Date: Sat, 3 Sep 2005 15:20:21 -0400 (EDT)
From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: Rasmus Lerdorf <rasmus@lerdorf.com>
Cc: php-general@lists.php.net, freebsd-questions@freebsd.org, ale@FreeBSD.org
Subject: Re: [PHP] FreeBSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls()
Message-ID: <20050903151453.E33721@arbitor.digitalfreaks.org>
In-Reply-To: <43193747.3050805@lerdorf.com>
References: <20050902214813.Q52162@arbitor.digitalfreaks.org> <43193747.3050805@lerdorf.com>

Rasmus / all:

I'll revert to that as path of last resort. The FreeBSD port mechanism for
installing php extensions is administratively superior to maintaining
source installations manually.

Apache/PHP/LDAP/SSL/SQL cocktails on anything other than Linux are way too
convoluted to not be using Ports, especially with the number of security
advisories that come out. Without the XML vulnerability checklist from
'portaudit', you might as well grab your ankles.

Anyway, it's not FreeBSD ports. The damn configure script in
php{4,5}???/ext/ldap/ per the following:

Update: The problem persists elsewhere than FreeBSD 5.3/i386. It's also
happening on a NetBSD/i386 host with a -current (cvs -rHEAD)
pkgsrc/databases/{,php-ldap-}openldap/

Okay, I traced it down:

in /usr/ports/net/php5-ldap/work/php-5.0.4/ext/ldap/

configure -> conftest -> ldap_start_tls_s();
ldap_start_tls_s return false -> ac_cv_func_ldap_start_tls_s=no in config.log
config.log -> ldap.h -> #undef HAVE_LDAP_START_TLS_S
config.c -> HAVE_LDAP_START_TLS_S -> PHP_FE(ldap_start_tls, NULL)

...therefore ldap_start_tls isn't registered.

The question is why the conftest.c in GNU autoconf is failing with:

configure:5048: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'

...Which is odd since:

php4$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches
Binary file lib/pam_ldap.so matches

php4$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function. */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */

$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

and...

php5$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches

php5$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function. */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */

$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

..from 'make configure' in ports/net/php5-ldap/

checking for LDAP support... yes, shared
checking for LDAP Cyrus SASL support... no
checking for 3 arg ldap_set_rebind_proc... yes
checking for ldap_parse_reference... no
checking for ldap_start_tls_s... no
checking for ldap_bind_s... yes

...from config.log:

configure:5048: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
configure: failed program was:
#line 5011 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
   which can conflict with char ldap_start_tls_s (); below. */
#include <assert.h>
/* Override any gcc2 internal prototype to avoid an error. */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply. */
char ldap_start_tls_s ();
char (*f) ();

#ifdef F77_DUMMY_MAIN
# ifdef __cplusplus
extern "C"
# endif
int F77_DUMMY_MAIN() { return 1; }
#endif
int
main ()
{
/* The GNU C library defines this for functions which it implements
   to always fail with ENOSYS. Some functions are actually named
   something starting with __ and the normal name is an alias. */
#if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
choke me
#else
f = ldap_start_tls_s;
#endif

  ;
  return 0;
}
configure:5067: result: no
configure:5414: checking for ldap_bind_s
configure:5457: cc -o conftest -O -pipe -march=pentium3 -R/usr/local/lib -L/usr/local/lib -lldap -R/usr/local/lib -L/usr/local/lib -llber conftest.c >&5
configure:5460: $? = 0
configure:5463: test -s conftest
configure:5466: $? = 0
configure:5476: result: yes
configure:5583: checking for ld used by GCC
configure:5646: result: /usr/bin/ld
configure:5655: checking if the linker (/usr/bin/ld) is GNU ld
GNU ld version 2.15 [FreeBSD] 2004-05-23
configure:5667: result: yes
configure:5672: checking for /usr/bin/ld option to reload object files
configure:5679: result: -r
configure:5684: checking for BSD-compatible nm
configure:5720: result: nm
configure:5723: checking for a sed that does not truncate output
configure:5805: result: /usr/bin/sed
configure:5808: checking whether ln -s works
configure:5812: result: yes
configure:5819: checking how to recognise dependent libraries
configure:6001: result: pass_all
configure:6013: checking command to parse nm output
configure:6097: cc -c -O -pipe -march=pentium3 conftest.c >&5
configure:6100: $? = 0
configure:6104: nm conftest.o \| sed -n -e 's/^.*[ ]\([ABCDGISTW][ABCDGISTW]*\)[ ][ ]*\(\)\([_A-Za-z][_A-Za-z0-9]*\)$/\1 \2\3 \3/p' \> conftest.nm
configure:6107: $? = 0
configure:6159: cc -o conftest -O -pipe -march=pentium3 conftest.c conftstm.o >&5
configure:6162: $? = 0
configure:6206: result: ok
configure:6215: checking how to run the C preprocessor
configure:6241: cc -E conftest.c
configure:6247: $? = 0
configure:6274: cc -E conftest.c
configure:6271:28: ac_nonexistent.h: No such file or directory
configure:6280: $? = 1
configure: failed program was:
#line 6270 "configure"
#include "confdefs.h"
#include <ac_nonexistent.h>
configure:6317: result: cc -E
configure:6332: cc -E conftest.c
configure:6338: $? = 0
configure:6365: cc -E conftest.c
configure:6362:28: ac_nonexistent.h: No such file or directory
configure:6371: $? = 1
configure: failed program was:
#line 6361 "configure"
#include "confdefs.h"
#include <ac_nonexistent.h>
configure:6411: checking for ANSI C header files
configure:6425: cc -E conftest.c
configure:6431: $? = 0
configure:6518: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
configure:6521: $? = 0

ac_cv_func_ldap_start_tls_s=no

From php_ldap.h:

#if LDAP_API_VERSION > 2000
PHP_FUNCTION(ldap_start_tls);
#endif

From ldap.c:

#ifdef HAVE_LDAP_START_TLS_S
	PHP_FE(ldap_start_tls, NULL)
#endif

#ifdef HAVE_LDAP_START_TLS_S
/* {{{ proto bool ldap_start_tls(resource link)
   Start TLS */
PHP_FUNCTION(ldap_start_tls)
{
	zval **link;
	ldap_linkdata *ld;
	int rc, protocol = LDAP_VERSION3;

	if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &link) == FAILURE) {
		WRONG_PARAM_COUNT;
	}

	ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, link, -1, "ldap link", le_link);

	if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) ||
		((rc = ldap_start_tls_s(ld->link, NULL, NULL)) != LDAP_SUCCESS)
	) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING,"Unable to start TLS: %s", ldap_err2string(rc));
		RETURN_FALSE;
	} else {
		RETURN_TRUE;
	}
}
/* }}} */
#endif

On Fri, 2 Sep 2005, Rasmus Lerdorf wrote:

> Brian A. Seklecki wrote:
>> Firstly, sorry if this is the wrong list. There are thousands of forums
>> and PHP5 related MLs, but nothing FBSD specific.
>>
>> Second, I wouldn't post if this wasn't happening on two completely
>> different FBSD boxes.
>>
>> For whatever reason, the php4 and php5 from FreeBSD ports refuses to
>> properly configure SSL/TLS support for the LDAP module.
>
> Can't you just build from the PHP tarball instead? Seems like a messed
> up port to me. I use FreeBSD all day, every day and haven't seen this
> problem. But I also don't use the ports.
>
> -Rasmus
>

l8*
	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
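
Added example, not part of the original message: a shell/awk check that pairs every "undefined reference" in a config.log with the configure line that ran the compiler and the -l libraries on that command line, which is the difference between the ldap_start_tls_s and ldap_bind_s tests quoted above. The names audit_config_log and sample_log are made up for this example; the sample is an excerpt of the log in the message.

```shell
#!/bin/sh
# Added example: flag configure link tests that failed with an undefined
# reference, and show which -l<library> flags (if any) the test was linked with.

# audit_config_log [FILE]   (reads stdin when FILE is omitted)
# Prints one line per failure: "<symbol> <configure-line> <libs|NO-LIBS>"
audit_config_log() {
    awk '
        # Remember the most recent compiler invocation logged by configure.
        /^configure:[0-9]+: cc / {
            split($1, a, ":")
            line = a[2]
            libs = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^-l./)
                    libs = libs (libs == "" ? "" : ",") $i
        }
        # Linker complaint: keep only the symbol name between the quotes.
        /undefined reference to/ {
            sym = $0
            sub(/.*undefined reference to ./, "", sym)
            sub(/[^A-Za-z0-9_].*/, "", sym)
            print sym, line, (libs == "" ? "NO-LIBS" : libs)
        }
    ' "$@"
}

# Excerpt of the config.log quoted in the message (two link tests).
sample_log() {
    cat <<'EOF'
configure:5048: cc -o conftest -O -pipe -march=pentium3 conftest.c >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
configure:5457: cc -o conftest -O -pipe -march=pentium3 -R/usr/local/lib -L/usr/local/lib -lldap -R/usr/local/lib -L/usr/local/lib -llber conftest.c >&5
configure:5460: $? = 0
EOF
}

# Stand-alone run on the excerpt; pass a real config.log path to audit it.
sample_log | audit_config_log
```

NO-LIBS marks a link test that was run with no library on the command line, so its failure does not show whether the library exports the symbol; the ldap_bind_s test at configure:5457 was linked with -lldap -llber and passed.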