[PHP] FreeBSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls()

Brian A. Seklecki lavalamp at spiritual-machines.org
Sat Sep 3 13:19:17 PDT 2005


Okay, problem fixed:

1) cd /usr/{ports,pkgsrc}/{net/php5-ldap,databases/php-ldap} on 
{Free,Net}BSD respectively

2) sudo make configure

3) sudo vim
On FreeBSD
work/php-5.0.4/ext/ldap/config.h or..
work/php-4.4.0/ext/ldap/config.h

on NetBSD:
work/php-5.0.4/ext/ldap/config.h

4) Change:
/* Define to 1 if you have the `ldap_start_tls_s' function. */
/* #undef HAVE_LDAP_START_TLS_S */

    To:

#define HAVE_LDAP_START_TLS_S 1

5) sudo make install

6) carry on pretending that your employee data is secure

$ cat ~/public_html/testtls.php
<?php
/* Quick check that the rebuilt extension now exports ldap_start_tls() */
if (function_exists('ldap_start_tls')) {
                echo "I see it!\n";
}
?>

[0] seklecki at blah:/$ php ~/public_html/testtls.php
I see it!

7) ...sit around on your day off and try to determine how the following 
piece of code from configure.sh was [ever] supposed to determine if 
ldap_start_tls_s() was a valid function w/o including arguments 
-I/usr/local/include, -L/usr/local/lib to gcc(1) or #including ldap.h or 
lber.h, and wonder who is responsible >:}

*cough*

http://chora.php.net/diff.php/php-src/ext/ldap/config.m4?php=3c934ff67902f7c5ce419c901b82c77e&r1=1.23&r2=1.24&ty=h&num=10

*cough* ... 8-) ...i dunno, maybe it "just works(r)" on Linux >:}


| /* confdefs.h.  */
|
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define COMPILE_DL_LDAP 1
| #define HAVE_LDAP 1
| #define HAVE_3ARG_SETREBINDPROC 1
| /* end confdefs.h.  */
| /* Define ldap_start_tls_s to an innocuous variant, in case <limits.h> declares ldap_start_tls_s.
|    For example, HP-UX 11i <limits.h> declares gettimeofday.  */
| #define ldap_start_tls_s innocuous_ldap_start_tls_s
| /* System header to define __stub macros and hopefully few prototypes,
|     which can conflict with char ldap_start_tls_s (); below.
|     Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
|     <limits.h> exists even on freestanding compilers.  */
|
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
|
| #undef ldap_start_tls_s
|
| /* Override any gcc2 internal prototype to avoid an error.  */
| #ifdef __cplusplus
| extern "C"
| {
| #endif
| /* We use char because int might match the return type of a gcc2
|    builtin and then its argument prototype would still apply.  */
| char ldap_start_tls_s ();
| /* The GNU C library defines this for functions which it implements
|     to always fail with ENOSYS.  Some functions are actually named
|     something starting with __ and the normal name is an alias.  */
| #if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
| choke me
| #else
| char (*f) () = ldap_start_tls_s;
| #endif
| #ifdef __cplusplus
| }
| #endif
|
| int
| main ()
| {
| return f != ldap_start_tls_s;
|   ;
|   return 0;
| }



~BAS

On Sat, 3 Sep 2005, Brian A. Seklecki wrote:

