The squid LDAP helpers do not yet work with OpenLDAP 2.2, see squid bug #1018. Use OpenLDAP 2.1 instead until this issue is resolved. Fix: Apply this patch:
Responsible Changed From-To: freebsd-ports-bugs->krion Take.
Thomas-Martin Seck wrote:

> --- Makefile (revision 126)
> +++ Makefile (working copy)
> @@ -161,6 +161,7 @@
>  MAN8+= pam_auth.8 squid_unix_group.8
>  .if defined(WITH_SQUID_LDAP_AUTH)
>  USE_OPENLDAP= yes
> +WANT_OPENLDAP_VER= 21
>  CFLAGS+= -I${LOCALBASE}/include
>  LDFLAGS+= -L${LOCALBASE}/lib
>  MAN8+= squid_ldap_auth.8 squid_ldap_group.8

IMHO this is not the right fix. I would do

.if ${WANT_OPENLDAP_VER}==22
IGNORE= Bugs in squid_ldap_auth with OpenLDAP 2.2 <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
.endif

because

a) This does not need a PORTREVISION bump (ok, OpenLDAP support is not the default, so this might be unnecessary)

b) Users with OpenLDAP 2.2 installed get an informative error message, instead of `openldap-client-2.1.30 conflicts with installed package(s): openldap-client-2.2.14'

c) It doesn't force the installation of an OpenLDAP version incompatible with other ports.

Btw, has anyone tested the code with OpenLDAP 2.1? I seem to get the same crashes in the -P case, -H doesn't work as advertised, and, what's even worse than crashing is that I'm able to authorize with *every* password. So the proper `fix' would be

IGNORE= Bugs in squid_ldap_auth <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>

-Oliver
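Review bot: In the quoted @@ -161 hunk, `WANT_OPENLDAP_VER= 21` inside the WITH_SQUID_LDAP_AUTH block pins the port to one OpenLDAP major version instead of stating the incompatibility; on a system that already has openldap-client-2.2 installed the only visible outcome is the package conflict quoted in this message, and the message also reports that the helper misbehaves with 2.1, so the pin does not make the LDAP helper safe to build. An explicit `IGNORE=` conditional on `WANT_OPENLDAP_VER` that cites the upstream bug, as proposed here, tells the user why the option is unavailable without forcing a client library version that other ports may not accept.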
For the record: the following patch (the same as in <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>), added as files/patch-helpers::basic_auth::LDAP::squid_ldap_auth.c, will fix the `authenticate everyone' bug and the crashes in the non-persistent case (without -P), so the module is at least barely usable. -H and -P still don't work, neither with OpenLDAP 2.2 nor with OpenLDAP 2.1.

-Oliver

--- helpers/basic_auth/LDAP/squid_ldap_auth.c.orig	Thu Jul 22 19:53:20 2004
+++ helpers/basic_auth/LDAP/squid_ldap_auth.c	Thu Jul 22 19:53:20 2004
@@ -486,7 +486,8 @@
     if (checkLDAP(ld, user, passwd, ldapServer, port) != 0) {
         if (tryagain && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) {
             tryagain = 0;
-            ldap_unbind(ld);
+            if (ld)
+                ldap_unbind(ld);
             ld = NULL;
             goto recover;
         }
@@ -637,7 +638,7 @@
         ldap_unbind(bind_ld);
         bind_ld = NULL;
     }
-    return 0;
+    return ret;
 }
 
 int
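Review bot: In the @@ -486 hunk the new `if (ld)` guard protects only the `ldap_unbind(ld)` call; the `squid_ldap_errno(ld)` in the enclosing condition one line above is still evaluated with the same possibly-NULL `ld`, so if `ld` can be NULL at this point (which is what the guard implies) the condition should test the handle first, e.g. `if (tryagain && ld && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) {`, or the error lookup should be moved under the guard as well.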
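Review bot: In the @@ -637 hunk, `return 0;` was an unconditional success return at the end of checkLDAP(), which is exactly what made every password acceptable; `return ret;` is the right direction, but the hunk does not show where `ret` is assigned, so it should be confirmed that `ret` is initialized to a failure value and set on every path before the `bind_ld` cleanup block, otherwise a path that skips the assignment could still fall through to an accept. A short comment at the return stating that a non-zero value means the bind failed would make that contract visible to the next reader.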
* Oliver Eikemeier (eikemeier@fillmore-labs.com):

> Thomas-Martin Seck wrote:
>
> >--- Makefile (revision 126)
> >+++ Makefile (working copy)
> >@@ -161,6 +161,7 @@
> > MAN8+= pam_auth.8 squid_unix_group.8
> > .if defined(WITH_SQUID_LDAP_AUTH)
> > USE_OPENLDAP= yes
> >+WANT_OPENLDAP_VER= 21
> > CFLAGS+= -I${LOCALBASE}/include
> > LDFLAGS+= -L${LOCALBASE}/lib
> > MAN8+= squid_ldap_auth.8 squid_ldap_group.8
>
> IMHO this is not the right fix. I would do
>
> .if ${WANT_OPENLDAP_VER}==22
> IGNORE= Bugs in squid_ldap_auth with OpenLDAP 2.2 <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
> .endif

This is fine with me.

> because
>
> a) This does not need a PORTREVISION bump (ok, OpenLDAP support is not the default, so this might be unnecessary)

This was my intention -- my rule of thumb is: does the content of the pointyhat package change? If so, bump PORTREVISION. I do not think this change justifies this; I don't think LDAP auth is in widespread use.

> b) Users with OpenLDAP 2.2 installed get an informative error message, instead of
> `openldap-client-2.1.30 conflicts with installed package(s): openldap-client-2.2.14'

Yep.

> c) It doesn't force the installation of an OpenLDAP version incompatible with other ports.

Hm -- is WANT_LDAP_VER only to be used as a general variable and should not be used by a port? That's what you get from trying to find a quick workaround...

> Btw, has anyone tested the code with OpenLDAP 2.1? I seem to get the same crashes in the -P case, -H doesn't work as advertised, and, what's even worse than crashing is that I'm able to authorize with *every* password. So the proper `fix' would be
>
> IGNORE= Bugs in squid_ldap_auth <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>

It seems the LDAP-update patch is the root of all evil. Could you back it out and test the "old" ldap_auth helpers against OpenLDAP 2.2? If it works, I simply remove it from the list of patches and wait until the dust settles.
Thomas-Martin Seck wrote:

> * Oliver Eikemeier (eikemeier@fillmore-labs.com):
> [...]
>> c) It doesn't force the installation of an OpenLDAP version incompatible with other ports.
>
> Hm -- is WANT_LDAP_VER only to be used as a general variable and should not be used by a port? That's what you get from trying to find a quick workaround...

It's meant for ports that generally need OpenLDAP 2.1. I do not expect them to exist, but it's there just in case. In this case it's just a temporary breakage, which I would treat differently. It's a matter of style, your approach isn't wrong, but points users in the wrong direction (IMHO).

>> Btw, has anyone tested the code with OpenLDAP 2.1? I seem to get the same crashes in the -P case, -H doesn't work as advertised, and, what's even worse than crashing is that I'm able to authorize with *every* password. So the proper `fix' would be
>>
>> IGNORE= Bugs in squid_ldap_auth <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
>
> It seems the LDAP-update patch is the root of all evil. Could you back it out and test the "old" ldap_auth helpers against OpenLDAP 2.2? If it works, I simply remove it from the list of patches and wait until the dust settles.

Yup, let's try this.

-Oliver
State Changed From-To: open->closed Patch removed until the problems are resolved upstream.