syntax that can be reused as 
I suggested earlier.  An AuthProviderAlias ... tag would allow 
for that.  I am -1 to Bill's original proposal mainly because each 
use of an auth module requires that it be reconfigured within it's 
Location even if the configurations across Locations are
identical.

That's not accurate.  It's allowed, but remember inheritance applies,
In the module I already hacked, it's possible to

VirtualHost xxx
AuthConfig
AuthDirectives
/AuthConfig

and that will also be inherited.

But I didn't propose named aliases, which could be a very cool idea.

If Bill's original proposal was reworked to pull the AuthConfig 
out of the Location scope and allow it to be reused as an alias, 
then I am +1.

I'd be even more partial to allowing them in location scope, with
alias names, and merging up the aliases.  My concern is names
clashing, on servers with massive VHOST lists.  Allowing you to
'refine' a given alias... e.g.

AuthConfig alt-ldap
AuthLdapDirectives
/AuthConfig

VirtualHost xxx
Location /private
AuthConfig alt-ldap
AuthLdap additional or overridden directives
/AuthConfig
...

then I think your preference for named sections, and my 
preference for scoped sections could both be satisfied.

I'll give some thought to binding AuthConfig  to a specific
provider 'alias', v.s. allowing more complex control.

Re: Multiple AAA providers

[Brad Nicholes]

Actually I think the better syntax would be:

AuthProviderAlias ldap Myldap1
   ...config options for mod_authnz_ldap...
/AuthProviderAlias

AuthProviderAlias ldap Myldap2
   ...config options for mod_authnz_ldap...
/AuthProviderAlias

AuthProviderAlias file Myfile1
   ...config options for mod_auth...
/AuthProviderAlias

Location /foo1
   AuthProvider Myldap1 Myfile1
   ...Other config options...
/Location
Location /foo2
   AuthProvider Myldap2 Myfile1
   ...Other config options...
/Location
Location /foo3
   AuthProvider Myldap1 Myldap2
   ...Other config options...
/Location

This would allow you to mix-match-reuse-redefine auth configurations
anywhere you like.  I haven't thought this through completely from an
implementation standpoint, but by moving the provider definitions into
mod_auth_basic and then extending the framework for handling multiple
provider definitions into the providers themselves, I think we can come
out with something very useful and reuseable.

Brad

 [EMAIL PROTECTED] Friday, March 04, 2005 1:06:47 AM 
Justin Erenkrantz said:

 I still maintain the better way to do this is to handle it in the
provider
 modules themselves by leveraging the provider API instead.

 To reiterate, in my mind, the ideal syntax is:

 Location /foo
   LDAPProvider ldap1
   ...config options for mod_authnz_ldap...
   /LDAPProvider
   LDAPProvider ldap2
   ...config options for mod_authnz_ldap...
   /LDAPProvider
   DBDProvider my_db
   ...config options for hypothetical mod_authn_dbd...
   /DBDProvider

   ...config options for mod_authnz_ldap...

   AuthUserFile conf/foo

   AuthBasicProvider ldap1 ldap2 ldap file my_db
 /Location

 This isolates the config directly to the module, and if we so desire,
we
 could
 add helper functions which promote re-use of this strategy by other
 provider
 modules as needed.  -- justin

This means that:

- Every auth module has to be independantly updated to use this method
(which won't happen)
- Every module will have it's own method of configuring multiple
providers.

Putting my end user hat on, doing it the way you suggest would irritate
me
no end, as it would make no logical sense to me why one auth provider
allows multiple configurations and another doesn't, or why one auth
provider uses one config mechanism and another auth provider uses a
different one.

I definitely think that getting the auth framework to understand this
syntax is the right way to go, we just need to figure out that magic
syntax that will work elegantly.

Regards,
Graham
--

Re: Multiple AAA providers

[Brad Nicholes]

Although I agree that this would probably be the best way to go, I don't
think it will be that simple.  Authnz_ldap stores the LDAPurl and other
information (bind user id, bind password, certs, etc) in a per-Dir
structure.  At the very least, authnz_ldap would have to be taught how
to store multiple configurations per-dir.  Other auth modules may have
the same structure.

Brad

 [EMAIL PROTECTED] Wednesday, March 02, 2005 11:14:33 AM 
Bleh.  Wouldn't it be easier not to rearchitect the whole thing?

What about the core or mod_auth respecting something like;

Location /protected

  AuthConfig
  AuthFile users1
  /AuthConfig

  AuthConfig
  AuthFile users2
  /AuthConfig

Simply use the existing scope, inheritance, and so on.  Whenever
multiple AuthConfigs apply to a given scope, iterate them until
satisfied.

I think we can accomplish this with minimal or no changes to any
existing auth module.

I'm concerned that the more complex each auth provider needs to
be, the more probability that there will be logic errors in the
provider.

Bill

At 09:45 AM 3/2/2005, Justin Erenkrantz wrote:
On Wed, Mar 02, 2005 at 08:24:25AM -0500, Geoffrey Young wrote:
 while I don't claim to have more than a cursory understanding of
ldap, I
 would think these cases could be handled by extending the current
situation
 a bit.  for instance, for the file provider something like
 
 AuthBasicProvider file
 AuthFileName file1 file2
 
 if AuthFileName were ITERATE mod_authn_file would know that it
should not
 return AUTH_USER_NOT_FOUND until it has checked all the files
present.  or
 somesuch off the top of my head.

Correct.  That is the approach that makes the most sense to me.  The
provider
itself can loop as long as it wants to using its own config syntax.  

However, there is nothing that prohibits one authn module from
registering
multiple providers dynamically.  Remember that the providers are only
looked
up at request-time.  So, if mod_auth_ldap were to have a syntax like:

AuthLDAPProvider foo-1 ldap://ldap.example.com/cn=?
AuthLDAPProvider foo-2 ldap://ldap2.example.com/cn=?

AuthBasicProvider foo-1 foo-2

That would work, as long as mod_auth_ldap calls ap_register_provider x
number
of times.  -- justin

Re: [VOTE] 2.1.3 as beta

[Brad Nicholes]

+1 on NetWare.  

 [EMAIL PROTECTED] Thursday, February 24, 2005 12:52:23 AM 
--On Wednesday, February 23, 2005 10:37 PM -0600 William A. Rowe, Jr.

[EMAIL PROTECTED] wrote:

 Uhm, no.  By that definition, all the pollution spewed from typical
 Linux libraries would be considered 'public api.'  Other platforms
 are using the construct to extract public symbol lists now, IIUC.

 APR_DECLARE (DAV_DECLARE, etc)is our shorthand of what has been
 publicizied and what is internal.

No, we never declared them, hence they weren't officially part of the
API. 
The fact that Unix-based OSes technically throw everything into the API
isn't 
part of our API contract.

Note that I'm not saying that making the mod_dav API change isn't good,
but 
I'm miffed at the claim that this is justification to -1 a release.

 Actually, it should (if it can be fixed in these few days) be
 part of the 2.1.4.

Good, then I hope that statement is backed with a willingness to be the
RM for 
2.1.4.  (As you may or may not know, I'm traveling in the next few days
and 
will have sporadic 'net/email access.)

 I'm a little curious - I understood we would tag an ALPHA, decide
 if it was 'good enough', then call it BETA.  I certainly don't think
 that the last tarballs were good enough for that.

My estimation of a beta is that it works for some folks but not
necessarily 
others.  Sure, it might have bugs.  In fact, from our release
guidelines:

Beta indicates that at least three committers have voted positively
for beta 
status and there were more positive than negative votes for beta
designation. 
This indicates that it is expected to compile and perform basic tasks.

However, there may be problems with this release that prohibit its
widespread 
adoption.

Perhaps we have a disagreement over what a beta release means?

My intention with 2.1.3 is to get us moving solidly in the direction of
a 
2.2.x release - not see more time lost because we can't agree on a
perfect 
'beta' release.  A beta release needs not to be perfect - that's what a

release stabilization branch is for - to fix up these issues in time
for a GA 
release.

We have yet to publicize outside of [EMAIL PROTECTED] *any* 2.1.x release and
that is 
really disturbing.  I want us to start making noise about the upcoming
2.2.x 
releases.  We ought to give our third-parties plenty of time to update
their 
modules - frankly, most won't need it, but we should give them time to
do that.

2.1.3 compiles and serves pages for me on Darwin.  So, my +1 for beta
still 
holds.  -- justin

Re: [PROPOSAL] How to treat release candidate branches

[Brad Nicholes]

+1

 [EMAIL PROTECTED] Wednesday, February 23, 2005 9:03:48 AM 
Assuming that we can get a beta approved to eventually become 2.2.x,
I'd like 
to propose the following policy that tries to balance the need for
review with 
the need for stability:

Any code changes can be backported to a release candidate branch from
trunk 
via lazy consensus (CTR) if it does not change binary compatibility. 
However, 
if a change impacts binary compatibility or the external API in anyway
(i.e. 
adds a new function or whatnot), it must receive 3 +1s before it can be

committed to the release candidate branch (RTC).

This way, we can add new features or binary-incompatible changes to a
beta if 
three committers are in agreement that it should be present before the
stable 
release.  And, bug fixes ported back from trunk can be brought back
with 
minimal hassle.

At the point that we issue the first GA release, everything in that
release 
candidate branch switches over to RTC (as we do right now for 2.0.x). 
Of 
course, this would not apply to trunk - which remains under CTR for all

changes.

For those who like concrete examples: If 2.1.3 is approved, we copy the

tags/2.1.3 to branches/2.2.x.  Trunk becomes 2.3.0.  branches/2.2.x is

immediately bumped to 2.1.4 (or perhaps 2.1.5 to identify those
snapshots that 
came from the trunk before we branched).  All changes must still hit
the trunk 
(2.3.0) first.  If you have a bug fix or a change that doesn't impact
the API, 
it can be immediately backported to branches/2.2.x under CTR.  If it
changes 
the API in any way, it must enter branches/2.2.x/STATUS to receive
votes for 
backport.

What do ya'll think?  -- justin

LDAP socket timeout patch (was:Re: [VOTE] Release httpd-2.0.53)

[Brad Nicholes]

   I have a 2.0 compatible patch just about ready to go.  Once I get it
cleaned up, I will post it as a 2.0.53 patch in the patches directory
off of the download page.

Brad

 [EMAIL PROTECTED] Monday, February 07, 2005 10:08:29 AM 
It appears that 2.0.53 does not include the LDAP socket timeout 
configuration patch.

Is this true?

If so, is there a 2.0.x-ready patch for this?

We'll be building 2.0.53 binaries shortly and I'm interested in this 
patch whether it made it into 2.0.53 or not.

--
Jess Holle

Re: LDAPTrustedMode has the wrong scope...

[Brad Nicholes]

+1, allowing mod_authnz_ldap to override the default makes a lot more
sense.  Unless you are already working on a patch, I will try to put
something together today.  But after today I will be offline for the
next two days.

Brad

 [EMAIL PROTECTED] Wednesday, February 02, 2005 1:23:51 AM 
Brad Nicholes said:

 The attached patches convert LDAPTrustedMode into a per-directory
 directive rather than a per-server.  This allows the configuration
to
 specify which mode should be applied for the associated AuthLDAPURL.

 Thoughts on whether this should be the way to go or if
LDAPTrustedMode
 should be moved up into mod_authnz_ldap as AuthLDAPTrustedMode?

Thinking about this some more - I'm not keen on the idea of adding
another
directive to mod_authnz_ldap, because when the configuration-via-LDAP
happens, and other potential LDAP modules happen, then we end up with
directive soup as each module has it's own variation of
AuthLDAPTrustedMode.

The idea that it be possible to set the SSL mode inside mod_authnz_ldap
is
still really useful - what we could do is this:

AuthLDAPURL ldap://etc
AuthLDAPURL ldaps://etc
AuthLDAPURL SSL ldap://etc
AuthLDAPURL STARTTLS ldap://etc

In other words, combine the SSL mode in a TAKE12 option, with an
optional
SSL mode prefix.

The LDAPTrustedMode directive could stay so as to define the default
(and
overriding the default if the user wanted).

Thoughts?

Regards,
Graham
--

Re: LDAPTrustedMode has the wrong scope...

[Brad Nicholes]

   I have got something that almost works now.  The problem that I am
running into is that util_ldap_connection_find() doesn't know the
difference between APR_LDAP_NONE(the secure mode was never set so use
the default) vs. APR_LDAP_NONE (NONE is what I really want).  Seems like
we need another flag meaning UNSET.

Brad

 [EMAIL PROTECTED] Wednesday, February 02, 2005 9:38:59 AM 
Brad Nicholes wrote:

 +1, allowing mod_authnz_ldap to override the default makes a lot
more
 sense.  Unless you are already working on a patch, I will try to put
 something together today.  But after today I will be offline for the
 next two days.

I will only have a chance to work on this tomorrow :(

Regards,
Graham
--

Re: LDAPTrustedMode has the wrong scope...

[Brad Nicholes]

You read my mind.  I'm all over it.  :)

Brad

 Graham Leggett [EMAIL PROTECTED] Wednesday, February 02, 2005
12:13:56 PM 
Brad Nicholes wrote:

I have got something that almost works now.  The problem that I
am
 running into is that util_ldap_connection_find() doesn't know the
 difference between APR_LDAP_NONE(the secure mode was never set so
use
 the default) vs. APR_LDAP_NONE (NONE is what I really want).  Seems
like
 we need another flag meaning UNSET.

Hmmm... maybe if we teach util_ldap_connection_find() to accept -1, 
which means none of NONE|SSL|TLS...?

The -1 can be passed if AuthLDAPURL had one parameter, and NONE|SSL|TLS

can be passed if AuthLDAPURL has two parameters?

Regards,
Graham
--

Re: Time for 2.0.53?

[Brad Nicholes]

   I have already added a new directive to util_ldap called
LDAPConnectionTimeout (
http://httpd.apache.org/docs-2.1/mod/mod_ldap.html#ldapconnectiontimeout
) which allows util_ldap to set the network timeout through

rc = apr_ldap_set_option(p, NULL, LDAP_OPT_NETWORK_TIMEOUT,
 (void *)timeOut, (result_err));

The default is 10 seconds, but this directive will allow the
administrator to set it to whatever they want.  See the STATUS file
backport entry (svn rev 126565).  This should be a much cleaner way to
handle connection timeouts although I think that the whole connection
pool itself should be converted to using apr_reslist_*.   

I have also considered adding a similar directive to set the search
timelimit (LDAP_OPT_TIMELIMIT), but I haven't decided if just setting a
global time limit is a good thing or not.  It seems like this should be
more of a per-request type of setting and also really depends on the
size of the LDAP context that is being searched.

thoughts?

Brad



 [EMAIL PROTECTED] Tuesday, February 01, 2005 8:55:24 AM 
Jess Holle said:

 I don't have a vote, but I believe the socket timeout configuration
is
 necessary to address issues seen with firewall timeouts and the LDAP
 connections held open by Apache.

Is there an outstanding patch for this yet?

The right way to solve this problem is to allocate the LDAP connection
pool using apr_reslist_*, which handles things like connection
timeouts
for us.

If this code exists already, then I'm keen to get it in ASAP, and if
the
code doesn't exist I should have time to fix it after tomorrow.

Regards,
Graham
--

Re: Time for 2.0.53?

[Brad Nicholes]

  I was hoping that this wouldn't be the case.  But since it is, take a
look at SVN r149419

Brad

 [EMAIL PROTECTED] Tuesday, February 01, 2005 9:39:20 AM 
Brad Nicholes wrote:
I have already added a new directive to util_ldap called
 LDAPConnectionTimeout (

http://httpd.apache.org/docs-2.1/mod/mod_ldap.html#ldapconnectiontimeout

 ) which allows util_ldap to set the network timeout through
 
 rc = apr_ldap_set_option(p, NULL, LDAP_OPT_NETWORK_TIMEOUT,
  (void *)timeOut, (result_err));
 

IMO this does not exists on WIN32 (at least PSDK does not
declare that), thus mod_ldap breaks on build.

The code should be enclosed inside:
#if defined(LDAP_OPT_NETWORK_TIMEOUT)

#endif

Regards,
Mladen

Re: Time for 2.0.53?

[Brad Nicholes]

I hate it when I get bit by copy and paste.  Try r149421.

Brad

 [EMAIL PROTECTED] Tuesday, February 01, 2005 10:23:01 AM 
Brad Nicholes wrote:
   I was hoping that this wouldn't be the case.  But since it is, take
a
 look at SVN r149419
 

util_ldap.c
util_ldap.c(1615) : error C2065: 's' : undeclared identifier
util_ldap.c(1615) : warning C4047: 'function' : 'const server_rec *' 
differs in levels of indirection from 'int'

Seems you have typo using wrong server_rec for logging.
It helps if you change line 1615 to use cmd-server instead s ;).

Regards,
Mladen.

LDAP connection timeout option (was:Re: Time for 2.0.53?)

[Brad Nicholes]

   The LDAP_OPT_SEND_TIMEOUT option appears to be a Microsoft LDAP SDK
only option.  As I see it we can go in a couple of different ways here.

1) Implement the connection pool as an apr_reslist and let it handle
the connection timeouts as Graham suggested.
2) Add another #ifdef to the existing code to use LDAP_OPT_SEND_TIMEOUT
if supported.

Maybe for the short term we just add the #ifdef and then see what
Graham comes up with for the apr_reslist implementation.

Brad

 [EMAIL PROTECTED] Tuesday, February 01, 2005 10:14:10 AM 
Jess Holle wrote:
 Ouch!
 
 Does the MS LDAP SDK define anything equivalent?


Perhaps LDAP_OPT_SEND_TIMEOUT:
The limit on the number of seconds that the local LDAP client will wait

while attempting to send data to a remote computer. If the send 
operation is not completed before the timeout period expires, the LDAP

call will fail with an LDAP_TIMEOUT error code.


 Fixing this on some platforms is better than on none, though.


Regards,
Mladen.

Re: LDAP connection timeout option (was:Re: Time for 2.0.53?)

