Subject: pkg/31133: {Free,Net}BSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls[_s]()
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <lavalamp@spiritual-machines.org>
List: pkgsrc-bugs
Date: 09/04/2005 07:54:01
>Number: 31133
>Category: pkg
>Synopsis: {Free,Net}BSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls[_s]()
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 04 07:54:01 +0000 2005
>Originator: Brian A. Selecki
>Release: -current
>Organization:
Spiritual Machines
>Environment:
NetBSD deadset 2.99.9 NetBSD 2.99.9 (DEADSET) #4: Sun Nov 7 21:21:25 EST 2004 root@deadset:/mnt/disk0/obj/sys/arch/i386/compile/DEADSET i386
>Description:
For whatever reason, the php4 and php5 from FreeBSD ports refuse to properly configure SSL/TLS
support for the LDAP module.
This breaks the TLS/SSL functionality in net/phpldapadmin and sysutils/ldap-account-manager
(CC'ing maintainers)
I've got two current i386/RELENG_5_3 boxes. Both with Apache apache-2.0.54_2 and
openldap-client-2.2.27.
The ldap client binaries are linked to SSL fine and can talk both ldaps:// and Start_TLS over
ldap://. That's out of the question.
One with php4-4.4.0, one with php5-5.0.3_2 (see below). Both have the LDAP and SSL php
extension modules installed:
$ egrep -i "ldap|ssl" /usr/local/etc/php/extensions.ini
extension=openssl.so
extension=ldap.so
# ldd /usr/local/lib/php/20020429/ldap.so
/usr/local/lib/php/20020429/ldap.so:
libldap-2.2.so.7 => /usr/local/lib/libldap-2.2.so.7 (0x28174000)
liblber-2.2.so.7 => /usr/local/lib/liblber-2.2.so.7 (0x281a7000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x281b4000)
libssl.so.3 => /usr/lib/libssl.so.3 (0x282c8000)
The php5 box is as well:
$ ldd /usr/local/lib/php/20041030/ldap.so
/usr/local/lib/php/20041030/ldap.so:
libldap-2.2.so.7 => /usr/local/lib/libldap-2.2.so.7 (0x28173000)
liblber-2.2.so.7 => /usr/local/lib/liblber-2.2.so.7 (0x281a6000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x281b3000)
libssl.so.3 => /usr/lib/libssl.so.3 (0x282c7000)
The problem is that ldap_start_tls() is an unregistered/invalid function. When I run the functions.php at http://www.sitepoint.com/article/php-command-line-2
ldap_start_tls() isn't listed on either machine (see below).
# pkg_info |grep -i php
libmcrypt-2.5.7_1 Multi-cipher cryptographic library (used in PHP)
pear-XML_RPC-1.4.0 PHP implementation of the XML-RPC protocol
php4-4.4.0 PHP Scripting Language (Apache Module and CLI)
php4-ctype-4.4.0 The ctype shared extension for php
php4-dba-4.4.0 The dba shared extension for php
php4-extensions-1.0 A "meta-port" to install PHP extensions
php4-gettext-4.4.0 The gettext shared extension for php
php4-ldap-4.4.0 The ldap shared extension for php
php4-mcrypt-4.4.0 The mcrypt shared extension for php
php4-mysql-4.4.0 The mysql shared extension for php
php4-openssl-4.4.0 The openssl shared extension for php
php4-overload-4.4.0 The overload shared extension for php
php4-pcre-4.4.0 The pcre shared extension for php
php4-pear-4.4.0 PEAR framework for PHP
php4-pgsql-4.4.0 The pgsql shared extension for php
php4-posix-4.4.0 The posix shared extension for php
php4-session-4.4.0 The session shared extension for php
php4-tokenizer-4.4.0 The tokenizer shared extension for php
php4-xml-4.4.0 The xml shared extension for php
php4-zlib-4.4.0 The zlib shared extension for php
phpldapadmin-0.9.7.a6,1 A set of PHP-scripts to administer LDAP servers
$ pkg_info |grep -i php5
php5-5.0.4_1 PHP Scripting Language (Apache Module and CLI)
php5-bz2-5.0.3_2 The bz2 shared extension for php
php5-calendar-5.0.3_2 The calendar shared extension for php
php5-ctype-5.0.3_2 The ctype shared extension for php
php5-curl-5.0.4_2 The curl shared extension for php
php5-dom-5.0.3_2 The dom shared extension for php
php5-exif-5.0.3_2 The exif shared extension for php
php5-extensions-1.0 A "meta-port" to install PHP extensions
php5-ftp-5.0.3_2 The ftp shared extension for php
php5-gd-5.0.3_2 The gd shared extension for php
php5-gettext-5.0.3_2 The gettext shared extension for php
php5-iconv-5.0.3_2 The iconv shared extension for php
php5-imap-5.0.3_2 The imap shared extension for php
php5-ldap-5.0.4_2 The ldap shared extension for php
php5-mcrypt-5.0.3_2 The mcrypt shared extension for php
php5-mhash-5.0.3_2 The mhash shared extension for php
php5-mysql-5.0.3_2 The mysql shared extension for php
php5-odbc-5.0.4_2 The odbc shared extension for php
php5-openssl-5.0.3_2 The openssl shared extension for php
php5-pcre-5.0.3_2 The pcre shared extension for php
php5-pear-5.0.3_2 PEAR framework for PHP
php5-pgsql-5.0.3_2 The pgsql shared extension for php
php5-posix-5.0.3_2 The posix shared extension for php
php5-session-5.0.3_2 The session shared extension for php
php5-simplexml-5.0.3_2 The simplexml shared extension for php
php5-soap-5.0.3_2 The soap shared extension for php
php5-sqlite-5.0.3_2 The sqlite shared extension for php
php5-sysvmsg-5.0.3_2 The sysvmsg shared extension for php
php5-sysvsem-5.0.3_2 The sysvsem shared extension for php
php5-sysvshm-5.0.3_2 The sysvshm shared extension for php
php5-tokenizer-5.0.3_2 The tokenizer shared extension for php
php5-xml-5.0.3_2 The xml shared extension for php
php5-zlib-5.0.3_2 The zlib shared extension for php
php4box# php public_html/functions.php -e ldap
ldap_connect
ldap_close
ldap_bind
ldap_unbind
ldap_read
ldap_list
ldap_search
ldap_free_result
ldap_count_entries
ldap_first_entry
ldap_next_entry
ldap_get_entries
ldap_first_attribute
ldap_next_attribute
ldap_get_attributes
ldap_get_values
ldap_get_values_len
ldap_get_dn
ldap_explode_dn
ldap_dn2ufn
ldap_add
ldap_delete
ldap_modify
ldap_mod_add
ldap_mod_replace
ldap_mod_del
ldap_errno
ldap_err2str
ldap_error
ldap_compare
ldap_sort
ldap_rename
ldap_get_option
ldap_set_option
ldap_first_reference
ldap_next_reference
ldap_set_rebind_proc
php5 box$ php functions.php -e ldap
ldap_connect
ldap_close
ldap_bind
ldap_unbind
ldap_read
ldap_list
ldap_search
ldap_free_result
ldap_count_entries
ldap_first_entry
ldap_next_entry
ldap_get_entries
ldap_first_attribute
ldap_next_attribute
ldap_get_attributes
ldap_get_values
ldap_get_values_len
ldap_get_dn
ldap_explode_dn
ldap_dn2ufn
ldap_add
ldap_delete
ldap_modify
ldap_mod_add
ldap_mod_replace
ldap_mod_del
ldap_errno
ldap_err2str
ldap_error
ldap_compare
ldap_sort
ldap_get_option
ldap_set_option
ldap_parse_result
ldap_first_reference
ldap_next_reference
ldap_rename
ldap_set_rebind_proc
>How-To-Repeat:
I traced it down:
in /usr/ports/net/php5-ldap/work/php-5.0.4/ext/ldap/configure ->
conftest -> ldap_start_tls_s();
ldap_start_tls_s return false -> ac_cv_func_ldap_start_tls_s=no in config.log
config.log -> ldap.h -> #undef HAVE_LDAP_START_TLS_S
config.c -> HAVE_LDAP_START_TLS_S -> PHP_FE(ldap_start_tls, NULL)
...therefore ldap_start_tls isn't registered. The question is why the conftest.c in GNU
autoconf is failing with:
configure:5048: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'
...Which is odd since:
php4$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches
Binary file lib/pam_ldap.so matches
php4$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function. */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */
$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s
and...
php5$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches
php5$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function. */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */
$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s
...from 'make configure' in ports/net/php5-ldap/
checking for LDAP support... yes, shared
checking for LDAP Cyrus SASL support... no
checking for 3 arg ldap_set_rebind_proc... yes
checking for ldap_parse_reference... no
checking for ldap_start_tls_s... no
checking for ldap_bind_s... yes
...from config.log:
configure:5048: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
configure: failed program was:
>Fix:
I don't dabble in GNU Autoconf, and I recommend everyone else do the same, but if someone actually wants to fix the autoconf aspect of this so that a patch on the Free/NetBSD side isn't required forever, then God speed.
My temporary solution is:
1) cd /usr/{ports,pkgsrc}/{net/php5-ldap,databases/php-ldap} on {Free,Net}BSD respectively
2) sudo make configure
3) sudo vim
   On FreeBSD:
   work/php-5.0.4/ext/ldap/config.h or
   work/php-4.4.0/ext/ldap/config.h
   On NetBSD:
   work/php-5.0.4/ext/ldap/config.h
4) Change:
/* Define to 1 if you have the `ldap_start_tls_s' function. */
/* #undef HAVE_LDAP_START_TLS_S */
To:
#define HAVE_LDAP_START_TLS_S 1
5) sudo make install
6) carry on pretending that your employee data is secure
$ cat ~/public_html/testtls.php
<?php
/* Report whether the ldap extension registered ldap_start_tls() */
if (function_exists('ldap_start_tls'))
    echo "I see it!\n";
?>
[0] seklecki@blah:/$ php ~/public_html/testtls.php
I see it!
7) ...sit around on your day off and try to determine how the following piece of code from
configure.sh was [ever] supposed to determine if ldap_start_tls_s() was a valid function w/o
including arguments -I/usr/local/include, -L/usr/local/lib to gcc(1) or #including ldap.h or
lber.h, and wonder who is responsible >:}
*cough*
http://chora.php.net/diff.php/php-src/ext/ldap/config.m4?php=3c934ff67902f7c5ce419c901b82c77e&r1=1.23&r2=1.24&ty=h&num=10
*cough* ... 8-) ...i dunno, maybe it "just works(r)" on Linux >:}
| /* confdefs.h. */
|
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define COMPILE_DL_LDAP 1
| #define HAVE_LDAP 1
| #define HAVE_3ARG_SETREBINDPROC 1
| /* end confdefs.h. */
| /* Define ldap_start_tls_s to an innocuous variant, in case <limits.h> declares ldap_start_tls_s.
| For example, HP-UX 11i <limits.h> declares gettimeofday. */
| #define ldap_start_tls_s innocuous_ldap_start_tls_s
| /* System header to define __stub macros and hopefully few prototypes,
| which can conflict with char ldap_start_tls_s (); below.
| Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
| <limits.h> exists even on freestanding compilers. */
|
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
|
| #undef ldap_start_tls_s
|
| /* Override any gcc2 internal prototype to avoid an error. */
| #ifdef __cplusplus
| extern "C"
| {
| #endif
| /* We use char because int might match the return type of a gcc2
| builtin and then its argument prototype would still apply. */
| char ldap_start_tls_s ();
| /* The GNU C library defines this for functions which it implements
| to always fail with ENOSYS. Some functions are actually named
| something starting with __ and the normal name is an alias. */
| #if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
| choke me
| #else
| char (*f) () = ldap_start_tls_s;
| #endif
| #ifdef __cplusplus
| }
| #endif
|
| int
| main ()
| {
| return f != ldap_start_tls_s;
| ;
| return 0;
| }
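As an added example (not part of this PR or of PHP's own code), a helper that fails closed when the ldap extension was built with HAVE_LDAP_START_TLS_S undefined, so a misbuilt php-ldap cannot quietly lead to a bind going over the wire in the clear. It assumes PHP 5.1 or later (SPL RuntimeException) and caller-supplied $host, $binddn and $password, which are placeholders here.

```php
<?php
// Added example, not from the PR. Assumes PHP 5.1+ (SPL RuntimeException)
// and a php-ldap build; $host/$binddn/$password are caller-supplied.
function ldap_connect_starttls($host, $binddn, $password)
{
    // A php-ldap built with HAVE_LDAP_START_TLS_S undefined has no
    // ldap_start_tls() at all. Refuse to continue rather than bind in clear.
    if (!function_exists('ldap_start_tls')) {
        throw new RuntimeException(
            'php-ldap built without ldap_start_tls(); refusing plaintext bind');
    }

    $link = ldap_connect('ldap://' . $host);
    if ($link === false) {
        throw new RuntimeException("ldap_connect() failed for $host");
    }

    // StartTLS is an LDAPv3 extended operation; old builds default to v2.
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);

    // Upgrade the connection before any credentials are sent. No fallback
    // to plaintext if the server refuses or the handshake fails.
    if (!@ldap_start_tls($link)) {
        $err = ldap_error($link);
        ldap_unbind($link);
        throw new RuntimeException("StartTLS refused by $host: $err");
    }

    if (!@ldap_bind($link, $binddn, $password)) {
        $err = ldap_error($link);
        ldap_unbind($link);
        throw new RuntimeException("bind as $binddn failed: $err");
    }
    return $link;
}
```

The same function_exists() check can run as a deployment smoke test, e.g. `php -r 'exit(function_exists("ldap_start_tls") ? 0 : 1);'`, so a package built from a misdetected config.h is caught before phpldapadmin or ldap-account-manager ever reaches the bind.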