Date: Sat, 3 Sep 2005 16:19:15 -0400 (EDT)
From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: Rasmus Lerdorf <rasmus@lerdorf.com>
Cc: Stig Venaas <venaas@php.net>, php-general@lists.php.net, freebsd-questions@freebsd.org, ale@FreeBSD.org
Subject: Re: [PHP] FreeBSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls()
Message-ID: <20050903160401.W33721@arbitor.digitalfreaks.org>
In-Reply-To: <20050903151453.E33721@arbitor.digitalfreaks.org>
References: <20050902214813.Q52162@arbitor.digitalfreaks.org> <43193747.3050805@lerdorf.com> <20050903151453.E33721@arbitor.digitalfreaks.org>

Okay, problem fixed:

1) cd /usr/{ports,pkgsrc}/{net/php5-ldap,databases/php-ldap} on
   {Free,Net}BSD respectively

2) sudo make configure

3) sudo vim

   On FreeBSD
     work/php-5.0.4/ext/ldap/config.h or..
     work/php-4.4.0/ext/ldap/config.h

   on NetBSD:
     work/php-5.0.4/ext/ldap/config.h

4) Change:

     /* Define to 1 if you have the `ldap_start_tls_s' function. */
     /* #undef HAVE_LDAP_START_TLS_S */

   To:

     #define HAVE_LDAP_START_TLS_S 1

5) sudo make install

6) carry on pretending that your employee data is secure

     $ cat ~/public_html/testtls.php
     <?
     if (function_exists('ldap_start_tls'))
         echo "I see it!\n";
     ?>

     [0] seklecki@blah:/$ php ~/public_html/testtls.php
     I see it!

7) ...sit around on your day off and try to determine how the following
   piece of code from configure.sh was [ever] supposed to determine if
   ldap_start_tls_s() was a valid function w/o including arguments
   -I/usr/local/include, -L/usr/local/lib to gcc(1) or #including ldap.h
   or lber.h, and wonder who is responsible >:}

   *cough*
   http://chora.php.net/diff.php/php-src/ext/ldap/config.m4?php=3c934ff67902f7c5ce419c901b82c77e&r1=1.23&r2=1.24&ty=h&num=10
   *cough*

   ... 8-) ...i dunno, maybe it "just works(r)" on Linux >:}

| /* confdefs.h. */
|
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define COMPILE_DL_LDAP 1
| #define HAVE_LDAP 1
| #define HAVE_3ARG_SETREBINDPROC 1
| /* end confdefs.h. */
| /* Define ldap_start_tls_s to an innocuous variant, in case <limits.h> declares ldap_start_tls_s.
|    For example, HP-UX 11i <limits.h> declares gettimeofday. */
| #define ldap_start_tls_s innocuous_ldap_start_tls_s
| /* System header to define __stub macros and hopefully few prototypes,
|    which can conflict with char ldap_start_tls_s (); below.
|    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
|    <limits.h> exists even on freestanding compilers. */
|
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
|
| #undef ldap_start_tls_s
|
| /* Override any gcc2 internal prototype to avoid an error. */
| #ifdef __cplusplus
| extern "C"
| {
| #endif
| /* We use char because int might match the return type of a gcc2
|    builtin and then its argument prototype would still apply. */
| char ldap_start_tls_s ();
| /* The GNU C library defines this for functions which it implements
|    to always fail with ENOSYS. Some functions are actually named
|    something starting with __ and the normal name is an alias. */
| #if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
| choke me
| #else
| char (*f) () = ldap_start_tls_s;
| #endif
| #ifdef __cplusplus
| }
| #endif
|
| int
| main ()
| {
| return f != ldap_start_tls_s;
|   ;
|   return 0;
| }

~BAS

On Sat, 3 Sep 2005, Brian A. Seklecki wrote:

>
> Rasmus / all:
>
> I'll revert to that as path of last resort. The FreeBSD port mechanism for
> installing php extensions is administratively superior to maintaining source
> installations manually. Apache/PHP/LDAP/SSL/SQL cocktails on anything other
> than Linux are way too convoluted to not be using Ports, especially with the
> number of security advisories that come out. Without the XML vulnerability
> checklist from 'portaudit', you might as well grab your ankles.
>
> Anyway, It's not FreeBSD ports. The damn configure script in
> php{4,5}???/ext/ldap/ per the following:
>
> Update: The problem persists elsewhere than FreeBSD 5.3/i386. It's also
> happening on a NetBSD/i386 host with a -current (cvs -rHEAD)
> pkgsrc/databases/{,php-ldap-}openldap/
>
> Okay, I traced it down:
>
> in /usr/ports/net/php5-ldap/work/php-5.0.4/ext/ldap/configure ->
>    conftest -> ldap_start_tls_s();
>    ldap_start_tls_s return false -> ac_cv_func_ldap_start_tls_s=no in config.log
>    config.log -> ldap.h -> #undef HAVE_LDAP_START_TLS_S
>    config.c -> HAVE_LDAP_START_TLS_S -> PHP_FE(ldap_start_tls, NULL)
>
> ...therefore ldap_start_tls isn't registered. The question is why the
> conftest.c in GNU autoconf is failing with:
>
> configure:5048: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
> /var/tmp//cc63HySI.o(.text+0x12): In function `main':
> : undefined reference to `ldap_start_tls_s'
>
> ...Which is odd since:
>
>
> php4$ grep -ir ldap_start_tls_s lib/*
> Binary file lib/libldap-2.2.so matches
> Binary file lib/libldap-2.2.so.7 matches
> Binary file lib/libldap.a matches
> Binary file lib/libldap.so matches
> Binary file lib/libldap_r-2.2.so matches
> Binary file lib/libldap_r-2.2.so.7 matches
> Binary file lib/libldap_r.a matches
> Binary file lib/libldap_r.so matches
> Binary file lib/pam_ldap.so matches
>
> php4$ grep -ir ldap_start_tls_s include/*
> include/ldap.h:ldap_start_tls_s LDAP_P((
> include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s
> function. */
> include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */
>
>
> $ nm lib/libldap-2.2.so.7|grep -i start_tls
> 0002b770 T ldap_start_tls_s
>
> and...
>
> php5$ grep -ir ldap_start_tls_s lib/*
> Binary file lib/libldap-2.2.so matches
> Binary file lib/libldap-2.2.so.7 matches
> Binary file lib/libldap.a matches
> Binary file lib/libldap.so matches
> Binary file lib/libldap_r-2.2.so matches
> Binary file lib/libldap_r-2.2.so.7 matches
> Binary file lib/libldap_r.a matches
> Binary file lib/libldap_r.so matches
>
> php5$ grep -ir ldap_start_tls_s include/*
> include/ldap.h:ldap_start_tls_s LDAP_P((
> include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s
> function. */
> include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */
>
> $ nm lib/libldap-2.2.so.7|grep -i start_tls
> 0002b770 T ldap_start_tls_s
>
> ..from 'make configure' in ports/net/php5-ldap/
>
> checking for LDAP support... yes, shared
> checking for LDAP Cyrus SASL support... no
> checking for 3 arg ldap_set_rebind_proc... yes
> checking for ldap_parse_reference... no
> checking for ldap_start_tls_s... no
> checking for ldap_bind_s... yes
>
>
> ...from config.log:
>
> configure:5048: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
> /var/tmp//cc63HySI.o(.text+0x12): In function `main':
> : undefined reference to `ldap_start_tls_s'
> configure:5051: $? = 1
> configure: failed program was:
> #line 5011 "configure"
> #include "confdefs.h"
> /* System header to define __stub macros and hopefully few prototypes,
>    which can conflict with char ldap_start_tls_s (); below. */
> #include <assert.h>
> /* Override any gcc2 internal prototype to avoid an error. */
> #ifdef __cplusplus
> extern "C"
> #endif
> /* We use char because int might match the return type of a gcc2
>    builtin and then its argument prototype would still apply. */
> char ldap_start_tls_s ();
> char (*f) ();
> #ifdef F77_DUMMY_MAIN
> # ifdef __cplusplus
> extern "C"
> # endif
> int F77_DUMMY_MAIN() { return 1; }
> #endif
> int
> main ()
> {
> /* The GNU C library defines this for functions which it implements
>    to always fail with ENOSYS. Some functions are actually named
>    something starting with __ and the normal name is an alias. */
> #if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
> choke me
> #else
> f = ldap_start_tls_s;
> #endif
>
> ;
> return 0;
> }
> configure:5067: result: no
> configure:5414: checking for ldap_bind_s
> configure:5457: cc -o conftest -O -pipe -march=pentium3 -R/usr/local/lib
> -L/usr/local/lib -lldap -R/usr/local/lib -
> L/usr/local/lib -llber conftest.c >&5
> configure:5460: $? = 0
> configure:5463: test -s conftest
> configure:5466: $? = 0
> configure:5476: result: yes
> configure:5583: checking for ld used by GCC
> configure:5646: result: /usr/bin/ld
> configure:5655: checking if the linker (/usr/bin/ld) is GNU ld
> GNU ld version 2.15 [FreeBSD] 2004-05-23
> configure:5667: result: yes
> configure:5672: checking for /usr/bin/ld option to reload object files
> configure:5679: result: -r
> configure:5684: checking for BSD-compatible nm
> configure:5720: result: nm
> configure:5723: checking for a sed that does not truncate output
> configure:5805: result: /usr/bin/sed
> configure:5808: checking whether ln -s works
> configure:5812: result: yes
> configure:5819: checking how to recognise dependent libraries
> configure:6001: result: pass_all
> configure:6013: checking command to parse nm output
> configure:6097: cc -c -O -pipe -march=pentium3 conftest.c >&5
> configure:6100: $? = 0
> configure:6104: nm conftest.o \| sed -n -e 's/^.*[
> ]\([ABCDGISTW][ABCDGISTW]*\)[ ][ ]*\(\)\([_A-Za-z][_A-
> Za-z0-9]*\)$/\1 \2\3 \3/p' \> conftest.nm
> configure:6107: $? = 0
> configure:6159: cc -o conftest -O -pipe -march=pentium3 conftest.c
> conftstm.o >&5
> configure:6162: $? = 0
> configure:6206: result: ok
> configure:6215: checking how to run the C preprocessor
> configure:6241: cc -E conftest.c
> configure:6247: $? = 0
> configure:6274: cc -E conftest.c
> configure:6271:28: ac_nonexistent.h: No such file or directory
> configure:6280: $? = 1
> configure: failed program was:
> #line 6270 "configure"
> #include "confdefs.h"
> #include <ac_nonexistent.h>
> configure:6317: result: cc -E
> configure:6332: cc -E conftest.c
> configure:6338: $? = 0
> configure:6365: cc -E conftest.c
> configure:6362:28: ac_nonexistent.h: No such file or directory
> configure:6371: $? = 1
> configure: failed program was:
> #line 6361 "configure"
> #include "confdefs.h"
> #include <ac_nonexistent.h>
> configure:6411: checking for ANSI C header files
> configure:6425: cc -E conftest.c
> configure:6431: $? = 0
> configure:6518: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
> configure:6521: $? = 0
>
> ac_cv_func_ldap_start_tls_s=no
>
>
> From php_ldap.h:
>
> #if LDAP_API_VERSION > 2000
> PHP_FUNCTION(ldap_start_tls);
> #endif
>
> From ldap.c:
>
> #ifdef HAVE_LDAP_START_TLS_S
>         PHP_FE(ldap_start_tls, NULL)
> #endif
>
>
>
> #ifdef HAVE_LDAP_START_TLS_S
> /* {{{ proto bool ldap_start_tls(resource link)
>    Start TLS */
> PHP_FUNCTION(ldap_start_tls)
> {
>         zval **link;
>         ldap_linkdata *ld;
>         int rc, protocol = LDAP_VERSION3;
>
>         if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &link) ==
> FAILURE) {
>                 WRONG_PARAM_COUNT;
>         }
>
>         ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, link, -1, "ldap link",
> le_link);
>
>         if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION,
> &protocol)) != LDAP_SUCCESS) ||
>                 ((rc = ldap_start_tls_s(ld->link, NULL, NULL)) !=
> LDAP_SUCCESS)
>         ) {
>                 php_error_docref(NULL TSRMLS_CC, E_WARNING,"Unable to start
> TLS: %s", ldap_err2string(rc));
>                 RETURN_FALSE;
>         } else {
>                 RETURN_TRUE;
>         }
> }
> /* }}} */
> #endif
>
>
>
> On Fri, 2 Sep 2005, Rasmus Lerdorf wrote:
>
>> Brian A. Seklecki wrote:
>>> Firstly, sorry if this is the wrong list. There are thousands of forums
>>> and PHP5 related MLs, but nothing FBSD specific.
>>>
>>> Second, I wouldn't post if this wasn't happening on two completely
>>> different FBSD boxes.
>>>
>>> For whatever reason, the php4 and php5 from FreeBSD ports refuses to
>>> properly configure SSL/TLS support for the LDAP module.
>>
>> Can't you just build from the PHP tarball instead? Seems like a messed
>> up port to me. I use FreeBSD all day, every day and haven't seen this
>> problem. But I also don't use the ports.
>>
>> -Rasmus
>>
>
> l8*
> -lava
>
> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
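
Added example (not part of the original message, and not code from PHP or the ports tree): a small Python check that scans a config.log for the failure traced in the message above, where a function probe answers "no" with an undefined-reference error while its test program was linked without any -l flag. The sample log is constructed from the excerpt quoted in the message; the line number of the first "checking for" entry and the name false_negative_probes are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the config.log excerpt quoted in the message
# (the line number of the first "checking for" entry is made up).
SAMPLE_LOG = """\
configure:5010: checking for ldap_start_tls_s
configure:5048: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
configure:5067: result: no
configure:5414: checking for ldap_bind_s
configure:5457: cc -o conftest -O -pipe -march=pentium3 -R/usr/local/lib -L/usr/local/lib -lldap -R/usr/local/lib -L/usr/local/lib -llber conftest.c >&5
configure:5460: $? = 0
configure:5476: result: yes
"""

CHECK = re.compile(r"^configure:\d+: checking for (\w+)$")
RESULT = re.compile(r"^configure:\d+: result: (\w+)$")
UNDEF = re.compile(r"undefined reference to `(\w+)'")


def false_negative_probes(log_text):
    """Names of function probes that answered "no" because the test program
    was linked without any -l flag, not because the symbol is missing."""
    flagged = []
    probe = None  # state of the probe currently being read
    for line in log_text.splitlines():
        m = CHECK.match(line)
        if m:
            probe = {"name": m.group(1), "libs": [], "undef": False}
            continue
        if probe is None:
            continue
        if " -o conftest " in line and "conftest.c" in line:
            # Link step: remember which libraries were on the command line.
            probe["libs"] = [t for t in line.split() if t.startswith("-l")]
        m = UNDEF.search(line)
        if m and m.group(1) == probe["name"]:
            probe["undef"] = True
        m = RESULT.match(line)
        if m:
            if m.group(1) == "no" and probe["undef"] and not probe["libs"]:
                flagged.append(probe["name"])
            probe = None
    return flagged


if __name__ == "__main__":
    for name in false_negative_probes(SAMPLE_LOG):
        print(f"{name}: probe linked with no -l flags; result 'no' is unreliable")
```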