[Brad Nicholes]

  The Novell SDK has the same options but they all perform different
functions

LDAP_OPT_TIMELIMIT - Searching timeout
LDAP_OPT_TIMEOUT - default timeout value
LDAP_OPT_NETWORK_TIMEOUT - Socket level timeout

Brad

 [EMAIL PROTECTED] Tuesday, February 01, 2005 10:41:04 AM 
--On Tuesday, February 1, 2005 10:33 AM -0700 Brad Nicholes 
[EMAIL PROTECTED] wrote:

The LDAP_OPT_SEND_TIMEOUT option appears to be a Microsoft LDAP
SDK
 only option.  As I see it we can go in a couple of different ways
here.

OpenLDAP has LDAP_OPT_TIMELIMIT, LDAP_OPT_TIMEOUT, and 
LDAP_OPT_NETWORK_TIMEOUT.  -- justin

LDAPTrustedMode has the wrong scope...

[Brad Nicholes]

After testing mod_authnz_ldap and util_ldap some more, it appears
that the directive LDAPTrustedMode should be pushed up into
mod_authnz_ldap rather than util_ldap and become AuthLDAPTrustedMode. 
The reason why is because the connection type (ie. NONE, SSL, STARTTLS)
is tied to the AuthLDAPUrl rather than the global connection or
certificate directives that are set in util_ldap.  As it stands today,
the following configuration will fail: 

Alias /secure /webpages/secure
Directory /webpages/secure
Order deny,allow
Allow from all
AuthType Basic
AuthName LDAP_Protected_Place
AuthBasicProvider ldap
AuthLDAPURL ldap://foo.ldapserver.com/o=ctx;
AuthzLDAPAuthoritative off
require valid-user
/Directory

Alias /othersecuredir /webpages/othersecuredir
Directory /webpages/othersecuredir
Order deny,allow
Allow from all
AuthType Basic
AuthName LDAP_Secure_Test
AuthBasicProvider ldap
AuthzLDAPAuthoritative off

LDAPTrustedMode STARTTLS
AuthLDAPURL ldap://other.ldapserver.com/o=ctx;
require valid-user
/Directory


The above configuration assumes that all connections to
foo.ldapserver.com will be non-secure on port 389 and that all
connections to other.ldapserver.com will be TLS connections on port
389.  The problem is that the directive LDAPTrustedMode is global not
per-directory.  Therefore even though the configuration intended to
connect to foo.ldapserver.com non-secure, since the global trusted
mode has been set to STARTTLS, util_ldap will attempt to start tls on
all connections.  

Since the type of connection is already determined partially by the
AuthLDAPURL (ie. ldaps:// vs ldap://), changing the type to STARTTLS
also needs to be in the same scope as AuthLDAPURL.  There are two
options, change LDAPTrustedMode to a per-directory directive within
util_ldap or move LDAPTrustedMode up into mod_authnz_ldap as
AuthLDAPTrustedMode.

Brad

Re: LDAPTrustedMode has the wrong scope...

[Brad Nicholes]

The attached patches convert LDAPTrustedMode into a per-directory
directive rather than a per-server.  This allows the configuration to
specify which mode should be applied for the associated AuthLDAPURL.  

Thoughts on whether this should be the way to go or if LDAPTrustedMode
should be moved up into mod_authnz_ldap as AuthLDAPTrustedMode?

Brad

 [EMAIL PROTECTED] Tuesday, February 01, 2005 3:33:19 PM 
After testing mod_authnz_ldap and util_ldap some more, it appears
that the directive LDAPTrustedMode should be pushed up into
mod_authnz_ldap rather than util_ldap and become AuthLDAPTrustedMode. 
The reason why is because the connection type (ie. NONE, SSL,
STARTTLS)
is tied to the AuthLDAPUrl rather than the global connection or
certificate directives that are set in util_ldap.  As it stands today,
the following configuration will fail: 

Alias /secure /webpages/secure
Directory /webpages/secure
Order deny,allow
Allow from all
AuthType Basic
AuthName LDAP_Protected_Place
AuthBasicProvider ldap
AuthLDAPURL ldap://foo.ldapserver.com/o=ctx;
AuthzLDAPAuthoritative off
require valid-user
/Directory

Alias /othersecuredir /webpages/othersecuredir
Directory /webpages/othersecuredir
Order deny,allow
Allow from all
AuthType Basic
AuthName LDAP_Secure_Test
AuthBasicProvider ldap
AuthzLDAPAuthoritative off

LDAPTrustedMode STARTTLS
AuthLDAPURL ldap://other.ldapserver.com/o=ctx;
require valid-user
/Directory


The above configuration assumes that all connections to
foo.ldapserver.com will be non-secure on port 389 and that all
connections to other.ldapserver.com will be TLS connections on port
389.  The problem is that the directive LDAPTrustedMode is global not
per-directory.  Therefore even though the configuration intended to
connect to foo.ldapserver.com non-secure, since the global trusted
mode has been set to STARTTLS, util_ldap will attempt to start tls on
all connections.  

Since the type of connection is already determined partially by the
AuthLDAPURL (ie. ldaps:// vs ldap://), changing the type to STARTTLS
also needs to be in the same scope as AuthLDAPURL.  There are two
options, change LDAPTrustedMode to a per-directory directive within
util_ldap or move LDAPTrustedMode up into mod_authnz_ldap as
AuthLDAPTrustedMode.

Brad

Index: util_ldap.h
===
--- util_ldap.h (revision 126565)
+++ util_ldap.h (working copy)
@@ -117,8 +117,6 @@
 int   ssl_supported;
 apr_array_header_t *global_certs;  /* Global CA certificates */
 apr_array_header_t *client_certs;  /* Client certificates */
-int   secure;
-int   secure_set;
 
 #if APR_HAS_SHARED_MEMORY
 apr_shm_t *cache_shm;
Index: util_ldap.c
===
--- util_ldap.c (revision 149421)
+++ util_ldap.c (working copy)
@@ -57,7 +57,14 @@
 int util_ldap_handler(request_rec *r);
 void *util_ldap_create_config(apr_pool_t *p, server_rec *s);
 
+typedef struct {
+apr_pool_t *pool;   /* Pool */
+int secure; /* APR_LDAP_NONE, APR_LDAP_SSL, APR_LDAP_STARTTLS 
*/
+int secure_set;
+} util_ldap_dir_config_t;
 
+
+
 /*
  * Some definitions to help between various versions of apache.
  */
@@ -416,6 +423,8 @@
 util_ldap_state_t *st = 
 (util_ldap_state_t *)ap_get_module_config(r-server-module_config,
 ldap_module);
+util_ldap_dir_config_t *dc =
+(util_ldap_dir_config_t *)ap_get_module_config(r-per_dir_config, 
ldap_module);
 
 
 #if APR_HAS_THREADS
@@ -514,7 +523,7 @@
  * setting optionally supplied by the admin using LDAPTrustedMode
  */
 l-secure = (APR_LDAP_NONE == secure) ?
- st-secure :
+ dc-secure :
  secure;
 
 /* save away a copy of the client cert list that is presently valid */
@@ -1566,31 +1575,29 @@
  * - SSL (SSL encryption)
  * - STARTTLS (TLS encryption)
  */ 
-static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy, 
const char *mode)
+static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *config, 
const char *mode)
 {
-util_ldap_state_t *st =
-(util_ldap_state_t *)ap_get_module_config(cmd-server-module_config,
-  ldap_module);
+util_ldap_dir_config_t *dc = config;
 
 ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd-server,
   LDAP: SSL trusted mode - %s,
mode);
 
 if (0 == strcasecmp(NONE, mode)) {
-st-secure = APR_LDAP_NONE;
+dc-secure = APR_LDAP_NONE;
 }
 else if (0 == strcasecmp(SSL, mode)) {
-st-secure = APR_LDAP_SSL;
+dc-secure = APR_LDAP_SSL;
 }
 else if (0 == strcasecmp(TLS, mode) || 0 == strcasecmp(STARTTLS, 
mode)) {
-st-secure = APR_LDAP_STARTTLS;
+dc-secure = APR_LDAP_STARTTLS;
 }

Re: Time for 2.0.53?

[Brad Nicholes]

 [EMAIL PROTECTED] Monday, January 31, 2005 2:26:09 PM 
I'd love to see the LDAP socket timeout configuration stuff make it in

for 2.0.53!

--
Jess Holle

Justin Erenkrantz wrote:

 Any opposition to doing a tag and roll of 2.0.53 soon?  (Yes, I 
 volunteer to be RM.)  How about targetting next Tuesday (2/8) for 
 2.0.53?  I can lay down the candidate tarball on Friday morning, so

 whatever backports are merged by then make it.  =)

 Do we want closure on Jeff's proxy chunking patch for 2.0.53?  --
justin


Me too ;)  Any voters out there?  I've already cast my vote
(Obviously)

From the looks of the STATUS file, there appears to be a number of
backports with 3 +1's that just need to be backported.

Brad

Re: Auth LDAP ssl/tls differences

[Brad Nicholes]

   I guess I am still a little unclear on what the advantage is to using
ldap:// + start_tls  vs.  ldaps://.  The end result is the same except
that you have a secure connection to the LDAP server on 389 rather than
636.  Is that the only reason?  Administrators don't want to open a
dedicated SSL port to their LDAP server?  I thought that the advantage
of start_tls was to be able to initiate an unsecure long-lived
connection and then when required, converting it to a secure connection
for a period time and then possible back to unsecure again.  In other
words, the ability to bounce back and forward from an unsecure
connection to a secure connection.  

Since the ldap communication between the httpd server and the ldap
server is basically a single authorization request and response, there
is no point in which an initial unsecure connection can be converted to
a secure connection except when the connection is established initially.
 The connection is either entirely secure or not.  As far as util_ldap
is concerned, it seems like just another way of doing the same thing. 
If you want a secure connection to the LDAP server, just use ldaps://. 
Unless I am missing something, ldap:// + start_tls isn't really buying
you anything.

Something to think about - what about ldap connection caching?  Are the
ldap://+start_tls connections cached separately from ldap://  and
ldaps:// connections?   Or do they keep flip-flopping back and forth as
required by the http request?  If they keep flip-flopping, it seems like
a lot of overhead just to get a secure connection.  If they are cached
separately then we are just implementing another secure connection cache
when we already have one.

If I am completely missing the point, then please correct me.

Brad

 [EMAIL PROTECTED] Tuesday, January 04, 2005 12:40 PM 
It seems that our support for ssl/tls with mod_ldap is considerably
confusing and frustrating for users.  The recent interest in fixing
support for the Solaris/Netscape/Mozilla library reminded me of the
fact that we need to finish thinking this through.

Fast summary for those less familiar; there are two SSL schemas
for LDAP communications.

 . Solaris/Netscape/Mozilla support is based on explicit SSLv3
   connection to the ldaps:// port, 636.

 . OpenLDAP supports ldaps://, it also supports STARTTLS
   protocol over port 389.  STARTTLS should not be invoked by
   the scheme ldaps:// (it's a semantic error - ldaps:// should
   not refer to an upgraded SSL connection, and would imply
   port 636 which is not correct for this protocol.)

The correct scheme/port for STARTTLS LDAP connections is
ldap:// with port 389 implicit.  We need a mechanism to clarify
to mod_ldap that TLS security is desired.

Incident http://issues.apache.org/bugzilla/show_bug.cgi?id=31443 
offers a solution which we should consider adopting.  As I was
asking for some offline feedback - Graham mentioned that some
implementations use the URL to specify that STARTTLS is desired.
But without some references the proposal seems to be a better
option - we shouldn't be redefining the ldap:// URI space.

Does anyone have any references to specifying STARTTLS as part
of the URI to the ldap server?  Any other comments on this patch
before I integrate into httpd-2.1?

Bill

Re: Auth LDAP ssl/tls differences

[Brad Nicholes]

I personally feel more comfortable having LDAP on an SSL port only,
then 
I know there is no way my server can be accessed accidently without 
encryption in place. 

Call me paranoid, but I completely agree.  Especially since the primary
purpose of auth_ldap is authentication, ie. userid's and passwords and
constantly being passed on the wire.

This doesn't mean that APR-util doesn't support the concept of
starting 
and stopping tls, it only means that util_ldap doesn't choose to use 
this option.

So we should probably split start_tls out from apr_ldap_ssl_init() into
it's own API.  This way some other module or application built on top of
apr-util will have the ability to start and stop TLS at will.

Brad

 [EMAIL PROTECTED] Thursday, January 06, 2005 2:18 PM 
Brad Nicholes wrote:

I guess I am still a little unclear on what the advantage is to
using
 ldap:// + start_tls  vs.  ldaps://.  The end result is the same
except
 that you have a secure connection to the LDAP server on 389 rather
than
 636.  Is that the only reason?

Apparently ldap:// + STARTTLS is a standard, and ldaps:// is not a 
standard (although it's universally supported). The end result of both

methods is the same - a secure connection.

I personally feel more comfortable having LDAP on an SSL port only,
then 
I know there is no way my server can be accessed accidently without 
encryption in place. But others want to use STARTTLS, and if it's 
technically possible, I see no reason to stop them.

 Something to think about - what about ldap connection caching?  Are
the
 ldap://+start_tls connections cached separately from ldap://  and
 ldaps:// connections?

No - there is just one cache of connections. SSL/TLS is negotiated when

the connection is first established, and remains that way until the 
connection is closed. Whether the initial negotiation was SSL or 
STARTTLS makes no difference, once util_ldap has said STARTTLS it 
doesn't stop TLS again until the connection is disposed of.

This doesn't mean that APR-util doesn't support the concept of starting

and stopping tls, it only means that util_ldap doesn't choose to use 
this option.

Regards,
Graham
--

Re: Auth LDAP ssl/tls differences

[Brad Nicholes]

  Off the top of my head, performance.  Maybe you really only need a
secure connection during the bind but after that switching back to an
unsecure connection would perform better.  Maybe you want to hold a
connection pool of LDAP connections that can be used to transfer
sensitive information or clear information that is only determined at
the time of the request.  Maybe you want to allow for connections that
start out as anonymous binds to access public information and then can
be rebound using the user credentials over a secure connection.  Who
knows, but it seems like it would have the same type of application that
TLS upgrade would have in mod_ssl.

Brad 

 [EMAIL PROTECTED] Thursday, January 06, 2005 4:44 PM 
At 05:19 PM 1/6/2005, Brad Nicholes wrote:

This doesn't mean that APR-util doesn't support the concept of
starting 
and stopping tls, it only means that util_ldap doesn't choose to use

this option.

So we should probably split start_tls out from apr_ldap_ssl_init()
into
it's own API.  This way some other module or application built on top
of
apr-util will have the ability to start and stop TLS at will.

Can anyone provide an example of why this would be useful?  Otherwise
it makes sense just to have one API, and let the user choose the
flavor based on their server config (https://, or AuthLDAPClientTLS
on).

Our job in apr-util is to make developers lives easier, not more
complicated, for the typical situations.

Bill

Re: RELEASE directory change

[Brad Nicholes]

  Yes, a new module directory called debug  was added as a
subdirectory of modules.  This conflicted with the debug output
directory that was being created during the build process.  The result
was that everytime you did a gmake -f NWGNUMakefile clean it wiped out
the source code found in the new modules/debug directory.  So both the
build debug and release directories were renamed to debug.o and
release.o.

Brad

 [EMAIL PROTECTED] Friday, December 17, 2004 2:58 PM 
Greetings All,
Doing a build of httpd-2.1-dev for NetWare on Win and find the Release

directories are now /release.o ... is this intended behaviour?

Norm

Re: Apache HTTP Server 2.1.2 tagged...

[Brad Nicholes]

+1, lets get something out there for the community to test.  If we have
to go through a bunch of 2.1.x-betas before we feel comfortable with
branching, so be it.

Brad

 [EMAIL PROTECTED] Monday, December 13, 2004 4:30:29 PM 
--On Monday, December 13, 2004 2:40 PM -0700 Paul Querna 
[EMAIL PROTECTED] wrote:

 This would be 2.1.2-beta right? Not 2.2.0-beta1?

Correct.

Our first 'beta' release doesn't necessarily mean that it'd be
2.2.0-beta1. 
We can have as many 2.1.x betas as we want.  However, I think it was
said 
that the 2.2.0 branch will start with some 2.1.x beta - I just don't
think 
we're quite at the branch point yet, but, IMHO, we should try to get
some 
folks pounding on 2.1.x...  -- justin

Re: Apache HTTP Server 2.1.2 tagged...

[Brad Nicholes]

httpd builds on NetWare but we are having problems with the version of
APR that was included in the tarball.  APR 1.0.1 is failing to build on
the latest LibC SDK on NetWare due to a couple of minor type mismatches.
 It requires the following patch from the APR 1.0.x branch:

threadproc\netware\proc.c locks\netware\thread_mutex.c -r106967

Is a new revision of APR 1.0.x going to be released anytime soon?

Brad

 [EMAIL PROTECTED] Thursday, December 09, 2004 1:29:37 AM 
In the continuing string of 2.1.x releases, Apache HTTP Server 2.1.2 is
now 
available at:

http://httpd.apache.org/dev/dist/

Currently, this is only an alpha-quality release and is only meant for

developers to provide feedback for the upcoming 2.2 series.

New features with the 2.1/2.2 series are listed here:

http://httpd.apache.org/docs-2.1/new_features_2_2.html

Changes are here:

http://httpd.apache.org/dev/dist/CHANGES_2.1

Please provide feedback, votes, etc.  If you have any problems, as
always, 
please bring them up on [EMAIL PROTECTED]

Thanks!  -- justin

Re: Patch for bug 18757 breaks TLS upgrade - [Content-Length is removed from HEAD requests]

[Brad Nicholes]

  It may be a bit of a hack, but it seems reasonable to me.  The best
part is that it works.

+1

Brad

 [EMAIL PROTECTED] Wednesday, December 08, 2004 2:33:48 AM 
On Tue, Dec 07, 2004 at 05:14:40PM -0700, Brad Nicholes wrote:
OK, now that you have enabled upgrades for anything other than
 OPTIONS, I see the problem.  Even though there is a content-length
 included in the header, you are saying that the header is being sent
 encrypted but the content is not, correct?  And the reason for this
is
 because there is more than one filter stack that needs to be
modified?

