Date: Sat, 3 Sep 2005 21:18:50 GMT
From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/85700: {Free, Net}BSD php{4, 5} w/ LDAP + SSL/TLS ldap_start_tls[_s]()
Message-ID: <200509032118.j83LIon0083931@www.freebsd.org>
Resent-Message-ID: <200509032120.j83LKZmq091892@freefall.freebsd.org>
>Number:         85700
>Category:       ports
>Synopsis:       {Free,Net}BSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls[_s]()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 03 21:20:34 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Brian A. Seklecki
>Release:        RELENG_5_3
>Organization:
Spiritual Machines
>Environment:
FreeBSD krok 5.3-RELEASE-p17 FreeBSD 5.3-RELEASE-p17 #0: Tue Jul 5 06:16:28 EDT 2005     root@krok.collaborativefusion.com:/usr/obj/usr/src/sys/KROK  i386
>Description:
For whatever reason, the php4 and php5 from FreeBSD ports refuse to properly configure SSL/TLS support for the LDAP module. This breaks the TLS/SSL functionality in net/phpldapadmin and sysutils/ldap-account-manager (CC'ing maintainers).

I've got two current i386/RELENG_5_3 boxes, both with Apache apache-2.0.54_2 and openldap-client-2.2.27. The ldap client binaries are linked to SSL fine and can talk both ldaps:// and Start_TLS over ldap://. That's out of the question. One with php4-4.4.0, one with php5-5.0.3_2 (see below).
Both have the LDAP and SSL php extension modules installed:

$ egrep -i "ldap|ssl" /usr/local/etc/php/extensions.ini
extension=openssl.so
extension=ldap.so

# ldd /usr/local/lib/php/20020429/ldap.so
/usr/local/lib/php/20020429/ldap.so:
        libldap-2.2.so.7 => /usr/local/lib/libldap-2.2.so.7 (0x28174000)
        liblber-2.2.so.7 => /usr/local/lib/liblber-2.2.so.7 (0x281a7000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x281b4000)
        libssl.so.3 => /usr/lib/libssl.so.3 (0x282c8000)

The php5 box is as well:

$ ldd /usr/local/lib/php/20041030/ldap.so
/usr/local/lib/php/20041030/ldap.so:
        libldap-2.2.so.7 => /usr/local/lib/libldap-2.2.so.7 (0x28173000)
        liblber-2.2.so.7 => /usr/local/lib/liblber-2.2.so.7 (0x281a6000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x281b3000)
        libssl.so.3 => /usr/lib/libssl.so.3 (0x282c7000)

The problem is that ldap_start_tls() is an unregistered/invalid function. When I run the functions.php at http://www.sitepoint.com/article/php-command-line-2, ldap_start_tls() isn't listed on either machine (see below).
# pkg_info |grep -i php
libmcrypt-2.5.7_1       Multi-cipher cryptographic library (used in PHP)
pear-XML_RPC-1.4.0      PHP implementation of the XML-RPC protocol
php4-4.4.0              PHP Scripting Language (Apache Module and CLI)
php4-ctype-4.4.0        The ctype shared extension for php
php4-dba-4.4.0          The dba shared extension for php
php4-extensions-1.0     A "meta-port" to install PHP extensions
php4-gettext-4.4.0      The gettext shared extension for php
php4-ldap-4.4.0         The ldap shared extension for php
php4-mcrypt-4.4.0       The mcrypt shared extension for php
php4-mysql-4.4.0        The mysql shared extension for php
php4-openssl-4.4.0      The openssl shared extension for php
php4-overload-4.4.0     The overload shared extension for php
php4-pcre-4.4.0         The pcre shared extension for php
php4-pear-4.4.0         PEAR framework for PHP
php4-pgsql-4.4.0        The pgsql shared extension for php
php4-posix-4.4.0        The posix shared extension for php
php4-session-4.4.0      The session shared extension for php
php4-tokenizer-4.4.0    The tokenizer shared extension for php
php4-xml-4.4.0          The xml shared extension for php
php4-zlib-4.4.0         The zlib shared extension for php
phpldapadmin-0.9.7.a6,1 A set of PHP-scripts to administer LDAP servers

$ pkg_info |grep -i php5
php5-5.0.4_1            PHP Scripting Language (Apache Module and CLI)
php5-bz2-5.0.3_2        The bz2 shared extension for php
php5-calendar-5.0.3_2   The calendar shared extension for php
php5-ctype-5.0.3_2      The ctype shared extension for php
php5-curl-5.0.4_2       The curl shared extension for php
php5-dom-5.0.3_2        The dom shared extension for php
php5-exif-5.0.3_2       The exif shared extension for php
php5-extensions-1.0     A "meta-port" to install PHP extensions
php5-ftp-5.0.3_2        The ftp shared extension for php
php5-gd-5.0.3_2         The gd shared extension for php
php5-gettext-5.0.3_2    The gettext shared extension for php
php5-iconv-5.0.3_2      The iconv shared extension for php
php5-imap-5.0.3_2       The imap shared extension for php
php5-ldap-5.0.4_2       The ldap shared extension for php
php5-mcrypt-5.0.3_2     The mcrypt shared extension for php
php5-mhash-5.0.3_2      The mhash shared extension for php
php5-mysql-5.0.3_2      The mysql shared extension for php
php5-odbc-5.0.4_2       The odbc shared extension for php
php5-openssl-5.0.3_2    The openssl shared extension for php
php5-pcre-5.0.3_2       The pcre shared extension for php
php5-pear-5.0.3_2       PEAR framework for PHP
php5-pgsql-5.0.3_2      The pgsql shared extension for php
php5-posix-5.0.3_2      The posix shared extension for php
php5-session-5.0.3_2    The session shared extension for php
php5-simplexml-5.0.3_2  The simplexml shared extension for php
php5-soap-5.0.3_2       The soap shared extension for php
php5-sqlite-5.0.3_2     The sqlite shared extension for php
php5-sysvmsg-5.0.3_2    The sysvmsg shared extension for php
php5-sysvsem-5.0.3_2    The sysvsem shared extension for php
php5-sysvshm-5.0.3_2    The sysvshm shared extension for php
php5-tokenizer-5.0.3_2  The tokenizer shared extension for php
php5-xml-5.0.3_2        The xml shared extension for php
php5-zlib-5.0.3_2       The zlib shared extension for php

php4box# php public_html/functions.php -e ldap
ldap_connect ldap_close ldap_bind ldap_unbind ldap_read ldap_list ldap_search
ldap_free_result ldap_count_entries ldap_first_entry ldap_next_entry
ldap_get_entries ldap_first_attribute ldap_next_attribute ldap_get_attributes
ldap_get_values ldap_get_values_len ldap_get_dn ldap_explode_dn ldap_dn2ufn
ldap_add ldap_delete ldap_modify ldap_mod_add ldap_mod_replace ldap_mod_del
ldap_errno ldap_err2str ldap_error ldap_compare ldap_sort ldap_rename
ldap_get_option ldap_set_option ldap_first_reference ldap_next_reference
ldap_set_rebind_proc

php5box$ php functions.php -e ldap
ldap_connect ldap_close ldap_bind ldap_unbind ldap_read ldap_list ldap_search
ldap_free_result ldap_count_entries ldap_first_entry ldap_next_entry
ldap_get_entries ldap_first_attribute ldap_next_attribute ldap_get_attributes
ldap_get_values ldap_get_values_len ldap_get_dn ldap_explode_dn ldap_dn2ufn
ldap_add ldap_delete ldap_modify ldap_mod_add ldap_mod_replace ldap_mod_del
ldap_errno ldap_err2str ldap_error ldap_compare ldap_sort ldap_get_option
ldap_set_option ldap_parse_result ldap_first_reference ldap_next_reference
ldap_rename ldap_set_rebind_proc

>How-To-Repeat:
I traced it down, in /usr/ports/net/php5-ldap/work/php-5.0.4/ext/ldap/:

  configure -> conftest -> ldap_start_tls_s();
  ldap_start_tls_s returns false -> ac_cv_func_ldap_start_tls_s=no in config.log
  config.log -> ldap.h -> #undef HAVE_LDAP_START_TLS_S
  config.c -> HAVE_LDAP_START_TLS_S -> PHP_FE(ldap_start_tls, NULL)

..therefore ldap_start_tls isn't registered. The question is why the conftest.c in GNU autoconf is failing with:

configure:5048: cc -o conftest -O -pipe -march=pentium3  conftest.c >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'

..Which is odd since:

php4$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches
Binary file lib/pam_ldap.so matches
php4$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function. */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */
$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

and...
php5$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches
php5$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function. */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */
$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

..from 'make configure' in ports/net/php5-ldap/:

checking for LDAP support... yes, shared
checking for LDAP Cyrus SASL support... no
checking for 3 arg ldap_set_rebind_proc... yes
checking for ldap_parse_reference... no
checking for ldap_start_tls_s... no
checking for ldap_bind_s... yes

..from config.log:

configure:5048: cc -o conftest -O -pipe -march=pentium3  conftest.c >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
configure: failed program was:

>Fix:
I don't dabble in GNU Autoconf, and I recommend everyone else do the same, but if someone actually wants to fix the autoconf aspect of this so that a patch on the Free/NetBSD side isn't required forever, then God speed.

My temporary solution is:

1) cd /usr/{ports,pkgsrc}/{net/php5-ldap,databases/php-ldap} on {Free,Net}BSD respectively
2) sudo make configure
3) sudo vim
   On FreeBSD: work/php-5.0.4/ext/ldap/config.h or.. work/php-4.4.0/ext/ldap/config.h
   On NetBSD:  work/php-5.0.4/ext/ldap/config.h
4) Change:
   /* Define to 1 if you have the `ldap_start_tls_s' function. */
   /* #undef HAVE_LDAP_START_TLS_S */
   To:
   #define HAVE_LDAP_START_TLS_S 1
5) sudo make install
6) carry on pretending that your employee data is secure

$ cat ~/public_html/testtls.php
<?php
// Prints a line only if the ldap extension registered ldap_start_tls()
if (function_exists('ldap_start_tls')) echo "I see it!\n";
?>
[0] seklecki@blah:/$ php ~/public_html/testtls.php
I see it!

7) ...sit around on your day off and try to determine how the following piece of code from configure.sh was [ever] supposed to determine if ldap_start_tls_s() was a valid function w/o including arguments -I/usr/local/include, -L/usr/local/lib to gcc(1) or #including ldap.h or lber.h, and wonder who is responsible >:} *cough* http://chora.php.net/diff.php/php-src/ext/ldap/config.m4?php=3c934ff67902f7c5ce419c901b82c77e&r1=1.23&r2=1.24&ty=h&num=10 *cough* ... 8-) ...I dunno, maybe it "just works(r)" on Linux >:}

| /* confdefs.h.  */
|
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define COMPILE_DL_LDAP 1
| #define HAVE_LDAP 1
| #define HAVE_3ARG_SETREBINDPROC 1
| /* end confdefs.h.  */
| /* Define ldap_start_tls_s to an innocuous variant, in case <limits.h> declares ldap_start_tls_s.
|    For example, HP-UX 11i <limits.h> declares gettimeofday.  */
| #define ldap_start_tls_s innocuous_ldap_start_tls_s
| /* System header to define __stub macros and hopefully few prototypes,
|     which can conflict with char ldap_start_tls_s (); below.
|     Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
|     <limits.h> exists even on freestanding compilers.  */
|
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
|
| #undef ldap_start_tls_s
|
| /* Override any gcc2 internal prototype to avoid an error.  */
| #ifdef __cplusplus
| extern "C"
| {
| #endif
| /* We use char because int might match the return type of a gcc2
|    builtin and then its argument prototype would still apply.  */
| char ldap_start_tls_s ();
| /* The GNU C library defines this for functions which it implements
|     to always fail with ENOSYS.  Some functions are actually named
|     something starting with __ and the normal name is an alias.  */
| #if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
| choke me
| #else
| char (*f) () = ldap_start_tls_s;
| #endif
| #ifdef __cplusplus
| }
| #endif
|
| int
| main ()
| {
| return f != ldap_start_tls_s;
|   ;
|   return 0;
| }

>Release-Note:
>Audit-Trail:
>Unformatted:
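Editor's added example, not part of this PR or of phpldapadmin/ldap-account-manager: the practical consequence of the bug above is a PHP build in which ldap_start_tls() simply does not exist, so an application that calls ldap_bind() without first verifying TLS silently sends credentials in the clear. This helper extends the testtls.php check into a connect routine that fails closed: it refuses to bind unless StartTLS is both available and successfully negotiated. Host, bind DN and password are constructed placeholders.

```php
<?php
// Added example (not from the PR): fail-closed StartTLS connect helper.
// Assumptions: the directory listens on plain ldap:// and supports the
// StartTLS extended operation; host/DN/password are constructed values.

/**
 * Connect to $host and upgrade to TLS before any bind. Returns the LDAP
 * link on success; throws if TLS cannot be negotiated, so a password is
 * never sent over a plaintext session.
 */
function ldap_connect_tls_required(string $host, string $bindDn, string $bindPw)
{
    // The PR's symptom: an ldap extension configured without
    // HAVE_LDAP_START_TLS_S registers no ldap_start_tls() at all.
    if (!function_exists('ldap_start_tls')) {
        throw new RuntimeException(
            'ldap_start_tls() is not available in this PHP build; refusing plaintext bind');
    }

    $ld = ldap_connect('ldap://' . $host);
    if ($ld === false) {
        throw new RuntimeException("could not create LDAP handle for $host");
    }
    // StartTLS is an LDAPv3 extended operation; the old v2 default cannot use it.
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    // ldap_start_tls() emits a warning on failure; report it via ldap_error() instead.
    if (!@ldap_start_tls($ld)) {
        $err = ldap_error($ld);
        ldap_unbind($ld);
        throw new RuntimeException("StartTLS failed for $host: $err");
    }

    // Only now is it safe to send the password.
    if (!@ldap_bind($ld, $bindDn, $bindPw)) {
        $err = ldap_error($ld);
        ldap_unbind($ld);
        throw new RuntimeException("bind as $bindDn failed: $err");
    }
    return $ld;
}

// Usage with constructed values: the session is either TLS-protected or refused.
try {
    $ld = ldap_connect_tls_required('ldap.example.test', 'cn=admin,dc=example,dc=test', 'secret');
    echo "TLS-protected bind succeeded\n";
    ldap_unbind($ld);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

On a build affected by this PR the script exits with the "not available" message instead of binding, which is the behaviour step 6 above jokes about not getting.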