[PHP] FreeBSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls()

Brian A. Seklecki lavalamp at spiritual-machines.org
Sat Sep 3 12:20:23 PDT 2005


Rasmus / all:

I'll revert to that as path of last resort.  The FreeBSD port mechanism 
for installing php extensions is administratively superior to maintaining 
source installations manually.  Apache/PHP/LDAP/SSL/SQL cocktails on 
anything other than Linux are way too convoluted to not be using Ports, 
especially with the number of security advisories that come out.  Without 
the XML vulnerability checklist from 'portaudit', you might as well grab 
your ankles.

Anyway, it's not FreeBSD ports.  The damn configure script in 
php{4,5}???/ext/ldap/ per the following:

Update:  The problem persists elsewhere than FreeBSD 5.3/i386.  It's also
happening on a NetBSD/i386 host with a -current (cvs -rHEAD)
pkgsrc/databases/{,php-ldap-}openldap/

Okay, I traced it down:

in /usr/ports/net/php5-ldap/work/php-5.0.4/ext/ldap/configure ->
conftest -> ldap_start_tls_s();
ldap_start_tls_s return false -> ac_cv_func_ldap_start_tls_s=no in 
config.log
config.log -> ldap.h -> #undef HAVE_LDAP_START_TLS_S
config.c -> HAVE_LDAP_START_TLS_S -> PHP_FE(ldap_start_tls, NULL)

...therefore ldap_start_tls isn't registered.  The question is why the 
conftest.c in GNU autoconf is failing with:

configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'

...Which is odd since:


php4$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches
Binary file lib/pam_ldap.so matches

php4$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function.  */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */


$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

and...

php5$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches

php5$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function.  */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */

$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

..from 'make configure' in ports/net/php5-ldap/

checking for LDAP support... yes, shared
checking for LDAP Cyrus SASL support... no
checking for 3 arg ldap_set_rebind_proc... yes
checking for ldap_parse_reference... no
checking for ldap_start_tls_s... no
checking for ldap_bind_s... yes


...from config.log:

configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
configure: failed program was:
#line 5011 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char ldap_start_tls_s (); below.  */
#include <assert.h>
/* Override any gcc2 internal prototype to avoid an error.  */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
    builtin and then its argument prototype would still apply.  */
char ldap_start_tls_s ();
char (*f) ();
#ifdef F77_DUMMY_MAIN
#  ifdef __cplusplus
      extern "C"
#  endif
    int F77_DUMMY_MAIN() { return 1; }
#endif
int
main ()
{
/* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
#if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
choke me
#else
f = ldap_start_tls_s;
#endif

   ;
   return 0;
}
configure:5067: result: no
configure:5414: checking for ldap_bind_s
configure:5457: cc -o conftest -O -pipe -march=pentium3   -R/usr/local/lib -L/usr/local/lib -lldap -R/usr/local/lib -L/usr/local/lib -llber  conftest.c  >&5
configure:5460: $? = 0
configure:5463: test -s conftest
configure:5466: $? = 0
configure:5476: result: yes
configure:5583: checking for ld used by GCC
configure:5646: result: /usr/bin/ld
configure:5655: checking if the linker (/usr/bin/ld) is GNU ld
GNU ld version 2.15 [FreeBSD] 2004-05-23
configure:5667: result: yes
configure:5672: checking for /usr/bin/ld option to reload object files
configure:5679: result: -r
configure:5684: checking for BSD-compatible nm
configure:5720: result: nm
configure:5723: checking for a sed that does not truncate output
configure:5805: result: /usr/bin/sed
configure:5808: checking whether ln -s works
configure:5812: result: yes
configure:5819: checking how to recognise dependent libraries
configure:6001: result: pass_all
configure:6013: checking command to parse nm output
configure:6097: cc -c -O -pipe -march=pentium3  conftest.c >&5
configure:6100: $? = 0
configure:6104: nm conftest.o \| sed -n -e 's/^.*[ ]\([ABCDGISTW][ABCDGISTW]*\)[   ][      ]*\(\)\([_A-Za-z][_A-Za-z0-9]*\)$/\1 \2\3 \3/p' \> conftest.nm
configure:6107: $? = 0
configure:6159: cc -o conftest -O -pipe -march=pentium3   conftest.c conftstm.o >&5
configure:6162: $? = 0
configure:6206: result: ok
configure:6215: checking how to run the C preprocessor
configure:6241: cc -E  conftest.c
configure:6247: $? = 0
configure:6274: cc -E  conftest.c
configure:6271:28: ac_nonexistent.h: No such file or directory
configure:6280: $? = 1
configure: failed program was:
#line 6270 "configure"
#include "confdefs.h"
#include <ac_nonexistent.h>
configure:6317: result: cc -E
configure:6332: cc -E  conftest.c
configure:6338: $? = 0
configure:6365: cc -E  conftest.c
configure:6362:28: ac_nonexistent.h: No such file or directory
configure:6371: $? = 1
configure: failed program was:
#line 6361 "configure"
#include "confdefs.h"
#include <ac_nonexistent.h>
configure:6411: checking for ANSI C header files
configure:6425: cc -E  conftest.c
configure:6431: $? = 0
configure:6518: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
configure:6521: $? = 0

ac_cv_func_ldap_start_tls_s=no


 	From php_ldap.h:

#if LDAP_API_VERSION > 2000
PHP_FUNCTION(ldap_start_tls);
#endif

 	From ldap.c:

#ifdef HAVE_LDAP_START_TLS_S
         PHP_FE(ldap_start_tls, NULL)
#endif



#ifdef HAVE_LDAP_START_TLS_S
/* {{{ proto bool ldap_start_tls(resource link)
    Start TLS */
PHP_FUNCTION(ldap_start_tls)
{
         zval **link;
         ldap_linkdata *ld;
         int rc, protocol = LDAP_VERSION3;

         if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &link) == FAILURE) {
                 WRONG_PARAM_COUNT;
         }

         ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, link, -1, "ldap link", le_link);

         if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) ||
                 ((rc = ldap_start_tls_s(ld->link, NULL, NULL)) != LDAP_SUCCESS)
         ) {
                 php_error_docref(NULL TSRMLS_CC, E_WARNING,"Unable to start TLS: %s", ldap_err2string(rc));
                 RETURN_FALSE;
         } else {
                 RETURN_TRUE;
         }
}
/* }}} */
#endif



On Fri, 2 Sep 2005, Rasmus Lerdorf wrote:

> Brian A. Seklecki wrote:
>> Firstly, sorry if this is the wrong list.  There are thousands of forums
>> and PHP5 related MLs, but nothing FBSD specific.
>>
>> Second, I wouldn't post if this wasn't happening on two completely
>> different FBSD boxes.
>>
>> For whatever reason, the php4 and php5 from FreeBSD ports refuses to
>> properly configure SSL/TLS support for the LDAP module.
>
> Can't you just build from the PHP tarball instead?  Seems like a messed
> up port to me.  I use FreeBSD all day, every day and haven't seen this
> problem.  But I also don't use the ports.
>
> -Rasmus
>

l8*
 	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
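
Added note, not part of the original message: in the config.log excerpt above, the ldap_start_tls_s test program is linked with no -l flags, while the ldap_bind_s test further down is linked with -lldap -llber. The shell script below is an added example (not code from the poster or from PHP) that flags that pattern in a config.log; the function names audit_config_log and sample_log are hypothetical, the sample log is constructed from lines quoted in the message, and the line number on its "checking for ldap_start_tls_s" line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit an autoconf config.log
# for function checks that failed at link time although the link command
# named no library, the pattern visible for ldap_start_tls_s in the message.

# Constructed sample: lines modelled on the config.log excerpt in the post;
# the "checking for ldap_start_tls_s" line number (5004) is a placeholder.
sample_log() {
cat <<'EOF'
configure:5004: checking for ldap_start_tls_s
configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
: undefined reference to `ldap_start_tls_s'
configure:5051: $? = 1
configure:5067: result: no
configure:5414: checking for ldap_bind_s
configure:5457: cc -o conftest -O -pipe -march=pentium3   -R/usr/local/lib -L/usr/local/lib -lldap -R/usr/local/lib -L/usr/local/lib -llber  conftest.c  >&5
configure:5460: $? = 0
configure:5476: result: yes
EOF
}

# Reads config.log on stdin; prints "<function> <verdict>" per check:
#   OK      the result was anything other than "no"
#   ABSENT  result "no" with a -l library on the link line (or no link error)
#   SUSPECT result "no", "undefined reference", and no -l flag at all,
#           so the result says nothing about whether the library has it
audit_config_log() {
    awk '
    /^configure:[0-9]+: checking for [A-Za-z_][A-Za-z0-9_]*$/ {
        fn = $NF; has_lib = 0; undef = 0; next
    }
    fn == "" { next }
    /^configure:[0-9]+: .* -o conftest / { has_lib = ($0 ~ / -l[A-Za-z]/) }
    /undefined reference to/ { undef = 1 }
    /^configure:[0-9]+: result: / {
        if ($NF != "no")            verdict = "OK"
        else if (undef && !has_lib) verdict = "SUSPECT"
        else                        verdict = "ABSENT"
        print fn, verdict; fn = ""
    }'
}

sample_log | audit_config_log
```

A SUSPECT verdict for ldap_start_tls_s corresponds to the outcome traced in the message: HAVE_LDAP_START_TLS_S stays undefined and ldap_start_tls() is not registered in the built extension.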


More information about the freebsd-questions mailing list