Yes.  I think this fixes it, it's a bit of a hack though:

Index: modules/ssl/ssl_engine_io.c
===
--- modules/ssl/ssl_engine_io.c (revision 59)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -1184,22 +1184,26 @@
 apr_bucket *b;
 SSL *ssl;
 
-/* Just remove the filter, if it doesn't work the first time, it
won't
- * work at all for this request.
- */
-ap_remove_output_filter(f);
+/* f-ctx is non-NULL after the first call to this filter: it's
+ * necessary to pass through directly to the connection
output_filters
+ * for the remainder of this request, since the SSL output filter
has
+ * not been added to r-output_filters for this request. */
+if (f-ctx) {
+return ap_pass_brigade(f-c-output_filters, bb);
+}
 
-/* No need to ensure that this is a server with optional SSL, the
filter
- * is only inserted if that is true.
- */
-
+/* No need to ensure that this is a server with optional SSL, the
+ * filter is only inserted if that is true. */
 upgrade = apr_table_get(r-headers_in, Upgrade);
 if (upgrade == NULL
 || strcmp(ap_getword(r-pool, upgrade, ','), TLS/1.0)) {
 /* Upgrade: TLS/1.0, ... header not found, don't do Upgrade
*/
+ap_remove_output_filter(f);
 return ap_pass_brigade(f-next, bb);
 }
 
+f-ctx = f; /* flag as non-NULL for subsequent passes */
+
 apr_table_unset(r-headers_out, Upgrade);
 
 /* Send the interim 101 response. */
@@ -1245,7 +1249,6 @@
pass the brigade off to the connection based output filters so
that the 
request can complete encrypted */
 return ap_pass_brigade(f-c-output_filters, bb);
-
 }
 
 static apr_status_t ssl_io_filter_input(ap_filter_t *f,

Testing TLS Upgrade (was: Re: Patch for bug 18757 breaks TLS upgrade)

[Brad Nicholes]

  FYI, if anybody else is interesting is testing the TLS upgrade
functionality, there is a small test utility
(http://www.apache.org/~bnicholes/tlsupgrade.c) that can be used to send
an upgradeable GET or POST request.

Brad

 [EMAIL PROTECTED] Wednesday, December 08, 2004 9:01:22 AM 
  It may be a bit of a hack, but it seems reasonable to me.  The best
part is that it works.

+1

Brad

 [EMAIL PROTECTED] Wednesday, December 08, 2004 2:33:48 AM 
On Tue, Dec 07, 2004 at 05:14:40PM -0700, Brad Nicholes wrote:
OK, now that you have enabled upgrades for anything other than
 OPTIONS, I see the problem.  Even though there is a content-length
 included in the header, you are saying that the header is being sent
 encrypted but the content is not, correct?  And the reason for this
is
 because there is more than one filter stack that needs to be
modified?

Yes.  I think this fixes it, it's a bit of a hack though:

Index: modules/ssl/ssl_engine_io.c
===
--- modules/ssl/ssl_engine_io.c (revision 59)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -1184,22 +1184,26 @@
 apr_bucket *b;
 SSL *ssl;
 
-/* Just remove the filter, if it doesn't work the first time, it
won't
- * work at all for this request.
- */
-ap_remove_output_filter(f);
+/* f-ctx is non-NULL after the first call to this filter: it's
+ * necessary to pass through directly to the connection
output_filters
+ * for the remainder of this request, since the SSL output filter
has
+ * not been added to r-output_filters for this request. */
+if (f-ctx) {
+return ap_pass_brigade(f-c-output_filters, bb);
+}
 
-/* No need to ensure that this is a server with optional SSL, the
filter
- * is only inserted if that is true.
- */
-
+/* No need to ensure that this is a server with optional SSL, the
+ * filter is only inserted if that is true. */
 upgrade = apr_table_get(r-headers_in, Upgrade);
 if (upgrade == NULL
 || strcmp(ap_getword(r-pool, upgrade, ','), TLS/1.0)) {
 /* Upgrade: TLS/1.0, ... header not found, don't do Upgrade
*/
+ap_remove_output_filter(f);
 return ap_pass_brigade(f-next, bb);
 }
 
+f-ctx = f; /* flag as non-NULL for subsequent passes */
+
 apr_table_unset(r-headers_out, Upgrade);
 
 /* Send the interim 101 response. */
@@ -1245,7 +1249,6 @@
pass the brigade off to the connection based output filters so
that the 
request can complete encrypted */
 return ap_pass_brigade(f-c-output_filters, bb);
-
 }
 
 static apr_status_t ssl_io_filter_input(ap_filter_t *f,

Re: Testing TLS Upgrade (was: Re: Patch for bug 18757 breaks TLS upgrade)

[Brad Nicholes]

   Seems reasonable.  I would have to take a closer look at it though.

Brad

 [EMAIL PROTECTED] Wednesday, December 08, 2004 10:56:10 AM 
At 10:10 AM 12/8/2004, Brad Nicholes wrote:
  FYI, if anybody else is interesting is testing the TLS upgrade
functionality, there is a small test utility
(http://www.apache.org/~bnicholes/tlsupgrade.c) that can be used to
send
an upgradeable GET or POST request.

It seems to me we can make ab.c TLS upgrade-aware by;

  1. recognizing the -s flag in conjunction with http: - that
 would set the ssl preference client-side.  (This would not
 alter the behavior of https:, or of -s without a scheme.)

  2. recognize upgrade-required and promote an http: connection
 to SSL when the server-side demands it.

Sane?

Bill

Patch for bug 18757 breaks TLS upgrade - [Content-Length is removed from HEAD requests]

[Brad Nicholes]

  It appears that the patch for bug 18757 which disallows a
content-length header for all requests with a content-length of 0 is too
broad.  

Index: D:/Projects/2.x/httpd-trunk/server/protocol.c
===
--- D:/Projects/2.x/httpd-trunk/server/protocol.c   (revision
104639)
+++ D:/Projects/2.x/httpd-trunk/server/protocol.c   (revision
104923)
@@ -1244,8 +1244,11 @@
  *
  * We can only set a C-L in the response header if we haven't
already
  * sent any buckets on to the next output filter for this
request.
+ *
+ * Also check against cases of zero bytes sent, to avoid a bogus
+ * C-L on HEAD requests, or no-body GETs like 204s.
  */
-if (ctx-data_sent == 0  eos) {
+if (ctx-data_sent == 0  eos  r-bytes_sent  0 ) {
 ap_set_content_length(r, r-bytes_sent);
 }
 

Property changes on: D:/Projects/2.x/httpd-trunk/server/protocol.c
___
Name: cvs2svn:cvs-rev
   - 1.150
   + 1.151


The bug simply says that the content-length should be removed just for
HEAD requests.  By removing it for all requests including an OPTIONS
requests, causes the SSL handshake to fail after a TLS upgrade (somebody
with more knowledge of SSL would have to explain why).  According to the
bugzilla report, this patch didn't completely resolve the issue anyway. 
I will be reverting the patch shortly unless somebody has a better fix.

Brad

Re: Patch for bug 18757 breaks TLS upgrade - [Content-Length is removed from HEAD requests]

[Brad Nicholes]

   So what are you suggesting that the appropriate fix should be?  Even
though the protocol.c patch was bogus, it sounds like might have exposed
something else.  In fact I am still not seeing where the problem is. 
The protocol.c patch was just allowing a bad response to happen that
should never have happened in the first place.  It seems like the
appropriate OPTIONS response should include C-L:0.  Anything else that
actually has content would also contain the appropriate C-L: header.

Brad

 [EMAIL PROTECTED] Tuesday, December 07, 2004 12:51:15 PM 
On Tue, Dec 07, 2004 at 11:01:13AM -0700, Brad Nicholes wrote:
 I tested the TLS upgrade stuff last week and it failed because the
 zero-length chunk to terminate the OPTIONS response was not sent
 through
 the mod_ssl output filter; is that the same problem you see?
 
 I don't think so.  I can make everything work again by simply
allowing
 the Content-Length: 0 header to be sent through.  I'm not sure
what
 impact that header has on the rest of mod_ssl.  Obviously by
removing
 it, it causes mod_ssl to *not* do something it was suppose to.  My
guess
 is that if the zero-length chunk that terminates the OPTIONS response
is
 not being sent, it is probably a result of mod_ssl not seeing a
 content-length header.

I think we are seeing the same problem.  Before, a zero-length OPTIONS
response would be sent with t-e: chunked and a single
zero-terminator-chunk. The 0\r\n\r\n packet was being sent
unencrypted
and breaking the SSL connection.  After you reverted the protocol.c
change, a zero-length OPTIONS response is sent with C-L: 0 and hence
terminates after the headers.  Subsequent requests on the connection
get
the right filter stack.

So you have successfully hidden the mod_ssl bug for upgrades with
zero-length responses.  The fact that mod_ssl (incorrectly) refuses to
upgrade anything other than an OPTIONS request makes the bug less
obvious since OPTIONS responses are rarely anything but zero-length,
but
I'll fix that.

For an upgrade on GET the strace now looks like:

send(3, GET / HTTP/1.1\r\nHost..., 173, 0) = 173
recv(3, HTTP/1.1 101 Switchi..., 4096, 0) = 85
read(4, *J\204\17\342g l\327U\323/\271..., 32) = 32
write(3, \200|\1\3\1\0c\0\0\0\20\0\0009..., 126) = 126
SSL negotiation and response headers
read(3, \26\3\1\, 5)  = 5
read(3, a\20\363\37{\372\347\205\350\36..., 48) = 48
read(3, html, 5) = 5

 ^ uh-oh!

 BTW, what are you using to test TLS Upgrade with?

A hacked up version of neon.

Re: Patch for bug 18757 breaks TLS upgrade - [Content-Length is removed from HEAD requests]

[Brad Nicholes]

   OK, now that you have enabled upgrades for anything other than
OPTIONS, I see the problem.  Even though there is a content-length
included in the header, you are saying that the header is being sent
encrypted but the content is not, correct?  And the reason for this is
because there is more than one filter stack that needs to be modified?

Brad


 [EMAIL PROTECTED] Tuesday, December 07, 2004 4:18:13 PM 
On Tue, Dec 07, 2004 at 03:00:52PM -0700, Brad Nicholes wrote:
So what are you suggesting that the appropriate fix should be? 
Even
 though the protocol.c patch was bogus, it sounds like might have
exposed
 something else.  In fact I am still not seeing where the problem is.


Try doing an upgrade on any request where the response includes an
entity.

I originally tried modifying ssl_io_filter_init and upwards to take an
optional request_rec * and pass that to ap_add_output_filter but this
broke everything horribly.  Possibly I just missed some subtlety but
if
that's fatally flawed I have no better ideas.

joe

Re: mod_auth_ldap and mod_auth interaction

[Brad Nicholes]

  The short answer is that it is already fixed in Apache 2.1/2.2. 
Unfortunately you have hit on one of the limitations of the Apache 2.0
authentication module structure.  The problem is that authorization
types are replicated through multiple authentication modules. 
Fortunately this has all been taken care of in Apache 2.1/2.2.  For
example, in the Apache 2.1/2.2 version of mod_authnz_ldap, the
authorization types are no longer user, group, etc., they are ldap-user,
ldap-group, etc.  You can also mix and match different types of
authorization with authentication.  The quick fix for Apache 2.0 is to
set AuthAuthoritative off so that if the mod_auth authorization fails,
it will defer to mod_auth_ldap which will work.

Brad

 [EMAIL PROTECTED] Tuesday, November 30, 2004 5:35:29 AM 

Sorry if this belongs in the users group, it's a query, but a query
about 
the working of the code.

I've filed a bug (32426) but am trying to fix it myself.

What I've found is that if user_is_dn is set (AuthLDAPRemoteUserIsDN in
an 
.htaccess file) then
mod_auth_ldap sets r-user to be the users dn, not the user uid 
authenticated as.

util_script.c uses this value to set REMOTE_USER (Good, all is well :)
but..

mod_auth.c users this value to check the require(d) user and of course

fails as the list of users
is a list of uid's

mod_auth_ldap has it's own require ( user | group | valid-user) 
checks.  These are used for require group
successfully but not require user.

Is there a way to get information such as req-user or user_is_dn back
into 
mod_auth?  I'm guessing not
easily  you don't really want to mess with mod_auth.  Or get mod_auth
to 
use mod_auth_ldaps'  auth_checker
for require user as is does for require group which I think is the
correct 
solution.


Hoping someone familiar with the code can save me some time.


Cheers,
Duncan

Re: A zLib Update....?

[Brad Nicholes]

   NetWare builds against either 1.1.x or 1.2.x.  It just depends on
where you point the ZLIBSDK environment variable at compile time.

Brad

 [EMAIL PROTECTED] Tuesday, November 30, 2004 6:52:58 AM 
At 01:57 AM 11/30/2004, Justin Erenkrantz wrote:
--On Tuesday, November 30, 2004 6:53 PM +1100 NormW
[EMAIL PROTECTED] wrote:

With the recent upgrade of PCRE for Apache 2.1.x, I was curious if
zLib
(required for mod_deflate) is mandated at 1.1.4 or could it also be
'updated' to the 1.2.1 release (available since Nov'03). A 2.1 build
on
Windows for NetWare shows it glues together without issue; are there
any
test scripts that one might use to see if it works as expected?

We don't bundle zlib.  So, there's nothing for us to do.  Or, do the
Win32 folks perhaps bundle it?  But, Unix only works off an external
zlib.  -- 

And win32 httpd-2.0 builds only with 1.1.x sources.  httpd-2.1
builds against the zdll1.lib (and requires zlib1.dll), e.g. 1.2.2.

Since zlib1.dll is an 'official format' now - when httpd 2.2 is
released and a hole is found, the user can obtain zlib1.dll right
from their web site rather than waiting for the 'next' httpd rel.

Bill

Re: PCRE in 2.1/2.2

[Brad Nicholes]

   While trying to get NetWare to build with the new PCRE update, I
noticed that there is a duplicate of pcreposix.h in both include/ and
srclib/pcre/ directories.  Currently they don't match which is causing
the NetWare build to break.  I can sync them up, but the real question
is should this file be duplicated in include/ or moved from srclib/pcre/
to include/ ?

Brad

 [EMAIL PROTECTED] Saturday, November 27, 2004 12:24:06 PM 
Joe Orton wrote:

On Fri, Nov 26, 2004 at 11:55:35PM -0800, Brian Pane wrote:
  

Yep.  I just did that, and it worked as expected.  I ended up with a

clean merge: the only files that needed merge conflict resolution
were 
those that had been modified in the srclib/pcre copy:



Looks good, thanks Brian.  Do you think it's worth keeping all ~1Mb
of
the doc/ directory in srclib/pcre?  I think it might as well be
removed,
they won't get installed and developers can refer to the vendor/pcre
copies if necessary. svn merge will happily ignore the removed files
when merging to future versions so there's no issue there.
  


+1, I'll remove docs/* from srclib/pcre and add a README pointing to 
vendor/pcre.

Brian

Re: NWGNUmakefiles - Update or prod.

[Brad Nicholes]

  Checked in

thanks,
Brad

 [EMAIL PROTECTED] Wednesday, November 24, 2004 9:12:06 PM 
Greetings All,
Attached and listed below are two NWGNUmakefiles plus diff's to add
them 
into to the httpd build processdisavow being a wiz at this stuff
and 
if someone doesn't like the names chosen, etc here's the chance to 
supply something better (the prod)... :-)

Re: Apache 2.1 Builds...

[Brad Nicholes]

  It looks like some changes in the LibC SDK exposed some type
mismatches in some of the NetWare code.  These have been fixed and
checked in.

Brad

 [EMAIL PROTECTED] Saturday, November 27, 2004 2:04:41 PM 
Greetings All,
Thanks to all the recent updates the 2.1 (.2?) now builds cleanly using

the June LibC from go to whoa

However the issue mentioned previously with the Oct LibC persists...
the 
LibC docs show no change in the function definition...

Regards,
Norm

Re: 2.1.1 tarballs posted...

[Brad Nicholes]

   Since this is alpha level, should the server signature contain
-alpha so that users don't get this confused with an actual release? 
Once I build binaries for NetWare, the only thing that will indicate
that this is an alpha is the name of the .zip file.  It would be less
confusing if the binaries also showed that it is an alpha.

Index: ap_release.h
===
--- ap_release.h(revision 105990)
+++ ap_release.h(working copy)
@@ -36,7 +36,7 @@
 #define AP_SERVER_MAJORVERSION_NUMBER 2
 #define AP_SERVER_MINORVERSION_NUMBER 1
 #define AP_SERVER_PATCHLEVEL_NUMBER   1
-#define AP_SERVER_ADD_STRING  
+#define AP_SERVER_ADD_STRING  -alpha
 
 /* keep old macros as well */
 #define AP_SERVER_MAJORVERSION
APR_STRINGIFY(AP_SERVER_MAJORVERSION_NUMBER)


Brad


 [EMAIL PROTECTED] Friday, November 19, 2004 11:14:19 PM 
http://httpd.apache.org/dev/dist/

Grab the 2.1.1 tarballs while they're fresh.  Please start testing
these 
releases - they should have the intent of becoming the beginning of the
2.2.x 
series modulo all of the cleanup work we'll have to do after we branch.
 For 
now, 2.1.1 includes APR/APR-util 1.0.1 - we can adjust this later, if
need be.

2.1.1 is currently at alpha level - if we get enough +1s (i.e. 3 or
more), it 
can then be promoted to beta.  -- justin

Re: 2.1.1 tarballs posted...

[Brad Nicholes]

   The netware build is not copying the charset.conv file to the /conf
directory during the make install stage.  I just committed a patch for
NWgnumakefile.

Brad

 [EMAIL PROTECTED] Friday, November 19, 2004 11:14:19 PM 
http://httpd.apache.org/dev/dist/

Grab the 2.1.1 tarballs while they're fresh.  Please start testing
these 
releases - they should have the intent of becoming the beginning of the
2.2.x 
series modulo all of the cleanup work we'll have to do after we branch.
 For 
now, 2.1.1 includes APR/APR-util 1.0.1 - we can adjust this later, if
need be.

