There is at least one reported case of LDAP authentication not working with OpenLDAP 2.2 -- see squid bug #1018 -- so abort the build if 2.2 is the version of OpenLDAP squid is to be built against (thanks to Oliver Eikemeier for telling me how to do this correctly).

This issue does not seem to be related to the vendor patch against the LDAP authentication helpers as I originally thought (see ports/69465) but until this issue is sorted out upstream, keep leaving this patch alone since I cannot test LDAP authentication myself yet.

No PORTREVISION bump since this is merely a clarification of the status quo and LDAP auth is not built and installed by default.

Fix: Apply this patch:
Thomas-Martin Seck wrote:

> [...]
> This issue does not seem to be related to the vendor patch against the
> LDAP authentication helpers as I originally thought (see ports/69465)
> but
> until this issue is sorted out upstream, keep leaving this patch alone
> since I cannot test LDAP authentication myself yet.

I believe this is caused by the vendor patch and does in no way relate to the OpenLDAP version used. The vendor patch breaks -H, -P and authentication. They changed checkLDAP from

    if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS)
        return 1;
    return 0;

to

    if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS)
        ret = 1;
    return 0;

which can't possibly work. I could show you some more examples of code that is obviously wrong after this patch.

Besides, you can test this by yourself by repeating the steps given in <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>

You shouldn't be able to authenticate or crash.

Again: I can't see any signs that this relates to the OpenLDAP version used.

-Oliver
* Oliver Eikemeier (eikemeier@fillmore-labs.com):

> Thomas-Martin Seck wrote:
>
> >[...]
> >This issue does not seem to be related to the vendor patch against the
> >LDAP authentication helpers as I originally thought (see ports/69465)
> >but
> >until this issue is sorted out upstream, keep leaving this patch alone
> >since I cannot test LDAP authentication myself yet.
>
> I believe this is caused by the vendor patch and does in no way relate
> to the OpenLDAP version used. The vendor patch breaks -H, -P and
> authentication.

You are probably right, but...

[...]

> You shouldn't be able to authenticate or crash.
>
> Again: I can't see any signs that this relates to the OpenLDAP version
> used.

This sounds plausible, too, unfortunately I do not have an LDAP server to test against and squid bug #1018 says "with OpenLDAP 2.1 it works" and when I asked Edwin Groothuis for feedback he said the vendor patch would make no difference, the problem depended on the OpenLDAP version.

So for me the problem /seems/ to be OpenLDAP 2.2. I have to believe what I am told so until I get a clear statement about the cause of the problem I like to revert the port to a known good state ASAP. /Should work/ has bitten me too often, so I am a bit reluctant to believe this (no offence meant!).

I am a bit at a loss now, because I want to avoid breaking users' setups when they upgrade squid and OpenLDAP at the same time, mostly because I do not have any positive feedback wrt OpenLDAP 2.2, that's all. If I had, things were easier for me, so everyone using the OpenLDAP 2.2 client libraries for squid authentication is invited to mail success stories to me :)

Anyway: if you have not done so already please contact Henrik Nordström <hno@squid-cache.org> and try to sort this out with him. I am convinced both of you can collaborate on this and come to a solution really quickly.
* Oliver Eikemeier (eikemeier@fillmore-labs.com):

> Thomas-Martin Seck wrote:
>
> >This sounds plausible, too, unfortunately I do not have an LDAP server
> >to test against and squid bug #1018 says "with OpenLDAP 2.1 it works"
> >and when I asked Edwin Groothuis for feedback he said the vendor patch
> >would make no difference, the problem depended on the OpenLDAP version.
>
> squid bug #1018 also tells you to do
>
> /usr/local/libexec/squid/squid_ldap_auth -b o=BarNet,c=AU -f uid=%s -h
> ldap.barnet.com.au

Thanks, I overlooked that. I assumed that the test scenario was a local one and did not look closer.

> I'm CC'ed on the squid bug, which he will hopefully grab soon. The
> latest patch should break LDAP authentication, on all platforms no
> matter which OpenLDAP version used, so you can expect to see messages on
> the Squid lists soon.

Ok. I guess we can leave the port as is for now and close this PR. I'd like to see the patch's information removed from distinfo, though. Would you mind committing this part? Thanks!
State Changed
From-To: open->closed

Remove ldap_helpers.patch. Closed on submitter request.
Thomas-Martin Seck wrote:

> Ok. I guess we can leave the port as is for now and close this PR. I'd
> like to see the patch's information removed from distinfo, though. Would
> you mind committing this part? Thanks!

Eh, yes. If I only were not this lazy, and Sem not this damn fast...

-Oliver