2.1.1 is currently at alpha level - if we get enough +1s (i.e. 3 or
more), it 
can then be promoted to beta.  -- justin

More informative SVN subject line (Re: svn commit: r76284 - apr/apr/trunk)

[Brad Nicholes]

   I'm sure that last thing that you want to hear is another complaint
after all of the work you have gone to, but I'm not sure just listing
directories is a better compromise.  At least before I could see the
difference between CHANGES and STATUS, now I just see trunk which
could be any one of a number of files.  Not all of which I am interested
in.  Personally I would opt for file listings rather than directory
listings to keep the subject line shorter and more informative.  I also
don't need to see svn commit: r at the front of every message.  I
already know it is an SVN commit based on the mailing list it came from.
 And if I am really interested in the revision number, I'm sure I can
get that from the message content.

Thanks again for all of your hard work.

Brad

 Justin Erenkrantz [EMAIL PROTECTED] Friday, November 19, 2004
12:12:39 PM 
--On Friday, November 19, 2004 11:11 AM -0700 Brad Nicholes 
[EMAIL PROTECTED] wrote:

Now that we have converted to SVN, why doesn't the subject line
 include the file that is being changed in the commit message?  This
 makes it harder to prioritize patches that need to be reviewed.

Our CVS mailer only showed the last directory (with files) that was 
committed - so subject lines were *always* inaccurate when touching 
multiple directories.  The SVN mailer always shows all directories that

were modified.  I think that's a far better compromise.  Plus, we've 
received a number of complaints that the subject lines were too long to
be 
useful: hence just the directory names.  *shrug*  -- justin

Re: More informative SVN subject line (Re: svn commit: r76284 - apr/apr/trunk)

[Brad Nicholes]

  I understand about the revision numbers and I agree that it is an
important piece of information, but unnecessary on the subject line. 
The subject line needs to include information that allows one to quickly
sort and prioritize the commits.  IMHO, the revision number isn't a
piece of information that helps do that.  Once I have determined that
the commit is important enough for me to review, I will certainly open
and view the contents of the message.  After I have reviewed the commit
via the message contents and determined that further review is
necessary, that is the point when the revision number becomes *very*
important.  As far as the svn commit: prefix is concerned, it was
redundant information before and I believe that it is still redundant
information.  Perhaps svn: is all that would be required so that when
a commit message is replied to on the dev@ lists, it is distinguished
from other posts.

Brad

 [EMAIL PROTECTED] Friday, November 19, 2004 2:47:17 PM 
--On Friday, November 19, 2004 2:41 PM -0700 Brad Nicholes 
[EMAIL PROTECTED] wrote:

 listings to keep the subject line shorter and more informative.  I
also
 don't need to see svn commit: r at the front of every message. 
I
 already know it is an SVN commit based on the mailing list it came
from.
  And if I am really interested in the revision number, I'm sure I
can
 get that from the message content.

IMHO, the revision number is the *most* important attribute of the
commit. 
Subversion uses global revision numbers: there is no per-file revisions

like CVS.  If you know the revision number, you can get everything
else. 
And, we already had a 'cvs commit: ' prefix on our previous CVS emails.
 -- 
justin

Re: Fwd: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

[Brad Nicholes]

   Taking a snapshot look at the STATUS file at any given point in time
does not show the actual problem.  The problem is the delay in getting
from point A (submitting a proposal) to point B (approval for backport).
 For a hot issue with many interested parties (who actually hold voting
rights), getting a backport proposed and accepted is rather quick.  In
such cases I would even suggest that the backport proposal policy is
simply a formality and overhead because those voting on a hot issue have
already reviewed the issue even before it hit the STATUS file.  So
rather than just checking in a patch that has already been reviewed by
the dev@ list, it is delayed simply on formality.  But that is a
different discussion on a minor point.

   The main evidence is the trend that is happening before each
release.  A release is proposed, an RM is selected, the RM sets a
deadline and everybody emails the list with their favorite backport
issue.  Now the RM has to deal not only with the release but whether or
not a backport has been accepted, can the tree be tagged yet, does a tag
need to be moved, etc.  Oh Oops a backport didn't make it and now we
need to issue a release patch for a
segfault(http://www.apache.org/dist/httpd/patches/apply_to_2.0.52/). 
Not only that but IMO, this in itself is a major contributor to
destabilization.  The best way to make sure that the branch is stable is
to get it out in front of those that are testing and using it.  Not
throw a bunch of patches in right before we release just because they
got three +1's.  Implementing lazy consensus would make others aware of
proposed backports, allow them to review the issue if interested and
allow the backport to move smoothly and quickly through the process
without having to beg the list for reviewers at the last minute.

The opposite question is what evidence do we have that RTC isn't
doing more harm than good once the branch is stable?  And please don't
point to the mess that happened between 2.0.35 and 2.0.4x.  IMO, that
mess was due to the fact that it was a first GA release and we just flat
out got it wrong.  It then took a few more rather quick releases to get
it finally right.  RTC for that period of stabilization may have been
valuable, but since stabilization was achieved, it is just getting in
the way of community involvement and ennovation.

Brad

 [EMAIL PROTECTED] Wednesday, November 17, 2004 12:42:08 PM 
On Tue, Nov 16, 2004 at 06:10:17PM -0700, Brad Nicholes wrote:
During ApacheCon several httpd PMC members got together to
discuss
 current issues with the httpd project and to try to find better ways
 to manage the project.  One of the issues that was discussed heavily
 was the current policy of RTC vs CTR.  The feeling of some of the
PMC
 members is that the RTC policy as it is currently implemented on the
 2.0 branch, is causing unnecessary overhead which has resulted in
the
 slowdown of activity in the httpd project.  One proposal that was
made
 would be to adopt a lazy consensus rule.  Basically what this means
is
 that when a backport is proposed in the STATUS file, after a period
of
 time and if the proposal has not recieved any 0 or -1 votes, it
would
 automatically be approved for backport by lazy consensus.  The
purpose
 for this proposal is to avoid stagnation of backport proposals in
the
 STATUS file simply due to the lack of votes. 

Looking through the STATUS file, there doesn't actually appear to be
much backport stagnation at all.  The majority of stale backport
proposals are stale because they are pending updates from the
submitter
after review by others, or they have been vetoed by a reviewer.  Which
is all healthy.  So what's the evidence that there is a slowdown of
activity caused by the backport policy?

There have been four 2.0 releases already this year, including 179
individual user-visible changes listed in CHANGES according to grep. 
Sounds pretty healthy to me.

Regards,

joe

Fwd: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

[Brad Nicholes]

moving to the [EMAIL PROTECTED]

 [EMAIL PROTECTED] Tuesday, November 16, 2004 4:08:20 PM 
   During ApacheCon several httpd PMC members got together to discuss
current issues with the httpd project and to try to find better ways
to
manage the project.  One of the issues that was discussed heavily was
the current policy of RTC vs CTR.  The feeling of some of the PMC
members is that the RTC policy as it is currently implemented on the
2.0
branch, is causing unnecessary overhead which has resulted in the
slowdown of activity in the httpd project.  One proposal that was made
would be to adopt a lazy consensus rule.  Basically what this means is
that when a backport is proposed in the STATUS file, after a period of
time and if the proposal has not recieved any 0 or -1 votes, it would
automatically be approved for backport by lazy consensus.  The purpose
for this proposal is to avoid stagnation of backport proposals in the
STATUS file simply due to the lack of votes.  


Brad

Re: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

[Brad Nicholes]

 [EMAIL PROTECTED] Tuesday, November 16, 2004 4:28:38 PM 
On Tue, Nov 16, 2004 at 04:08:20PM -0700, Brad Nicholes wrote:
 slowdown of activity in the httpd project.  One proposal that was
made
 would be to adopt a lazy consensus rule.  Basically what this means
is
 that when a backport is proposed in the STATUS file, after a period
of
 time and if the proposal has not recieved any 0 or -1 votes, it
would
 automatically be approved for backport by lazy consensus.  The
purpose
 for this proposal is to avoid stagnation of backport proposals in
the
 STATUS file simply due to the lack of votes.  

-1 (vote, not veto).

I think this is a bad idea and would make stable turn into CTR.  And,
that, I
believe jeopardizes the overall quality of the code.  And, I'm not
willing to
take that risk.

If there are a lack of votes for backport, then I believe that is a
sign that
there is not a healthy enough community of people who are able to
review the
code.  I'd like to ensure that we don't create 'islands' of code that
do not
have sufficient people who understand it.  -- justin

Fwd: Re: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

[Brad Nicholes]

moving to dev@ list

 [EMAIL PROTECTED] Tuesday, November 16, 2004 4:46:45 PM 
On 17.11.2004, at 00:30, Cliff Woolley wrote:

 On Tue, 16 Nov 2004, Justin Erenkrantz wrote:

 I think this is a bad idea and would make stable turn into CTR. 
And, 
 that, I
 believe jeopardizes the overall quality of the code.  And, I'm not 
 willing to
 take that risk.

 I agree with Justin, but I recognize what a pain in the ass it is
for
 people working off in the corners of the codebase.  So -0 from me.

Exactly the same feelings here, so -0 from my side too.

Cheers,
Erik

Fwd: Re: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

[Brad Nicholes]

moving to dev@ list

 [EMAIL PROTECTED] Tuesday, November 16, 2004 5:21:28 PM 
+1

Lazy consensus applied in this way will help the less popular parts
of our codebase to continue to evolve and stabilize. Up to this point,
only the most popular patches have been getting enough attention
to receive the required three +1s. Going in this direction is
definitely
the right way to go.

p.s. why is this on the pmc list? we have committers who aren't
PMCers,
right?

-aaron


On Nov 16, 2004, at 3:08 PM, Brad Nicholes wrote:

During ApacheCon several httpd PMC members got together to
discuss
 current issues with the httpd project and to try to find better ways
to
 manage the project.  One of the issues that was discussed heavily
was
 the current policy of RTC vs CTR.  The feeling of some of the PMC
 members is that the RTC policy as it is currently implemented on the

 2.0
 branch, is causing unnecessary overhead which has resulted in the
 slowdown of activity in the httpd project.  One proposal that was
made
 would be to adopt a lazy consensus rule.  Basically what this means
is
 that when a backport is proposed in the STATUS file, after a period
of
 time and if the proposal has not recieved any 0 or -1 votes, it
would
 automatically be approved for backport by lazy consensus.  The
purpose
 for this proposal is to avoid stagnation of backport proposals in
the
 STATUS file simply due to the lack of votes.


 Brad

Fwd: Re: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

[Brad Nicholes]

moving to the dev@ list

 [EMAIL PROTECTED] Tuesday, November 16, 2004 5:48:15 PM 
If there are a lack of votes for backport, then I believe that is a
sign that
there is not a healthy enough community of people who are able to
review the
code.  I'd like to ensure that we don't create 'islands' of code that
do not
have sufficient people who understand it.  -- justin

This is the definition of the downward spiral that we are in.  If the
code doesn't get out there then the interest in the code drops off. 
The
more the interest in the code drops off, the less code there is to put
out there.  The whole idea behind Open Source is to get the code in
front of the user, allow them to test, supply feedback so that bugs
can
be fixed.  If the code gets hung up in the STATUS file, we don't get
any
feedback therefore the code never gets fixes.  I would personally
rather
see the code in front of the user so that it is reviewed by more than
just those with voting rights.  How else are we going to generate a
community.

Brad

 [EMAIL PROTECTED] Tuesday, November 16, 2004 4:28:38 PM 
On Tue, Nov 16, 2004 at 04:08:20PM -0700, Brad Nicholes wrote:
 slowdown of activity in the httpd project.  One proposal that was
made
 would be to adopt a lazy consensus rule.  Basically what this means
is
 that when a backport is proposed in the STATUS file, after a period
of
 time and if the proposal has not recieved any 0 or -1 votes, it
would
 automatically be approved for backport by lazy consensus.  The
purpose
 for this proposal is to avoid stagnation of backport proposals in
the
 STATUS file simply due to the lack of votes.  

-1 (vote, not veto).

I think this is a bad idea and would make stable turn into CTR.  And,
that, I
believe jeopardizes the overall quality of the code.  And, I'm not
willing to
take that risk.

If there are a lack of votes for backport, then I believe that is a
sign that
there is not a healthy enough community of people who are able to
review the
code.  I'd like to ensure that we don't create 'islands' of code that
do not
have sufficient people who understand it.  -- justin

Fwd: Re: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

[Brad Nicholes]

moving to dev@ list

 [EMAIL PROTECTED] Tuesday, November 16, 2004 6:00:16 PM 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+1 it might open up a couple of bugs/regressions, but it will certainly

mean more fixes going in

On 17/11/2004, at 10:08 AM, Brad Nicholes wrote:

During ApacheCon several httpd PMC members got together to
discuss
 current issues with the httpd project and to try to find better ways
to
 manage the project.  One of the issues that was discussed heavily
was
 the current policy of RTC vs CTR.  The feeling of some of the PMC
 members is that the RTC policy as it is currently implemented on the

 2.0
 branch, is causing unnecessary overhead which has resulted in the
 slowdown of activity in the httpd project.  One proposal that was
made
 would be to adopt a lazy consensus rule.  Basically what this means
is
 that when a backport is proposed in the STATUS file, after a period
of
 time and if the proposal has not recieved any 0 or -1 votes, it
would
 automatically be approved for backport by lazy consensus.  The
purpose
 for this proposal is to avoid stagnation of backport proposals in
the
 STATUS file simply due to the lack of votes.


 Brad

- --
Ian Holsman
Director
Network Management Systems
CNET Networks
PH: 415-344-2608 (USA) /(++61) 3-9818-0132 (Australia)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBmqKgq3pgvCz4ZCcRAk6aAJ4pjGy170JuvPoq8fWgWtsf3Qw+kQCfXSe+
RmXGGKTaFWWTH6UeO/IQVZU=
=k5e/
-END PGP SIGNATURE-

Fwd: Re: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

[Brad Nicholes]

moving to dev@ list

 [EMAIL PROTECTED] Tuesday, November 16, 2004 6:04:08 PM 
   This proposal is in addition to the proposal on the dev list.  Once the code 
converts from CTR to RTC in a stable branch, then we need a way to make sure 
that overhead doesn't stifle ennovation.  The fact is that users and casual 
developers pay more attention to the stable branch rather than HEAD.  Why?? 
Because that is what matters to them.  If there is an itch that needs to be 
scratched, it's in the code that they are depending on to run their site.  That 
is usually not the bleeding edge.

Brad

 [EMAIL PROTECTED] Tuesday, November 16, 2004 4:29:31 PM 
* Brad Nicholes [EMAIL PROTECTED] wrote:

During ApacheCon several httpd PMC members got together to discuss
 current issues with the httpd project and to try to find better ways to
 manage the project.  One of the issues that was discussed heavily was
 the current policy of RTC vs CTR.  The feeling of some of the PMC
 members is that the RTC policy as it is currently implemented on the 2.0
 branch, is causing unnecessary overhead which has resulted in the
 slowdown of activity in the httpd project.  One proposal that was made
 would be to adopt a lazy consensus rule.  Basically what this means is
 that when a backport is proposed in the STATUS file, after a period of
 time and if the proposal has not recieved any 0 or -1 votes, it would
 automatically be approved for backport by lazy consensus.  The purpose
 for this proposal is to avoid stagnation of backport proposals in the
 STATUS file simply due to the lack of votes.  

I think, the RTC policy for 2.0 is a good thing. It *forces* reviews, which
actually often helped to prevent introducing new bugs (not always though, but
that's probably another issue).

IMHO a better way bring the development further is the suggestion on the dev
list. *absolute* feature freeze on stable branches (except 1.3?), bug fixes
only. Though it would need some time to establish the trust of the community
in so much more versions, I like that idea somehow.

nd
-- 
Das einzige, das einen Gebäudekollaps (oder auch einen
thermonuklearen Krieg) unbeschadet übersteht, sind Kakerlaken
und AOL-CDs.
  -- Bastian Lipp in dcsm

Re: Branching and release scheduling

[Brad Nicholes]

I have to agree with Jim.  Well put!

Brad

 [EMAIL PROTECTED] Tuesday, November 16, 2004 5:55:04 PM 

On Nov 16, 2004, at 3:16 PM, Manoj Kasichainula wrote:

 We had a good discussion over lunch today on our release processes
and 
 how to have stable releases while making new feature development as 
 fun and easy for the geeks as possible.


The is a purely personal POV, and I'm wishing I was at the lunch
because
this addresses something that I've been think and maybe others as
well,
considering a similar Email thread I see from Brad N, so take the
below
as my own opinions.

I find it somewhat hard to get excited by 2.x development because
2.1 almost seems like a black hole at times... You put the energy
into the development but have to wait for it to be folded into
an actual version that gets released and used. Now waiting is
good, but sometimes it seems that the backports are slow in getting
approved. I think most developers like, well, if not *immediate*
satisfaction, something more quick than the current 
develop-2.1-and-wait-
for-a-long-time-before-folded-into-2.0.

Stability is great, but we should be careful that we don't unduly
sacrifice developer energy. This may not be so clear, so feel free
to grab me :)

Re: Use threaded MPM by default was Re: cvs commit: httpd-2.0 STATUS

[Brad Nicholes]

   It's not Linux but here is a piece of information that should help. 
NetWare is a thread only environment which means that we have been
shipping and running all of the standard modules since day one with
really no report of any threading related issues.  I can't speak for any
third party modules out there that may not be thread safe and I
understand that Apache for NetWare has nowhere near the number of
installations as Linux or others, but our standard modules seem to be
doing well from a NetWare point of view.  Even on multi-proc machines. 
Granted we don't normally stress test mod_example ;).

Brad

 [EMAIL PROTECTED] Thursday, November 11, 2004 3:38:29 AM 
On Sat, Nov 06, 2004 at 12:48:50AM -0800, Justin Erenkrantz wrote:
 --On Saturday, November 6, 2004 8:28 AM + [EMAIL PROTECTED]
wrote:
 
   @@ -125,6 +125,8 @@
  +0:   BrianP, Aaron (mutex contention is looking better
with the
latest code, let's continue tuning and testing),
rederpj, 
jim
  -0:   Lars
   +
   +  pquerna: Do we want to change this for 2.2?
 
 Seems reasonable to do so.  2.0 was our first threaded release -
making a 
 threaded MPM by default (if available) for 2.2 seems fine by me.  --
justin

I don't really agree with this.  Many third-party modules still aren't
thread-safe (and probably quite a few shipped in httpd too e.g. 
mod_example!).  Making worker the default won't solve that, it'll just
create a stream of I upgraded to 2.2 and now everything segfaults
bug
reports and people will stick with 1.3/2.0. 

2.2 can be a compelling upgrade without making worker the default.

joe

RE: [PATCH]Re: Adding a new user DN cache to authnz_ldap...

[Brad Nicholes]

Good point.  I will get the patch committed

Brad

 Jari Ahonen [EMAIL PROTECTED] Thursday, November 04, 2004
7:39:01 AM 
Brad,

I think this patch should be applied to the current HEAD
util_ldap.c code. It prevents util_ldap_cache_getuserdn()
timestamping cache entries with bindpw.

- Jari

- cut here - cut here -
--- util_ldap.c.orig2004-11-02 00:43:24.0 +0100
+++ util_ldap.c 2004-11-04 15:34:23.0 +0100
@@ -1096,7 +1096,12 @@
 /* Nothing in cache, insert new entry */
 util_ald_cache_insert(curl-search_cache,
the_search_node);
 }
-else {
+/*
+ * Don't update lastbind on entries with bindpw because
+ * we haven't verified that password. It's OK to update
+ * the entry if there is no password in it.
+ */
+else if (!search_nodep-bindpw) {
 /* Cache entry is valid, update lastbind */
 search_nodep-lastbind = the_search_node.lastbind;
 }
- cut here - cut here -
 

Re: [PATCH]: LDAP Authz (was: Ldap Authorization)

[Brad Nicholes]

   I like the suggestion as well because I think that would be the right
way to implement complex LDAP expressions.  But it would probably take
adding at least a new util_ldap_filter_search() API to Util_ldap() in
order to accomodate this functionality.  The advantage of also having an
ldap-attribute directive is because if simplicity as well as
performance.  According to the LDAP docs, doing an ldap_compare_s() is
faster than an ldap_search_s().  I will go ahead an commit the patch
as-is and also propose a backport for it.  But I think that we should
look at adding a require ldap-filter directive as well for Apache
2.1/2.2.

Brad

 [EMAIL PROTECTED] Wednesday, November 03, 2004 8:09:35 AM 
Good suggestion. I am +1 for the patch as-is with the intent
of looking into adding the below

On Nov 3, 2004, at 5:04 AM, Graham Leggett wrote:

 Brad Nicholes wrote:

I took a quick look at this patch and it seems to work well as
long
 as all of the listed attributes are OR'ed together.  I don't have a

 good
 suggestion yet, but is there a way to implement the logic so that
 attributes could be also AND'ed together?  Or even a NOT-EQUAL
 operation?

 I think the best way to do this probably is instead of saying
require 
 ldap-attribute you say require LDAP filter.

 In other words, like this:

 require filter (objectclass=specialPerson)

 or

 require filter (host=somehost.com)

 This supports more complicated stuff, like this:

 require filter ((objectclass=specialPerson)(host=somehost.com))

 Regards,
 Graham
 --

--
===
  Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/

   There 10 types of people: those who read binary and everyone
else.

Re: cvs commit: httpd-2.0 STATUS

[Brad Nicholes]

  You are correct that a patch based on mod_authnz_ldap.c won't apply
cleanly to mod_auth_ldap.c because of various differences in the code
base.  But the patch is fairly self-contained meaning that the same
chunk of code can easily be copied from mod_authnz_ldap.c and pasted
into mod_auth_ldap.c without modification to the code snipet itself.  I
can certainly create and post an actual patch file that will apply
cleanly to mod_auth_ldap.c if required.  But it shouldn't be difficult
to review the patch as it stands in mod_authnz_ldap.c.

Brad

 [EMAIL PROTECTED] Wednesday, November 03, 2004 4:01:07 PM 
On Wed, Nov 03, 2004 at 10:16:55PM -, [EMAIL PROTECTED] wrote:
...
   +*) mod_authnz_ldap: Added the directive Requires
ldap-attribute that
   +   allows the module to only authorize a user if the attribute
value
   +   specified matches the value of the user object. PR 31913
   + modules/aaa/mod_authnz_ldap.c: r1.7
   +docs/manual/mod/mod_authnz_ldap.xml: r1.3
   +   +1: bnicholes

mod_authnz_ldap doesn't exist in 2.0; would this diff actually apply
to
mod_auth_ldap?  If not then a separate patch needs to be posted
somewhere for review.

joe

Re: [PATCH]: LDAP Authz (was: Ldap Authorization)

[Brad Nicholes]

   I took a quick look at this patch and it seems to work well as long
as all of the listed attributes are OR'ed together.  I don't have a good
suggestion yet, but is there a way to implement the logic so that
attributes could be also AND'ed together?  Or even a NOT-EQUAL
operation?

Brad

 [EMAIL PROTECTED] Sunday, October 31, 2004 2:03:53 PM 

I've opened an enhancement in bugzilla:

http://issues.apache.org/bugzilla/show_bug.cgi?id=31913 

I have attached the patch here for review.  I'd also like to get this
committed to the 2.0 tree so people can start taking advantage of the
feature without waiting for 2.2.

Thoughts?

Adding a new user DN cache to authnz_ldap...

[Brad Nicholes]

   I see your point about the req structure being tied to closely to
authentication phase so that authorization will not work without it. 
Now I understand the need for util_ldap_cache_getuserdn() which is the
real patch that needs to be added.  In other words, the relevant bug is
actually 28253 not 31898.  The question now is should the same search
cache used by util_ldap_cache_checkuserid() also be referenced in
util_ldap_cache_getuserdn().  I guess it could be, but I am thinking
that even though some user DN's might be stored in two different caches,
it would be safer to create a new cache just for user DN's.  This way,
util_ldap_cache_checkuserid() can continue to enforce the no NULL or
blank passwords as it was originally designed, as well as avoiding a
potential false positive if util_ldap_cache_getuserdn() were to insert a
NULL password entry thus allowing a user without a password to pass
authentication when the cache is checked by
util_ldap_cache_checkuserid().  

Brad

 Jari Ahonen [EMAIL PROTECTED] Friday, October 29, 2004 8:53:41 AM

Brad,

What I've written below might sound that I'm just arguing that
things should be done my way. Don't take it like that, I'm just
trying to make it easier for you to understand my viewpoint on
this issue.

Brad Nicholes wrote:
 So basically what you did was write a function that puts bad data 
 into the cache that the cache was never designed to handle or allow.

I'm not sure I would agree with that. But then, I haven't seen
the design specifications for the cache. I based my assumptions
on comments in util_ldap_cache.h which I thought implied that
NULL bindpw is allowed in a cache record.

 I would suggest closing the first bug that you wrote and opening 
 another one that states that you would like to add new functionality
  to util_ldap through a functioned call util_ldap_cache_getuserdn().

That's what I tried some time back with bug 28253 but it didn't
go very far...

 No, there are two other caches that are implemented by util_ldap. 
 They are the compare cache and the comparedn cache.  These caches
are
  primarily used during the authorization phase rather than the 
 authentication phase.

True. And I understand that these caches exist and what they
are used for. But what is missing in the current util_ldap
implementation is a function that allows you to get the user DN
out of the directory without having to supply the correct user
password. None of the functions defined in include/util_ldap.h
do that, yet this is what is needed in order to do LDAP group
authorizations.

Even the Apache 2.1 mod_authnz_ldap will not be able to authorize
a request if that request is authenticated with some other module.
This is because the user DN (In authn_ldap_request_t *req structure)
is attached to the request in authentication phase and recalled
later in authorization phase. If the request is not authenticated
with mod_authnz_ldap, the req structrure does not exist and with
current util_ldap there is no way to get the DN without knowing
the user password. The end result of all this is that it is
impossible to do authorization based on LDAP groups if you are
authenticating with some other module.

So we need some way of creating that authn_ldap_request_t structure
in the authorization phase of the request. I thought the easiest
way of doing this would be making a copy of
util_ldap_cache_checkuserid() without password checking that would
store the results in the cache with bindpw=NULL. But doing so
caused the problems I reported in bug 31898. Storing bindpw=
would cause slightly different problem because then the current
util_ldap_cache_checkuserid would allow anyone in with blank
password as long as the user had authenticated once and the cache
record hasn't expired.

Alternative fix for my problem is for myself to store the cache
entries with bindpw= and move the blank password check that
is now somewhere in the middle of util_ldap_cache_checkuserid()
into the beginning of the function, before the cache check. In
fact maybe that blank password check should be one of the first
checks anyway since it makes no sense to do all that cache and
LDAP searching if blank passwords aren't allowed at all.

- Jari

-- 
--
| Jari Ahonen   | Progress Software Europe   |
| [EMAIL PROTECTED]  | Schorpioenstraat 67|
| Tel: +31-10-2865 700  | 3067 GG Rotterdam  |
| Fax: +31-10-2865 225  | The Netherlands|
||
|   Once you've made the commitment to recreation,  |
| there is no turning back. |
--

Re: Adding a new user DN cache to authnz_ldap...

[Brad Nicholes]

  Since the checkuserid cache does not allow NULL or blank passwords
today and its purpose is for authentication, I'm just not completely
comfortable allowing another function whose purpose it is to simply
lookup user DN's to insert NULL or blank password entries.  It seems
like it would potentially open up holes where there wasn't a problem
before.  Adding a separate cache would just eliminate any potential
problems.

Brad

 Jari Ahonen [EMAIL PROTECTED] Friday, October 29, 2004 2:51:47 PM

Brad Nicholes wrote:
 I see your point about the req structure being tied to closely to 
 authentication phase so that authorization will not work without it.

 Now I understand the need for util_ldap_cache_getuserdn() which is 
 the real patch that needs to be added.  In other words, the relevant

 bug is actually 28253 not 31898.

In a way they are both relevant because applying the changes
needed for 28253 will cause the behaviour in 31898.

 The question now is should the same search cache used by
 util_ldap_cache_checkuserid() also be referenced in
 util_ldap_cache_getuserdn().  I guess it could be, but I am thinking
 that even though some user DN's might be stored in two different
 caches, it would be safer to create a new cache just for user DN's.

I think the same search cache should be used. To me it makes no
sense to have two caches with more or less the same data in them.
Having a record in search cache with bindpw=NULL should be a
good enough indicator that the particular record has not
been through password verification (In fact the commets in
util_ldap_cache.h suggest this might have been planned at some
point). It is easy enough to check if bindpw exists in a cache
record in util_ldap_cache_checkuserid() to prevent access with
blank passwords. And a cache record created by
util_ldap_cache_checkuserid() can be used with
util_ldap_cache_getuserdn() since that function does not need
to care about passwords.

I have had a server running with this kind of setup for quite
a while now, it was just that the shared cache changes done
in 2.0.52 added the extra check that started to crash my server
when util_ldap_cache_checkuserid() tries to strcmp() that NULL
password.

- Jari

-- 
--
| Jari Ahonen   | Progress Software Europe   |
| [EMAIL PROTECTED]  | Schorpioenstraat 67|
| Tel: +31-10-2865 700  | 3067 GG Rotterdam  |
| Fax: +31-10-2865 225  | The Netherlands|
||
|   Once you've made the commitment to recreation,  |
| there is no turning back. |
--

Re: cvs commit: httpd-2.0/server core.c protocol.c request.c scoreboard.c util.c util_script.c

[Brad Nicholes]

   mod_cache is a different issue.  The compiler used to build the
netware NLMs is very sensitive to type mismatches.  

   @@ -3793,7 +3794,7 @@
core_net_rec *net = f-ctx;
core_ctx_t *ctx = net-in_ctx;
const char *str;
   -apr_size_t len;
   +apr_ssize_t len;


Changing the type from apr_size_t to apr_ssize_t introduced a type
mismatch in the call to apr_bucket_read() which expects an apr_size_t. 
Type casting it back to an apr_size_t to fix the problem seems like it
would have defeated the whole purpose of doing it in the first place. 
Besides the fact that apr_bucket_read() can't give you back anything
bigger than an apr_size_t anyway.

Brad 

 [EMAIL PROTECTED] Monday, October 25, 2004 10:01:53 AM 
Brad Nicholes wrote:
 -1 as well.  This is now causing compiler errors on NetWare.  Please
 revert this patch!

Can you provide an indication of exactly what broke so we
will know what to avoid in future. Or was the breakage
actually due to the the mod_cache problem reported
last night?

Thanks, Allan

Re: Apache HTTP Server 1.3.32 RC Tarballs available for test

[Brad Nicholes]

+1 NetWare


 [EMAIL PROTECTED] Monday, October 18, 2004 8:15:16 PM 
The RC tarballs for 1.3.32 are available for review and feedback:

http://httpd.apache.org/dev/dist/ 

1.3.32 is *not* yet released; these are simply the release
candidate tarballs.
-- 
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]  
http://www.jaguNET.com/ 
There 10 types of people: those who read binary and everyone
else.

Re: Bye bye welcome page

[Brad Nicholes]

From what I can see, the reason for providing a short and simple
welcome page is to avoid confusing people by giving them too much
information.  The question I would ask is, are you just trading one set
of problems for another?  How many people are we going to confuse by not
giving enough information?  You may be climbing out of one boat full of
problems, just to climb into another.

   Translation issues aside, personally the only thing that I see wrong
with the welcome page is the fact that it keeps referring to this
system.  Cut the first paragraph and the rest is fine.

  I guess the point is, too much information might be a problem in this
case, but then so is too little.

Just my 1 of 1000 opinions.

Brad

 [EMAIL PROTECTED] Wednesday, October 06, 2004 11:12:33 AM 

On Tue, 5 Oct 2004, Graham Leggett wrote:

 Joshua Slive wrote:

 No, because this is a very confusing and ambiguous statement from
the 
 perspective of a random web surfer who stumbles on the page.  Their

 response is Why are you saying I installed a webserver on my
computer? 
 This must be some kind of security breach.  Call in the marines! 
(And I'm 
 hardly exagerating!)

 Point... How about The website you have accessed has not yet been 
 configured. Please try to access this website again later.? It's
directed at 
 end users, and does not imply anywhere that the server might be
running on 
 their local machine.

My opinion is that the shorter message is better because, by the fact
that 
it gives no information at all, it is less likely to be misinterpreted
to 
mean something that the website owner doesn't intend.

I won't object if someone wants to put another piece of text there, as

long as it doesn't start us back on the same road we left 5+ years ago

with this page.

Joshua.

segfault patch for util_ldap (was:Re: cvs commit: httpd-2.0 STATUS)

[Brad Nicholes]

   Since this patch was the last of three fixes for util_ldap and didn't
make it into 2.0.52 because of lack of votes and since it fixes a
segfault in util_ldap, now that it has the required votes, I would
suggest we backport the fix and post the patch in /dist/httpd/patches. 
Any objections?

Brad

 [EMAIL PROTECTED] Tuesday, September 28, 2004 10:20:11 AM 
clar2004/09/28 09:20:11

  Modified:.Tag: APACHE_2_0_BRANCH STATUS
  Log:
  added vote for ldap cache purge fix
  
  Revision  ChangesPath
  No   revision
  No   revision
  1.751.2.1089 +2 -2  httpd-2.0/STATUS
  
  Index: STATUS
  ===
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.1088
  retrieving revision 1.751.2.1089
  diff -u -r1.751.2.1088 -r1.751.2.1089
  --- STATUS24 Sep 2004 14:29:26 -  1.751.2.1088
  +++ STATUS28 Sep 2004 16:20:10 -  1.751.2.1089
  @@ -81,7 +81,7 @@
   
   *) Fix a segfault in the LDAP cache purge. PR 24801
modules/ldap/util_ldap_cache_mgr.c: 1.9, 1.10
  -   +1: minfrin, bnicholes
  +   +1: minfrin, bnicholes, clar
  bnicholes - backporting modules/ldap/util_ldap_cache_mgr.c:
r1.7 below
should eliminate the need to backport the else condition
included
in this patch.
  
  
  

Re: segfault patch for util_ldap (was:Re: cvs commit: httpd-2.0 STATUS)

[Brad Nicholes]

   I wouldn't consider posting the patch if there was going to be
another release in a week and a half, but that usually isn't the case
and a patch for an experimental module usually isn't reason enough to
roll another release.  Past history shows that it usually takes a
serious vulnerability to warrant the turnaround we saw with 2.0.52. 
There have been a number of users reporting this segfault not only on
the httpd email lists but on our own Novell news groups as well.  We
have been making a lot of progress towards stabilizing auth_ldap and
util_ldap and as a result, I believe that the popularity of these
modules has increased.  I would really hate to put a damper on this
forward progress just because we missed a segfault patch by one vote. 
Simply posting this patch seems like a quick and easy fix until the next
release.

Brad

 [EMAIL PROTECTED] Tuesday, September 28, 2004 4:28:25 PM 
At 04:59 PM 9/28/2004, Brad Nicholes wrote:
   Since this patch was the last of three fixes for util_ldap and
didn't
make it into 2.0.52 because of lack of votes and since it fixes a
segfault in util_ldap, now that it has the required votes, I would
suggest we backport the fix and post the patch in /dist/httpd/patches.

Any objections?

No objection to backporting.  Why not simply keep moving towards
another
release starting in a week and a half?  The project as a whole is
making huge progress on many fronts - the concept of release early,
release often comes to mind.

We fix dozens of things per week, why would this merit special
placement in patches?  Seems like the sort of thing contrib was
made for.

And if you are asking if a special build of Netware + patch in
binaries is appropriate, I would vote Nay.  But if you want to
push for a release the day this patch is committed, that's the
right of every project member.

Bill

Re: segfault patch for util_ldap (was:Re: cvs commit: httpd-2.0 STATUS)

[Brad Nicholes]

 [EMAIL PROTECTED] Tuesday, September 28, 2004 5:31:47 PM 
At 06:12 PM 9/28/2004, Brad Nicholes wrote:
   I wouldn't consider posting the patch if there was going to be
another release in a week and a half, but that usually isn't the
case
and a patch for an experimental module usually isn't reason enough
to
roll another release.  Past history shows that it usually takes a
serious vulnerability to warrant the turnaround we saw with 2.0.52. 

No, it just takes someone motivated.  I hated the thought of 2.0.51
sitting around so I did something about it :)

It takes a little more than just motivation, it also takes a need and
consensus.  To all those using auth_ldap and util_ldap, this patch is
very import.  To the rest, they don't really care so another release
within 3 weeks is just a pain.  All I really want to do is release a
patch to make life easier for those that care and want to move forward
with ldap, not cause a headache for the majority that don't.  I really
doubt I am going to get 3 +1's in favor of rolling a release all for a
patch to an experimental module.

Quoting the download page:

Official Patches
When we have patches to a minor bug or two, or features which we
haven't yet included in a new release, we will put them in the patches
subdirectory so people can get access to it before we roll another
complete release.


All this is, is a patch to fix a bug which hasn't been included in a
new release yet so people can get access to it, it doesn't warrant a new
release.  It's not that big of an issue.

Brad

Re: new config organization for 2.1

[Brad Nicholes]

Therefore I think there are certainly valid reasons to split up the
conf
file, and from a usability perspective, it may be a bit more
confusing
upon an initial install, but the benefits down the road were immense
for
me. Mind you, being in an organization where 12 people of varying
degree of expertise have access to the conf file and can restart the
web
server in not common. Any downtime is not tolerated and has to be
followed
up with a post mortem.

I am in total agreement in fact my guess would be that most
organizations will eventually split up the httpd.conf file to fit
whatever needs they have.  But I would imagine that no two organizations
split up the .conf file in the same way.  So splitting it up and
installing it in the way that the ASF likes it, just seems more
confusing than helpful.  But like Joshua said, If you can suggest a
better compromise solution, I am very interested,  I don't have a
better suggestion yet so I will have to think about it some more.

Brad



Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

Re: new config organization for 2.1

[Brad Nicholes]

   Maybe I am jumping in here out of turn, but let me ask the obvious
question.  Why would we want to split the standard base httpd.conf file
up into multiple files?  Doesn't this end up just confusing the average
user?  One thing that I always tell new users of Apache is that rather
than trying to understand the entire alpabetical list of directives in
the httpd docs, go read the comments in the standard httpd.conf file. 
This gives them a good idea of what the base set of directives are and
how they are used in a working context.  For newbies reading a single
.conf file seems easier to understand than trying to trace through
multiple .conf files just to figure out the big picture.  For those that
are Apache experts, they have already rewritten and rearchitected the
the httpd.conf file to fit their needs so they don't care.  I can
understand splitting dead or rarely used directives out, but it seems
much easier to read as a single file.  Maybe just some additional
formatting and comments to distinguish MPM directives from Language from
Vhosts, etc. is needed.

Brad




Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

Re: Apache 2.0.51 util_ldap

[Brad Nicholes]

I'm still wondering if we shouldn't just stick with the local
read/write 
lock on Windows and other single child MPMs (NetWare?) as this should

allow better throughput in such cases and yet be safe, right?  In
fact, 

Actually on NetWare this is a non-issue.  On NetWare everything is
global (memory, locks, etc.), so there is no difference between a global
mutex and a local one (other than previously we were using reader/writer
locks rather than mutexes).  I would like to use reader/writer locks
rather than global mutexes simply for performance reasons, but I'm not
sure how we would go about switching between global and local locks
anyway.  This would require #ifdef'ing the code for particular platforms
or MPM's which isn't a good thing.

Brad


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Sunday, September 19, 2004 3:43:20 PM 
Sorry for the chattiness of my solution process.  I've tested and these

fixes do apply with the global mutex changes *except* when one disables

caches by sizing them all to 0, Apache will crash on the first 
authentication request when the global mutexes are used!  This needs to

be fixed!

I've attached a unified diff containing the purge fix and the
unassigned 
variable fix (which as Graham pointed out is already in the 2.1
branch).

I'm still wondering if we shouldn't just stick with the local
read/write 
lock on Windows and other single child MPMs (NetWare?) as this should 
allow better throughput in such cases and yet be safe, right?  In fact,

why do we use shared memory on these platforms for the cache?  [If I'm

just daft here, I apologize.]

--
Jess Holle

Jess Holle wrote:

 Here's a fixed LDAP purge routine which works great in my testing 
 (with cache sizes of 8, 100, 1000, and 2150 and 2500 unique user 
 logins repeated 3 times each).  [No, I haven't produced a diff as I 
 have pieces of util_ldap from various CVS levels at this point.]

 Essentially I added all the logic surrounding 'pp', which is the 
 address of the previous node's 'next' field or of cache-nodes[i] in

 the case of the first node.  [Cleary my C is getting rusty -- this 
 took me a few attempts to get right...]

 This fixes the biggest LDAP module issue I'm aware of: hangs and 
 crashes after one or more cache purges.

Re: cvs commit: httpd-2.0/modules/ldap util_ldap_cache_mgr.c

[Brad Nicholes]

   Even though it isn't a big deal, the point is that newcurl is not
undefined.  It was initialized to NULL when it was declared at the
beginning of the function.  This is a mismatch between HEAD and
APACHE_2_0_BRANCH.  util_ldap has been moved out of experimental in HEAD
and now exists in modules/ldap.  jorton is refering to the r1.7 revision
of modules/ldap/util_ldap_cache_mgr.c rather than
modules/experimental/util_ldap_cache_mgr.c.  The backport should include
the initialization of newcurl as was committed in 
modules/ldap/util_ldap_cache_mgr.c r1.7 rather than the else code
submitted in the patch file so that the backport matches the current
state of the code.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Monday, September 20, 2004 7:15:27 AM 
See my util_ldap.c patch.

Whether or not this patch is absolutely necessary, leaving code paths 
that leave function return results undefined is never good!

Also, see the bigger patch to util_ldap_cache_mgr.c that I passed along

yesterday.

I've attached both here for convenience.

--
Jess Holle

Joe Orton wrote:

On Sun, Sep 19, 2004 at 11:00:25PM -, [EMAIL PROTECTED] wrote:
  

  --- util_ldap_cache_mgr.c   13 Sep 2004 11:11:32 -  1.8
  +++ util_ldap_cache_mgr.c   19 Sep 2004 23:00:25 -  1.9


...
  

  @@ -252,6 +254,8 @@
   newcurl = util_ald_cache_insert(st-util_ldap_cache,
curl);
   
   }
  +else
  +  newcurl = NULL;
   
   return newcurl;
   }



This is not necessary after the r1.7 fix last week, so there's no
point
in asking for r1.7 to be back-ported as well as this.

Also it looks as if the _child_init hook in util_ldap.c will still
segfault with a NULL _cache_lock?
  

Re: Time for 2.0.51 and 2.1.0

[Brad Nicholes]

  Same here.  I need another vote for the util_ldap.c backport

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Thursday, August 26, 2004 11:21:22 AM 
Sander Striker wrote:
 Hi,
 
 I'm going to start a TR cycle for both 2.0 and 2.1 monday.
 Objections?
 
 Sander
 

Got a few 2.0 backports from 2.1 I need to drum up support for but
otherwise +1

Bill

Re: cvs commit: httpd-2.0/docs/manual/style/xsl common.xsl

[Brad Nicholes]

  Oops, my mistake.  This wasn't suppose to be checked in.  Reverting now.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Wednesday, August 25, 2004 2:15:25 PM 
bnicholes2004/08/25 13:15:25

  Modified:docs/manual/style build.properties lang-targets.xml
   docs/manual/style/css manual-zip.css
   docs/manual/style/lang de.xml en.xml fr.xml ja.xml ko.xml
ru.xml
   docs/manual/style/xsl common.xsl
  Log:
  Update 8/25/04
  
  Revision  ChangesPath
  1.3   +2 -1  httpd-2.0/docs/manual/style/build.properties
  
  Index: build.properties
  ===
  RCS file: /home/cvs/httpd-2.0/docs/manual/style/build.properties,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- build.properties  1 Aug 2004 12:41:55 -   1.2
  +++ build.properties  25 Aug 2004 20:15:24 -  1.3
  @@ -1,7 +1,8 @@
   # This file contains version specific properties
   
   # No xml files yet
  +noxml.ja=howto/auth.html.ja.euc-jp developer/modules.html.ja.euc-jp
   noxml.fr=new_features_2_0.html.fr upgrading.html.fr
   
   # (pending) httpd version
  -httpd.version=2.1.0-dev
  +httpd.version=2.0.51
  
  
  
  1.4   +2 -15 httpd-2.0/docs/manual/style/lang-targets.xml
  
  Index: lang-targets.xml
  ===
  RCS file: /home/cvs/httpd-2.0/docs/manual/style/lang-targets.xml,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- lang-targets.xml  29 Jul 2004 17:58:55 -  1.3
  +++ lang-targets.xml  25 Aug 2004 20:15:24 -  1.4
  @@ -21,8 +21,8 @@
   !--  --
   project name=lang-targets
   
  -target description=- builds all HTML files and nroff man pages name=all 
depends=de, en, es, fr, ja, ko, ru/
  -target description=- builds all zip download packages name=zip-all 
depends=zip-de, zip-en, zip-es, zip-fr, zip-ja, zip-ko, zip-ru/
  +target description=- builds all HTML files and nroff man pages name=all 
depends=de, en, es, ja, ko, ru/
  +target description=- builds all zip download packages name=zip-all 
depends=zip-de, zip-en, zip-es, zip-ja, zip-ko, zip-ru/
   
   !-- German   --
   !--  --
  @@ -76,18 +76,6 @@
   chm.generic lang=es/
   /target
   
  -!-- French   --
  -!--  --
  -property value=.xml.fr name=inputext.fr/
  -property value=.html.fr name=outputext.fr/
  -
  -target description=- builds French HTML files name=fr
  -html.generic lang=fr/
  -/target
  -target description=- builds the French zipped download package name=zip-fr
  -zip.generic lang=fr/
  -/target
  -
   !-- Japanese --
   !--  --
   property value=.xml.ja name=inputext.ja/
  @@ -141,7 +129,6 @@
   include name=**/*.xml.de/
   include name=**/*.xml/
   include name=**/*.xml.es/
  -include name=**/*.xml.fr/
   include name=**/*.xml.ja/
   include name=**/*.xml.ko/
   include name=**/*.xml.ru/
  
  
  
  1.4   +0 -1  httpd-2.0/docs/manual/style/css/manual-zip.css
  
  Index: manual-zip.css
  ===
  RCS file: /home/cvs/httpd-2.0/docs/manual/style/css/manual-zip.css,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- manual-zip.css9 Feb 2004 20:22:53 -   1.3
  +++ manual-zip.css25 Aug 2004 20:15:24 -  1.4
  @@ -15,7 +15,6 @@
* limitations under the License.
*/
   
  -
   h1 {
   margin: 0 0 0.5em 0;
   }
  
  
  
  1.20  +5 -7  httpd-2.0/docs/manual/style/lang/de.xml
  
  Index: de.xml
  ===
  RCS file: /home/cvs/httpd-2.0/docs/manual/style/lang/de.xml,v
  retrieving revision 1.19
  retrieving revision 1.20
  diff -u -r1.19 -r1.20
  --- de.xml2 May 2004 22:53:22 -   1.19
  +++ de.xml25 Aug 2004 20:15:24 -  1.20
  @@ -1,6 +1,6 @@
   ?xml version=1.0 encoding=ISO-8859-1?
  -!DOCTYPE language [ !ENTITY nbsp #160; ]
  -!-- English Revision: 1.9 --
  +!DOCTYPE messages [ !ENTITY nbsp #160; ]
  +!-- English revision: 1.6.2.4 --
   
   !--
Copyright 2002-2004 The Apache Software Foundation
  @@ -84,8 +84,7 @@
in directivesynopsis headings will be replaced by the given string.
(see de.xml

Re: cvs commit: httpd-2.0/modules/aaa NWGNUauthnzldap mod_authnz_ldap.c NWGNUmakefile

[Brad Nicholes]

If you have time to move it before I do, by all mean, go for it.  I
probably won't get around to it until this afternoon anyway.  Thanks for
taking care of the build scripts.  I'm pretty sure that I can handle the
util_ldap netware build files once it is moved :)  
Experimental/Mod_auth_ldap should probably be thrown into the attic so
we can at least preserve the history.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Wednesday, August 18, 2004 7:24:13 AM 
Brad Nicholes wrote:

BTW, since I am not a Linux makefile guru, the new authnz_ldap
module
 has not been added to the Linux build scripts.  Can somebody make
the
 appropriate changes to the makefiles?

Done.

Are you going to move util_ldap to the ldap directory, or should I do 
it? I am not a netware guru, so you would have to do the build scripts
:)

Can we cvs rm mod_auth_ldap from it's old location?

Regards,
Graham
--

Re: cvs commit: httpd-2.0/modules/aaa NWGNUauthnzldap mod_authnz_ldap.c NWGNUmakefile

[Brad Nicholes]

   This is the first attempt to restructure mod_auth_ldap to fit the new
authentication model.  There are a couple of things to note that I would
like some feedback on.  

1. The ldap_authn provider and ldap_authz handler exist in the same
module.  The reason for this is because both handlers depend on the same
set of directive values to provide the necessary information for
establishing a connection to the ldap server.  Rather than having to
redefine the AuthLDAPUrl, AuthLDAPBindDN and AuthLDAPBindPassword for
two different modules, it seemed to make more sense both from a module
perspective and a user interface perspective, to allow them to share the
directives.  

2. As a result of #1, this leaves the ldap_authz hook registered
whether it is ultimately being used or not.  Therefore simply
reimplementing the require  types user and group within the
ldap_authz handler would conflict with the same types in other authz
modules if loaded and configured in the same directory at the same time.
 Therefore it seemed to make more since to implement ldap-user and
ldap-group which more closely identifies what is happening during the
authorization phase anyway.  authnz_ldap is still capable of using
valid-user, group or user if desired.

3. The directive AuthLDAPFrontPageHack has been removed.  The reason
for this hack was to allow authorization for frontpage to fallback on a
groupfile rather than the LDAP directory.  Now that authnz_ldap can be
configured to authorize via a authz_groupfile rather than forced to use
the directory, this directive didn't seem necessary anymore.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Tuesday, August 17, 2004 5:33:08 PM 
bnicholes2004/08/17 16:33:07

  Modified:modules/aaa NWGNUmakefile
  Added:   modules/aaa NWGNUauthnzldap mod_authnz_ldap.c
  Log:
  Re-structure the auth_ldap module to fit the new authentication
model.  The authnz_ldap module provides an ldap authentication provider
and an authorization handler.  It implements the authorization require
values ldap-user, ldap-dn and ldap-group.  This restructure also moves
auth_ldap out of the experimental directory.
  
  Revision  ChangesPath
  1.3   +2 -0  httpd-2.0/modules/aaa/NWGNUmakefile
  
  Index: NWGNUmakefile
  ===
  RCS file: /home/cvs/httpd-2.0/modules/aaa/NWGNUmakefile,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- NWGNUmakefile 13 Sep 2002 21:34:27 -  1.2
  +++ NWGNUmakefile 17 Aug 2004 23:33:07 -  1.3
  @@ -158,9 +158,11 @@
$(OBJDIR)/authndbm.nlm \
$(OBJDIR)/authndef.nlm \
$(OBJDIR)/authnfil.nlm \
  + $(OBJDIR)/authnzldap.nlm \
$(OBJDIR)/authzdbm.nlm \
$(OBJDIR)/authzdef.nlm \
$(OBJDIR)/authzgrp.nlm \
  + $(OBJDIR)/authzusr.nlm \
$(OBJDIR)/authzusr.nlm \
$(EOLIST)
   
  
  
  
  1.1  httpd-2.0/modules/aaa/NWGNUauthnzldap
  
  Index: NWGNUauthnzldap
  ===
  #
  # Make sure all needed macro's are defined
  #
  
  #
  # Get the 'head' of the build environment if necessary.  This
includes default
  # targets and paths to tools
  #
  
  ifndef EnvironmentDefined
  include $(AP_WORK)\build\NWGNUhead.inc
  endif
  
  #
  # These directories will be at the beginning of the include list,
followed by
  # INCDIRS
  #
  XINCDIRS  += \
$(AP_WORK)/include \
$(NWOS) \
$(AP_WORK)/srclib/apr/include \
$(AP_WORK)/srclib/apr-util/include \
$(AP_WORK)/srclib/apr \
$(EOLIST)
  
  #
  # These flags will come after CFLAGS
  #
  XCFLAGS   += \
$(EOLIST)
  
  #
  # These defines will come after DEFINES
  #
  XDEFINES  += \
$(EOLIST)
  
  #
  # These flags will be added to the link.opt file
  #
  XLFLAGS   += \
$(EOLIST)
  
  #
  # These values will be appended to the correct variables based on the
value of
  # RELEASE
  #
  ifeq $(RELEASE) debug
  XINCDIRS  += \
$(EOLIST)
  
  XCFLAGS   += \
$(EOLIST)
  
  XDEFINES  += \
$(EOLIST)
  
  XLFLAGS   += \
$(EOLIST)
  endif
  
  ifeq $(RELEASE) noopt
  XINCDIRS  += \
$(EOLIST)
  
  XCFLAGS   += \
$(EOLIST)
  
  XDEFINES  += \
$(EOLIST)
  
  XLFLAGS   += \
$(EOLIST)
  endif
  
  ifeq $(RELEASE) release
  XINCDIRS  += \
$(EOLIST)
  
  XCFLAGS

Re: cvs commit: httpd-2.0/modules/aaa NWGNUauthnzldap mod_authnz_ldap.c NWGNUmakefile

[Brad Nicholes]

The util_ldap module also needs to be moved out of the experimental 
directory (mod_auth*_ldap depends on mod_ldap).

This is my next task.  Where should it be moved to?  I was thinking of
creating an ldap directory under modules and putting it there.  Or does
it make sense for one of the existing module directories to be the new
home of util_ldap?

Brad



Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Tuesday, August 17, 2004 5:41:12 PM 
[EMAIL PROTECTED] wrote:

   Re-structure the auth_ldap module to fit the new authentication
model.  The authnz_ldap module provides an ldap authentication provider
and an authorization handler.  It implements the authorization require
values ldap-user, ldap-dn and ldap-group.

Extremely cool.

 This restructure also moves auth_ldap out of the experimental
directory.

Viva to that and an eclaire for both of us!

The util_ldap module also needs to be moved out of the experimental 
directory (mod_auth*_ldap depends on mod_ldap).

Regards,
Graham
--

Re: cvs commit: httpd-2.0/modules/aaa NWGNUauthnzldap mod_authnz_ldap.c NWGNUmakefile

[Brad Nicholes]

   BTW, since I am not a Linux makefile guru, the new authnz_ldap module
has not been added to the Linux build scripts.  Can somebody make the
appropriate changes to the makefiles?

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Tuesday, August 17, 2004 5:41:12 PM 
[EMAIL PROTECTED] wrote:

   Re-structure the auth_ldap module to fit the new authentication
model.  The authnz_ldap module provides an ldap authentication provider
and an authorization handler.  It implements the authorization require
values ldap-user, ldap-dn and ldap-group.

Extremely cool.

 This restructure also moves auth_ldap out of the experimental
directory.

Viva to that and an eclaire for both of us!

The util_ldap module also needs to be moved out of the experimental 
directory (mod_auth*_ldap depends on mod_ldap).

Regards,
Graham
--

Where is the AJP code...

[Brad Nicholes]

   The addition of the proxy_ajp module to the httpd project presents a
build problem.  The AJP module code exists in httpd/modules/proxy in the
httpd project but the AJP lib code still sits in the
jakarta-tomcat-connectors\ajp\ajplib\test in the jakarta project.  Is
the AJPLIB code going to be migrated to the httpd project?  Why is the
AJPLIB code in a test directory?

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

Re: New Mod_Proxy - some testing/looking

[Brad Nicholes]

   From what I can see, there seems to be a parameter mismatch for the
scheme_handler hook.  For example, the scheme_handler
ap_proxy_connect_handler() is defined as:

int ap_proxy_connect_handler(request_rec *r, proxy_server_conf *conf, 
 char *url, const char *proxyname, 
 apr_port_t proxyport)

but the scheme_handler hook is defined as:

APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, scheme_handler,
(request_rec *r, 
  proxy_worker *worker, proxy_server_conf
*conf, char *url, 
  const char *proxyhost, apr_port_t
proxyport))

notice the difference in the parameter lists.  The declaration has  6
parameters and the actual handler only has 5.  The handler is missing
proxy_worker * as the second parameter.  How does this compile or even
work on any platform? 

Brad


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Friday, August 13, 2004 1:37:16 PM 
At 04:58 AM 8/13/2004, NormW wrote:
Good evening Bill, All...

 Please direct these comments to [EMAIL PROTECTED] - b.t.w., you
 can check out the latest httpd-2.0 HEAD and pick up the entire
proxy
 solution (you must explicitly --enable-proxy-ajp and have the
ajplib
 sources there too.)

 Someone want to take a wack at NormW's observations?
Bill, thanks for the interest...
I can say that the 'problem' noted in proxy_ftp.c has been attended
with a
recent update from Mladen.
A build on the current 2.1 CVS shows (for NetWare):
- mod_proxy.c having trouble finding mod_status.h   (in
../modules/generators),
- the same problem mentioned previously with proxy_connect.c, (Errors
at 375
see 26, 80)
Bypassing these I now get:
Calling NWGNUproxyftp
Generating Release\proxyftp_cc.opt
Compiling proxy_ftp.c 
Compiling proxy_util.c
Compiling ../arch/netware/libprews.c
Generating Release\proxyftp_link.opt
Linking Release/proxyftp.nlm
### mwldnlm Linker Error:
#   Undefined symbol: 'ap_proxy_ssl_enable'
#   referenced from 'ap_proxy_connection_create' in proxy_util.o
### mwldnlm Linker Error:
#   Undefined symbol: 'ap_proxy_ssl_disable'
#   referenced from 'ap_proxy_connection_create' in proxy_util.o

As noted above, this is on a NetWare build...

It's expected because the netware gurus haven't had a chance to
catch up.  Please quit using tomcat-dev already - final warning;
ignoring future posts to there in order to enforce posting future
proxy patches/comments to [EMAIL PROTECTED] ;-)

I suspect Netware didn't grok that those symbols were local/global
as required?

Bill

Re: httpd-2.2 release roadmap v0.1

[Brad Nicholes]

I would hope that 2.0 is EOLed as soon as possible after 2.2 ships. 
Being basically the NetWare platform maintainer of two versions of
Apache (1.3, 2.0) with a development version on top of that, has been
bad enough.  Three would be a nightmare and when would it stop?  Even
for all but the most serious security fixes, the story would be upgrade
to 2.2.x because that is where the fix is. 

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Thursday, August 12, 2004 2:53:05 PM 
At 03:15 PM 8/12/2004, Jim Jagielski wrote:
Geoffrey Young wrote:
 
 so, can someone comment on what 2.2 (and the subsequent 2.3) mean
for 2.0?
 that is, if everyday hacking is against 2.3 and we propose a new
feature to
 backport, do we backport to both 2.2 and 2.0?  or does it mean that
2.0 has
 reached end-of-life and we backport only to 2.2?
 
 just so I (and others) know what to expect... :)

I would foresee only 1.3 and 2.2 being around and 2.0 being EOLed.

I expect the same, although providing the occasional 2.0 release for
security bug fixes.

Bill  

Re: cvs commit: httpd-2.0 STATUS

[Brad Nicholes]

Do we care about backporting the overhaul into the 2.0 tree?  I
don't see that it really buys us anything unless you think that it is
necessary in order to get auth_ldap out of experimental.  After I get
the latest util-ldap fixes backported, that should get mod_auth_ldap
working in 2.0.  Once it actually works, I think we can then propose
that it is moved out of experimental.  
The next thing that needs to be done would be to rework
mod_auth_ldap so that it complies with the rest of the 2.1 auth module
structure.The util-ldap overhaul could be considered part of that
work and only be available in 2.1.  Thoughts?

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Tuesday, August 03, 2004 7:09:01 PM 
minfrin 2004/08/03 18:09:01

  Modified:.Tag: APACHE_2_0_BRANCH STATUS
  Log:
  Propose a backport.
  
  Revision  ChangesPath
  No   revision
  No   revision
  1.751.2.965 +7 -1  httpd-2.0/STATUS
  
  Index: STATUS
  ===
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.964
  retrieving revision 1.751.2.965
  diff -u -r1.751.2.964 -r1.751.2.965
  --- STATUS3 Aug 2004 19:07:03 -   1.751.2.964
  +++ STATUS4 Aug 2004 01:09:00 -   1.751.2.965
  @@ -73,6 +73,12 @@
 [ please place file names and revisions from HEAD here, so it is
easy to
   identify exactly what the proposed changes are! ]
   
  +*) Remove LDAP toolkit specific code from util_ldap and
mod_auth_ldap.
  + modules/experimental/mod_auth_ldap.c: 1.28
  + modules/experimental/util_ldap.c: 1.36
  +   +1: minfrin (this requires the apr-util LDAP overhaul to be
ported to
  +apr-util v0.9 first)
  +
   *) Add load balancer support to the scoreboard in preparation
for
  load balancing support in mod_proxy.
include/scoreboard.h: 1.52
  
  
  

Re: FW: Bug in AuthLDAPURL?

[Brad Nicholes]

  This does work according to what the documentation says but you must
surround the LDAP URL with double quote as Graham suggested

 AuthLDAPURL ldap://ldap1.airius.com
ldap2.airius.com/ou=People,o=Airius

Otherwise Apache will interpret the space between the host names to be
two different parameters.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Friday, July 16, 2004 11:15:32 AM 
[Forwarding on behalf of Tair-Shian Chou who has problems getting his
mail through to [EMAIL PROTECTED] list]

-Madhu

-Original Message-
From: Tair-Shian Chou [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 15, 2004 3:10 PM
To: '[EMAIL PROTECTED]'
Subject: FW: Bug in AuthLDAPURL?


Hi Graham,

I did try that and it did not work. 

Thanks,

Chou

 -Original Message-
 From: Graham Leggett [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, July 14, 2004 4:51 PM
 To: [EMAIL PROTECTED] 
 Subject: Re: Bug in AuthLDAPURL?
 
 
 CHOU,TAIR-SHIAN (HP-Cupertino,ex1) wrote:
 
  AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, 
  o=Airius require valid-user
  
  When I try  the above AuthLDAPURL example given in Apache Module 
  mod_auth_ldap document with 2.0.50, I get the following error:
  
  Syntax error on line 19 of /opt/hpws/apache/conf/ldap.conf: 
  AuthLDAPURL takes one argument, URL to define LDAP connection.
 
 Can you try surrounding the ldap url with quotes and see if it fixes

 this? (If so, the docs are wrong).
 
 Regards,
 Graham
 --
 

Re: cvs commit: httpd-2.0/docs/manual/platform netware.xml

[Brad Nicholes]

   Basically because the same semantics don't fit for mod_nw_ssl. 
mod_nw_ssl is a much simpler module than mod_ssl.  It really only has
one significant directive which is SecureListen port certname.  All
the NWSSLUpgradeable directive is doing is associating a certificate
name with an existing listen addr:port so that if the request to
upgrade is made, Winsock has the information it needs to upgrade the
socket.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Wednesday, July 14, 2004 11:17:06 AM 
Brad,

is this the same functionality as 'SSLEngine upgrade' for the _nw_
module?

If so, why not reuse the same semantic?

  SSLEngine on negotation crypt - dismiss non-crypt requests
  SSLEngine upgradebegin uncrypted - allow upgrade
  SSLEngine off  begin, and stay, uncrypted

Bill

At 11:29 AM 7/14/2004, [EMAIL PROTECTED] wrote:
bnicholes2004/07/14 09:29:56

  Modified:docs/manual/mod Tag: APACHE_2_0_BRANCH mod_nw_ssl.xml
   docs/manual/platform Tag: APACHE_2_0_BRANCH
netware.xml
  Log:
  Add the new directive NWSSLUpgradeable to mod_nw_ssl to allow a
non-secure connection to be upgraded to secure connections
  
  Revision  ChangesPath
  No   revision
  No   revision
  1.1.2.7   +16 -1 httpd-2.0/docs/manual/mod/mod_nw_ssl.xml
  
  Index: mod_nw_ssl.xml
  ===
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_nw_ssl.xml,v
  retrieving revision 1.1.2.6
  retrieving revision 1.1.2.7
  diff -u -r1.1.2.6 -r1.1.2.7
  --- mod_nw_ssl.xml17 Apr 2004 18:43:37 -  1.1.2.6
  +++ mod_nw_ssl.xml14 Jul 2004 16:29:56 -  1.1.2.7
  @@ -62,4 +62,19 @@
   /usage
   /directivesynopsis
   
  +directivesynopsis
  +nameNWSSLUpgradeable/name
  +descriptionAllows a connection to be upgraded to an SSL
connection upon request/description
  +syntaxNWSSLUpgradeable
[varIP-address/var:]varportnumber/var/syntax
  +contextlistcontextserver config/context/contextlist
  +
  +usage
  +pAllow a connection that was created on the specified address

  +and/or port to be upgraded to an SSL connection upon request
from
  +the client. The address and/or port must have already be
defined 
  +previously with a directive
module=mpm_commonListen/directive 
  +directive./p
  +/usage
  +/directivesynopsis
  +
   /modulesynopsis
  
  
  
  No   revision
  No   revision
  1.3.2.8   +5 -1  httpd-2.0/docs/manual/platform/netware.xml
  
  Index: netware.xml
  ===
  RCS file: /home/cvs/httpd-2.0/docs/manual/platform/netware.xml,v
  retrieving revision 1.3.2.7
  retrieving revision 1.3.2.8
  diff -u -r1.3.2.7 -r1.3.2.8
  --- netware.xml   17 Apr 2004 19:10:48 -  1.3.2.7
  +++ netware.xml   14 Jul 2004 16:29:56 -  1.3.2.8
  @@ -413,6 +413,10 @@
   lidirective
module=mod_nw_sslNWSSLTrustedCerts/directive -
   Adds trusted certificates that are used to create secure
connections to proxied servers./li
 /ul
  +  ul
  +lidirective
module=mod_nw_sslNWSSLUpgradeable/directive -
  +Allow a connection created on the specified address/port to
be upgraded to an SSL connection./li
  +  /ul
   
   /section
   
  
  
  

Re: cvs commit: httpd-2.0/modules/experimental util_ldap.c

[Brad Nicholes]

Modules (right now, only mod_auth_ldap) depend on util_ldap, and 
changing the header would mean a break in binary compatibility (in 
theory). I think we should probably stick with an MMN bump for this to

be consistent, even though only the mod_auth_ldap module uses it (to
my 
knowledge).

I was hoping to avoid the MMN bump mainly because that means we can't
backport the changes to the 2.0 branch.  If the httpd 2.2 includes a
caching_util module then the only reason for these stabilization patches
is the 2.0 branch.  Also, if there are any other modules that do depend
on util_ldap, wouldn't they be just as broken as mod_auth_ldap was and
probably want to update anyway?  I don't know, I was hoping to get some
other feedback from the list.

As for the header being in /include, I think it should be there so
that 
external modules can be built against util_ldap. If the header was in

/experiemental, the full httpd source would be needed to build an
Apache 
module that used util_ldap (unless I am misunderstanding something).

True.  It just seems a little strange.

Brad



Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

Re: cvs commit: httpd-2.0/modules/experimental util_ldap.c

[Brad Nicholes]

Agreed, and interested in other thoughts as well.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 Graham Leggett [EMAIL PROTECTED] Monday, June 28, 2004 11:23:57 AM

Brad Nicholes wrote:

 I was hoping to avoid the MMN bump mainly because that means we
can't
 backport the changes to the 2.0 branch.  If the httpd 2.2 includes a
 caching_util module then the only reason for these stabilization
patches
 is the 2.0 branch.  Also, if there are any other modules that do
depend
 on util_ldap, wouldn't they be just as broken as mod_auth_ldap was
and
 probably want to update anyway?  I don't know, I was hoping to get
some
 other feedback from the list.

Well... the question is are there modules out there that use util_ldap

right now?

I think being experimental, the module is subject to incompatible
change 
anyway, and there seems to be a catch 22 situation here - the module is

currently broken, but the fix cannot be applied without an MMN bump (if

it was a fully fledged module). I think to break this catch 22 
situation, it seems reasonable to apply the changes to v2.0 without an

MMN bump as the code is experimental. Any other thoughts?

Regards,
Graham
--

Re: cvs commit: httpd-2.0/modules/experimental util_ldap.c util_ldap_cache.c util_ldap_cache.h

[Brad Nicholes]

  No, I didn't change anything that would allow for anonymous shared
memory.  This should probably check for a NULL before calling
apr_file_remove().

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Saturday, June 26, 2004 9:30:42 AM 
[EMAIL PROTECTED] wrote:

   +#if APR_HAS_SHARED_MEMORY
   +/* If the cache file already exists then delete it. 
Otherwise we are
   + * going to run into problems creating the shared memory.
*/
   +apr_file_remove(st-cache_file, ptemp);
   +if (st-cache_file) {
   +char *lck_file = apr_pstrcat (st-pool,
st-cache_file, .lck, NULL);
   +apr_file_remove(lck_file, ptemp);
   +}
   +#endif

Does this patch support the idea of the cache file being NULL (ie 
anonymous shared memory?).

The previous code insisted on specifying a cache file, which didn't
work 
properly under Linux. Now, not specifying a cache filename means use 
anonymous shared memory, I'd just like to check that this NULL
filename 
is case is still handled properly.

Regards,
Graham
--

Re: cvs commit: httpd-2.0/modules/experimental util_ldap.c util_ldap_cache.c util_ldap_cache.h

[Brad Nicholes]

   ptemp shouldn't ever be NULL on a post_config, right?  I just fixed
the code so that it checks for a NULL file name before calling
apr_file_remove().

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Saturday, June 26, 2004 10:01:07 AM 
Brad Nicholes wrote:

   No, I didn't change anything that would allow for anonymous shared
 memory.  This should probably check for a NULL before calling
 apr_file_remove().

  +apr_file_remove(st-cache_file, ptemp);

Will this line segfault if ptempt is NULL? If not, then it should be 
fine. If so, we should probably test for NULLness first (as you 
recommend above).

Regards,
Graham
--

NetWare and protected address space (was: Re: cvs commit: httpd-2.0 STATUS)

[Brad Nicholes]

   Just to provide a little background on NetWare (and if you don't
care, don't read any further).  NetWare is not your standard general
purpose operating system.  NetWare was origninally designed and built to
be a high performance, highly scalable and very secure file and print
server.  Over the years it has evolved into something that sits
somewhere between its original design purpose and a general purpose OS. 
In order to achieve the performance levels that it does, as much
overhead as possible was eliminated which includes the concept of
processes and what most people understand to be address spaces. 
Everything that runs on NetWare runs as a thread in Kernel address
space.  The idea of a separate address space or Protected Address
Space (as it is called around here) didn't show up in NetWare until
NetWare 5 (I think that was the first version).  Basically a protected
address space is just that.  NetWare allocates a separate address space
in which it is able to run an application.  In order for an application
to run in this address space, everything that it depends on has to be
loaded in that address space.  This mean code as well as data.  A
protected address space on NetWare could probably be thought of more as
a virtual machine than a process.  This is why it is so expensive to
spin up a CGI in a separate address space on Netware.
But running everything in kernel address space is not as scary as
it sounds on NetWare.  If you have a wild module that causes the Apache
instance to abend (another old time term that is still widely used when
refering to NetWare), it will bring Apache down, but the OS is smart
enough to isolate the offending application and still allow the server
to continue running.  The downside is that the only way to clear an
abend in kernel address space is to restart the server. While an abend
in a protected address space can simply be unloaded and cleared.  Some
NetWare administrators will choose to run applications like Apache in a
protected address space simply for the ability to easily clean it up if
something goes wrong.  But by doing so they sacrifice some level of
performance of the web server as well as system resources.  Others may
consider applications like Apache to be so stable and the performance
hit so great, that they are comfortable in running them in kernel
address space.  For the most part, this is the case.  But Apache is a
long lived application.  Once it is spun up and running, the overhead is
gone.  CGIs, as we all know, can come and go at anytime.  Because of the
same performance reason, other platforms have been able to increase
performance by using mod_cgid rather than mod_cgi to avoid the same type
of process creation overhead.  But on NetWare, not only is starting up a
CGI in protected address space much more expensive than forking a
process on other platforms, we don't have fork/exec on NetWare.
   The bottom line is that because of the nature of the NetWare OS, it
is much more efficient and much easier to run things in kernel address
space.  It is just the nature of the OS.  What's the benefit?
Performance, scalability and yes, security. (OK, that sounds a lot like
a marketing line, but its true)

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Tuesday, June 22, 2004 8:34:54 PM 
Uh, then may I follow up with another stupid, obvious question, if
using
another address space insulates the parent application and, in some
cases, the server from a crash resulting from an unstable module, why
do
they all use the same address space on novell?  Does this compromise a
security measure in the case of a module fail or crash?

-- 

Wayne S. Frazee
Any sufficiently developed bug is indistinguishable from a feature.


On Tue, 2004-06-22 at 16:49, Jean-Jacques Clar wrote:
 Can I ask the obvious, then?  When would a separate address space
 be desirable for an apr-based app to invoke a child/forked process? 

 
 
 It is a desirable option mainly for developers using unstable modules

 
 to ensure the child process will not kill the parent application, or
 the server, 
 
 in case a major problem happens inside the child.
 
 By default on NetWare, the http server and all of its child
processes
 are 
 
 started in the same address space.
 
 
  
  

Re: cvs commit: httpd-2.0 STATUS

[Brad Nicholes]

What if the default in APR is to run in a separate address space*, and
in 
places in Apache where on NetWare the child process should run in the
same 
address space there is a call to the proper procattr manipulator to
override 
the default so that the child runs in the same address space?  (and
ignore any 
APR_ENOTIMPL retcode from that procattr manipulator so that no ifdef
NETWARE is 
needed around the call)

   The is actually the behavior that we don't want on NetWare.  Running
CGI's or utilities like RotateLogs in a separate address space is very
painful and requires overhead and a performance hit that we don't want. 
On NetWare we need to default to the current address space.  BTW, an
address space on NetWare is, for the most part, very different than on
other platforms.  90% of what is running on the box, is running in the
same address space.
   When we implemented the CGIMapExtension directive to associate a CGI
extension with an executible (NetWare doesn't have a shell like BASH to
handle the associations) there is an optional parameter called detach
which allows the user to specify wheither the associated executible
should be run in the current address space or a separate address space. 
The default is the current address space.  

Brad


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Tuesday, June 22, 2004 5:45:58 AM 
[EMAIL PROTECTED] wrote:
 clar2004/06/21 12:11:56
 
   Modified:.Tag: APACHE_2_0_BRANCH STATUS
   Log:
   Removing bb proposal since it will require a major number bump
   
   Revision  ChangesPath
   No   revision
   No   revision
   1.751.2.932 +1 -12 httpd-2.0/STATUS
   
   Index: STATUS
  
===
   RCS file: /home/cvs/httpd-2.0/STATUS,v
   retrieving revision 1.751.2.931
   retrieving revision 1.751.2.932
   diff -u -r1.751.2.931 -r1.751.2.932
   --- STATUS  20 Jun 2004 13:12:26 -  1.751.2.931
   +++ STATUS  21 Jun 2004 19:11:56 -  1.751.2.932
   @@ -77,17 +77,6 @@
   hooks just like DSO modules can [Philippe M. Chiasson
gozer cpan.org]
   +1: geoff

   -*) mod_cgi: Added API call and new field in apr_procattr_t and
cgi_exec_info_t 
   -   structures to support loading in current or new address
space for CGIs.
   -   It fixes NetWare that is currently broken after changes
done to log.c r1.145.
   -   modules/generators/mod_cgi.c r1.164
   -   modules/generators/mod_cgi.h r1.14
   -   modules/arch/netware/mod_netware r1.18
   -   +1: jjclar, bnicholes
   -   -0: nd
   -   trawick: is minor mmn bump needed to reflect that API
structure was extended?
   -   nd: same as mod_ssl.h issues. It's actually a major bump.

Jeff eventually needs to backport the use of a different cmdtype for
piped 
loggers in order to fix an outstanding PR and NetWare still needs to
create 
piped logger processes as expected and recover from a historical lack
of 
information provided to APR about whether or not the child process
should run 
within the same address space of the parent.

Surely there is some way to make this happen?

What if the default in APR is to run in a separate address space*, and
in 
places in Apache where on NetWare the child process should run in the
same 
address space there is a call to the proper procattr manipulator to
override 
the default so that the child runs in the same address space?  (and
ignore any 
APR_ENOTIMPL retcode from that procattr manipulator so that no ifdef
NETWARE is 
needed around the call)

This at least avoids adding a field to the end of the cgi structure
allocated 
by Apache and passed to modules implementing the optional function,
which (at 
the moment) a minority of people think requires a major bump.

*sounds natural to me; that also means that the default is the same on
all 
platforms -- run child in different address space

Re: cvs commit: httpd-2.0/modules/experimental util_ldap.c

[Brad Nicholes]

  Do the docs need to be updated for this change?  Allowing relative
paths to be resolved against ServerRoot seemed like fairly standard
procedure.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Tuesday, June 15, 2004 3:42:25 AM 
[EMAIL PROTECTED] wrote:

 bnicholes2004/06/11 09:15:43
 
   Modified:.Tag: APACHE_2_0_BRANCH CHANGES STATUS
modules/experimental Tag: APACHE_2_0_BRANCH
util_ldap.c
   Log:
   Allow relative paths for LDAPTrustedCA to be resolved against
ServerRoot PR#26602

Have the docs been updated to reflect this?

Just to confirm - are docs changes subject to RTC?

Regards,
Graham
--

Re: huge memory leak in 2.0.x

[Brad Nicholes]

   Actually I think this was addressed quite a while ago with the
introduction of the MaxMemFree directive.  This problem sounds a lot
like the bucket issue where memory allocated for the bucket brigade that
pushes the data through from the CGI app to the wire, simply held on to
the memory assuming that it would be needed later.  The MaxMemFree
directive allowed the memory pool manager to release excess memory
rather than allowing it to hang around.

Brad  

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Monday, June 14, 2004 11:55:29 AM 
Hi,

[I'm writing to the dev list because it seems that not enough apache
developers have noticed or taken interest into the original PR's
on this bug]

This is a real and easy to reproduce bug that has been agonizing me
for a quite a while. It's been reported since at least October '03.
1.3.x does not show this behaviour. Please see the original report at
http://issues.apache.org/bugzilla/show_bug.cgi?id=23567 

and my report at
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29528 

I've tried looking into the problem, but unfortunatly, I have no
knowledge/background of the apache source.

I'll test any patches.

Cheers,

-m

Re: util_ldap [Bug 29217] - Remove references to calloc() and free()

[Brad Nicholes]

After speaking many times about this problem on #apache-modules, Paul 
Querna said that it would be better to port mod_auth_ldap to 
mod_authn_ldap, and do module caching auth, for all authentication 
method. I am sure this way is really better and i agree with him. I
know 
he started this cache module, maybe it could be good to continue this

effort and on another hand, port mod_auth_ldap to 2.1.

I agree that a generic caching module would be of benefit here even
before we port mod_auth_ldap to the 2.1 auth structure.  Either way, I
also think there is a lot of work to do on the caching code.  I am sure
that we can take advantage of what has been done in mod_ssl and other
places that have to mutex protect shared memory.  It is actually working
great on NetWare at the moment but then we don't use shared memory and
we are multi-threaded only.

Brad


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Friday, June 11, 2004 4:04:22 PM 
mod_ssl mutex are totally different. global mutex are used.

Actually, the mutex is in the module_conf, so i think when apache fork

childs, this mutex is no more valid, and each child will have a value 
for it.
There is also in util_ldap.c, apr_thread_mutex_create(st-mutex, 
APR_THREAD_MUTEX_DEFAULT, st-pool);
This will alloc data for the mutex with apr_pcalloc, and i think it
will 
be only in the current child.
I think there is a lot of work to make it work with global mutex.

After speaking many times about this problem on #apache-modules, Paul 
Querna said that it would be better to port mod_auth_ldap to 
mod_authn_ldap, and do module caching auth, for all authentication 
method. I am sure this way is really better and i agree with him. I
know 
he started this cache module, maybe it could be good to continue this 
effort and on another hand, port mod_auth_ldap to 2.1.

Regards,

Matthieu

Re: util_ldap [Bug 29217] - Remove references to calloc() and free()

[Brad Nicholes]

   I agree that the LDAP code needs to do more error checking and
between the work that you did, along with the holes that I plugged
previously and the shared memory fixes that Mathieu Estrade did, I think
the code is much more robust than it has ever been.  Many of our NetWare
customers use auth_ldap as the primary means of authentication because
it is the easiest way to authenticate against eDirectory.  Outside of
the shared memory problems, since NetWare doesn't use it, we have run
into the same issues that you have seen.  But since these latest patches
that have gone into 2.0.50-dev, those problems have gone away.
   At least on NetWare, switching to pools would make the code much
more complex.  Rather than simply calling calloc and free in the same
way that we are calling apr_rmm_calloc() and apr_rmm_free(), we would
have to implement essentially the same model using pools and reslists. 
It seems to me like using a sledge hammer to drive a finishing nail in
this instance.  Also in the end, it all boils down to malloc and free
anyway.  As far as debugging goes, I can understand why it might be
easier using the pool debug code, but we have never been successful in
making the pool debug code work on NetWare.  Granted we probably haven't
tried real hard mainly because NetWare already has some good memory
debugging capabilities built into the OS.  If debugging is a problem, I
think it might be easier to implement some memory debugging code
specifically for the LDAP_cache rather than trying to retrofit it with
pools and reslists.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Thursday, June 10, 2004 4:59:30 AM 
Brad Nicholes wrote:

I guess that is a possibility but I still don't understand what
the
 problem is with using calloc() and free() for the ldap caching code.

 This seems to be a common thing to do when global memory needs to be
 allocated and deallocated constantly.  To avoid having the memory
grow
 uncontrolably, you have to be able to control it at a much finer
level
 than apr_pool allows you.

What I've found in the LDAP code is that it isn't very defensive, most

of the code simply assumes the rest of the code worked - it has
resulted 
in me finding all sorts of side problems in the code, but not the real

problem - the false negatives the code reports after it has been idle 
for a long time.

Changing malloc and free into something more bulletproof (or at least 
more robust), like pools and/or the reslist stuff would make the code 
more resilient, and for me, easier to debug :)

Regards,
Graham
--

Re: util_ldap [Bug 29217] - Remove references to calloc() and free()

[Brad Nicholes]

   I have considered using a pool per entry in other caching code that I
have written just so that I could have much finer control over
allocating and freeing the memory.  But in the end what it really comes
down to is malloc and free and if that is what you really want, then why
not just use malloc and free.  Pools just add a layer of memory
management between your application and the actual allocation that may
be of no use.  You have simply replaced malloc() with apr_pool_create()
and free() with apr_pool_destroy().  If you forget to call
apr_pool_destroy(), you have a memory leak in the same way as you would
if you forget to call free().  When the application shuts down, the pool
management will clean up the memory but then so will the process
management of the OS.  Outside of some debugging help during
development, converting to pools and reslists is just adding a lot of
unneeded overhead.  The advantage to using memory pools is in situations
where you need a pool of memory that can created, pieced out during a
specific operation and then completely cleared once the operation is
complete and reused without having to recreate it.  Global caches just
don't lend themselves to this model.  The pieces can come can go, but
you can never really clear the whole thing out and reuse it because the
operation never actually ends.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 Graham Leggett [EMAIL PROTECTED] Thursday, June 10, 2004 9:46:16
AM 
Brad Nicholes wrote:

At least on NetWare, switching to pools would make the code much
 more complex.  Rather than simply calling calloc and free in the
same
 way that we are calling apr_rmm_calloc() and apr_rmm_free(), we
would
 have to implement essentially the same model using pools and
reslists. 
 It seems to me like using a sledge hammer to drive a finishing nail
in
 this instance.  Also in the end, it all boils down to malloc and
free
 anyway.  As far as debugging goes, I can understand why it might be
 easier using the pool debug code, but we have never been successful
in
 making the pool debug code work on NetWare.  Granted we probably
haven't
 tried real hard mainly because NetWare already has some good memory
 debugging capabilities built into the OS.  If debugging is a problem,
I
 think it might be easier to implement some memory debugging code
 specifically for the LDAP_cache rather than trying to retrofit it
with
 pools and reslists.

The theory is that the pools code is already hopefully been 
pre-debugged, you can allocate memory from a pool, and be reasonably 
sure that the problems of freeing the memory is handled for you. (If 
this is not the case, it won't be an LDAP bug, but an Apache wide bug).

The only real issue really is worrying about the scope of the pool.

Thinking further about this, we could use one pool per cache entry. To

delete that cache entry just means to destroy the pool. No more need to

walk the cache entry and delete each buffer one by one, and no room to

make mistakes. No more chance that somebody adds a field to the cache 
entry, and then forgets the code to free the cache entry.

Creation of the pool would only be done on creation of the cache entry,

which in turn is done only on the first time this user is
authenticated, 
all further requests being cached, so it doesn't seem to be expensive 
either, unless someone with a better understanding of the internals of

pools would be able to say whether this idea is good or bad.

Regards,
Graham
--

Re: util_ldap [Bug 29217] - Remove references to calloc() and free()

[Brad Nicholes]

   It appears to me that if it doesn't handle low memory situations or
it is giving false positives, those are separate issues from pools vs.
calloc/free.  I still think we need to implement some better monitoring
or logging code in the cache_mgr and enhance the cache-status pages so
that we can track things like false positives.  Maybe tracking the
entries by user name and authentication state rather than just the
number entries and how often the cache was hit.

   Maybe the real problem is with the locking.  In fact just taking a
quick scan through the code again, I am seeing something that bothers me
in util_ldap_cache_comparedn()

if (curl) {
/* compare successful - add to the compare cache */
LDAP_CACHE_RDLOCK();
newnode.reqdn = (char *)reqdn;
newnode.dn = (char *)dn;
util_ald_cache_insert(curl-dn_compare_cache, newnode);
LDAP_CACHE_UNLOCK();
}

It appears to be acquiring a read lock but then inserts a new node into
the cache.  Shouldn't it be acquiring a write lock before doing an
insert?


Brad


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 Graham Leggett [EMAIL PROTECTED] Thursday, June 10, 2004 4:24:54
PM 
Brad Nicholes wrote:

 Do we even know that there is a problem with this code?  I haven't
seen
 any memory leaks so far.  I would hate to go to all of the work to
 redesign and rewrite the ldap_cache manager for little to no gain.

It does not seem to handle the we ran out of memory while trying to
add 
to the cache case very gracefully. It doesn't crash any more, but I'm

experiencing false negatives still, which is the problem I was trying
to 
fix when I started trying to fix the code.

Regards,
Graham
--

Re: util_ldap [Bug 29217] - Remove references to calloc() and free()

[Brad Nicholes]

  In fact, I don't think that these are shared locks at all 

#define LDAP_CACHE_LOCK_CREATE(p) \
if (!st-util_ldap_cache_lock)
apr_thread_rwlock_create(st-util_ldap_cache_lock, st-pool)

which means that in the shared memory cache, it is highly likely that
multiple processes could be altering the cache at the same time.  True? 
Since NetWare is multi-threaded only, we never see this problem.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Thursday, June 10, 2004 5:07:52 PM 
   It appears to me that if it doesn't handle low memory situations or
it is giving false positives, those are separate issues from pools vs.
calloc/free.  I still think we need to implement some better
monitoring
or logging code in the cache_mgr and enhance the cache-status pages so
that we can track things like false positives.  Maybe tracking the
entries by user name and authentication state rather than just the
number entries and how often the cache was hit.

   Maybe the real problem is with the locking.  In fact just taking a
quick scan through the code again, I am seeing something that bothers
me
in util_ldap_cache_comparedn()

if (curl) {
/* compare successful - add to the compare cache */
LDAP_CACHE_RDLOCK();
newnode.reqdn = (char *)reqdn;
newnode.dn = (char *)dn;
util_ald_cache_insert(curl-dn_compare_cache, newnode);
LDAP_CACHE_UNLOCK();
}

It appears to be acquiring a read lock but then inserts a new node
into
the cache.  Shouldn't it be acquiring a write lock before doing an
insert?


Brad


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 Graham Leggett [EMAIL PROTECTED] Thursday, June 10, 2004 4:24:54
PM 
Brad Nicholes wrote:

 Do we even know that there is a problem with this code?  I haven't
seen
 any memory leaks so far.  I would hate to go to all of the work to
 redesign and rewrite the ldap_cache manager for little to no gain.

It does not seem to handle the we ran out of memory while trying to
add 
to the cache case very gracefully. It doesn't crash any more, but I'm

experiencing false negatives still, which is the problem I was trying
to 
fix when I started trying to fix the code.

Regards,
Graham
--

Re:util_ldap [Bug 29217] - Remove references to calloc() and free()

[Brad Nicholes]

   But if you are allocating memory for cache entries that are
constantly expiring and being purged, the pool will continue to grow
until the server is restarted.  The pool would end up with stale memory
that the system has no way of reclaiming outside of restarting the
server.  NetWare doesn't have the concept of a child config pool since
there are no child processes and therefore no need to use shared memory.
 Simply restarting a child process is not an option.  On NetWare it is
all or nothing.  Apache is either up and running or not.  If you tried
to shutdown the process to reclaim memory, you lose the web server.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

 [EMAIL PROTECTED] Wednesday, June 09, 2004 4:43:22 PM 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://issues.apache.org/bugzilla/show_bug.cgi?id=29217.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29217 

Remove references to calloc() and free()





--- Additional Comments From [EMAIL PROTECTED]  2004-06-09 22:43
---
The idea is to use apr_rmm_calloc() for the shared memory case, and
memory from
the child config pool in the non shared memory case. When the server
is
restarted, the pool is cleaned up and the cache started from scratch.

The purpose of this proposal is the fix the memory leak you mentioned.

-
To unsubscribe, e-mail: [EMAIL PROTECTED] 
For additional commands, e-mail: [EMAIL PROTECTED]