>
> Rasmus / all:
>
> I'll revert to that as path of last resort.  The FreeBSD port mechanism for 
> installing php extensions is administratively superior to maintaining source 
> installations manually.  Apache/PHP/LDAP/SSL/SQL cocktails on anything other 
> than Linux are way too convoluted to not be using Ports, especially with the 
> number of security advisories that come out.  Without the XML vulnerability 
> checklist from 'portaudit', you might as well grab your ankles.
>
> Anyway, it's not FreeBSD ports.  The damn configure script in 
> php{4,5}???/ext/ldap/ per the following:
>
> Update:  The problem persists elsewhere than FreeBSD 5.3/i386.  It's also
> happening on a NetBSD/i386 host with a -current (cvs -rHEAD)
> pkgsrc/databases/{,php-ldap-}openldap/
>
> Okay, I traced it down:
>
> in /usr/ports/net/php5-ldap/work/php-5.0.4/ext/ldap/configure ->
> conftest -> ldap_start_tls_s();
> ldap_start_tls_s return false -> ac_cv_func_ldap_start_tls_s=no in config.log
> config.log -> ldap.h -> #undef HAVE_LDAP_START_TLS_S
> config.c -> HAVE_LDAP_START_TLS_S -> PHP_FE(ldap_start_tls, NULL)
>
> ...therefore ldap_start_tls isn't registered.  The question is why the 
> conftest.c in GNU autoconf is failing with:
>
> configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
> /var/tmp//cc63HySI.o(.text+0x12): In function `main':
> : undefined reference to `ldap_start_tls_s'
>
> ...Which is odd since:
>
>
> php4$ grep -ir ldap_start_tls_s lib/*
> Binary file lib/libldap-2.2.so matches
> Binary file lib/libldap-2.2.so.7 matches
> Binary file lib/libldap.a matches
> Binary file lib/libldap.so matches
> Binary file lib/libldap_r-2.2.so matches
> Binary file lib/libldap_r-2.2.so.7 matches
> Binary file lib/libldap_r.a matches
> Binary file lib/libldap_r.so matches
> Binary file lib/pam_ldap.so matches
>
> php4$ grep -ir ldap_start_tls_s include/*
> include/ldap.h:ldap_start_tls_s LDAP_P((
> include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function.  */
> include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */
>
>
> $ nm lib/libldap-2.2.so.7|grep -i start_tls
> 0002b770 T ldap_start_tls_s
>
> and...
>
> php5$ grep -ir ldap_start_tls_s lib/*
> Binary file lib/libldap-2.2.so matches
> Binary file lib/libldap-2.2.so.7 matches
> Binary file lib/libldap.a matches
> Binary file lib/libldap.so matches
> Binary file lib/libldap_r-2.2.so matches
> Binary file lib/libldap_r-2.2.so.7 matches
> Binary file lib/libldap_r.a matches
> Binary file lib/libldap_r.so matches
>
> php5$ grep -ir ldap_start_tls_s include/*
> include/ldap.h:ldap_start_tls_s LDAP_P((
> include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function.  */
> include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */
>
> $ nm lib/libldap-2.2.so.7|grep -i start_tls
> 0002b770 T ldap_start_tls_s
>
> ..from 'make configure' in ports/net/php5-ldap/
>
> checking for LDAP support... yes, shared
> checking for LDAP Cyrus SASL support... no
> checking for 3 arg ldap_set_rebind_proc... yes
> checking for ldap_parse_reference... no
> checking for ldap_start_tls_s... no
> checking for ldap_bind_s... yes
>
>
> ...from config.log:
>
> configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
> /var/tmp//cc63HySI.o(.text+0x12): In function `main':
> : undefined reference to `ldap_start_tls_s'
> configure:5051: $? = 1
> configure: failed program was:
> #line 5011 "configure"
> #include "confdefs.h"
> /* System header to define __stub macros and hopefully few prototypes,
>    which can conflict with char ldap_start_tls_s (); below.  */
> #include <assert.h>
> /* Override any gcc2 internal prototype to avoid an error.  */
> #ifdef __cplusplus
> extern "C"
> #endif
> /* We use char because int might match the return type of a gcc2
>   builtin and then its argument prototype would still apply.  */
> char ldap_start_tls_s ();
> char (*f) ();
> #ifdef F77_DUMMY_MAIN
> #  ifdef __cplusplus
>     extern "C"
> #  endif
>   int F77_DUMMY_MAIN() { return 1; }
> #endif
> int
> main ()
> {
> /* The GNU C library defines this for functions which it implements
>    to always fail with ENOSYS.  Some functions are actually named
>    something starting with __ and the normal name is an alias.  */
> #if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
> choke me
> #else
> f = ldap_start_tls_s;
> #endif
>
>  ;
>  return 0;
> }
> configure:5067: result: no
> configure:5414: checking for ldap_bind_s
> configure:5457: cc -o conftest -O -pipe -march=pentium3   -R/usr/local/lib -L/usr/local/lib -lldap -R/usr/local/lib -L/usr/local/lib -llber  conftest.c  >&5
> configure:5460: $? = 0
> configure:5463: test -s conftest
> configure:5466: $? = 0
> configure:5476: result: yes
> configure:5583: checking for ld used by GCC
> configure:5646: result: /usr/bin/ld
> configure:5655: checking if the linker (/usr/bin/ld) is GNU ld
> GNU ld version 2.15 [FreeBSD] 2004-05-23
> configure:5667: result: yes
> configure:5672: checking for /usr/bin/ld option to reload object files
> configure:5679: result: -r
> configure:5684: checking for BSD-compatible nm
> configure:5720: result: nm
> configure:5723: checking for a sed that does not truncate output
> configure:5805: result: /usr/bin/sed
> configure:5808: checking whether ln -s works
> configure:5812: result: yes
> configure:5819: checking how to recognise dependent libraries
> configure:6001: result: pass_all
> configure:6013: checking command to parse nm output
> configure:6097: cc -c -O -pipe -march=pentium3  conftest.c >&5
> configure:6100: $? = 0
> configure:6104: nm conftest.o \| sed -n -e 's/^.*[ 
> ]\([ABCDGISTW][ABCDGISTW]*\)[   ][      ]*\(\)\([_A-Za-z][_A-
> Za-z0-9]*\)$/\1 \2\3 \3/p' \> conftest.nm
> configure:6107: $? = 0
> configure:6159: cc -o conftest -O -pipe -march=pentium3   conftest.c 
> conftstm.o >&5
> configure:6162: $? = 0
> configure:6206: result: ok
> configure:6215: checking how to run the C preprocessor
> configure:6241: cc -E  conftest.c
> configure:6247: $? = 0
> configure:6274: cc -E  conftest.c
> configure:6271:28: ac_nonexistent.h: No such file or directory
> configure:6280: $? = 1
> configure: failed program was:
> #line 6270 "configure"
> #include "confdefs.h"
> #include <ac_nonexistent.h>
> configure:6317: result: cc -E
> configure:6332: cc -E  conftest.c
> configure:6338: $? = 0
> configure:6365: cc -E  conftest.c
> configure:6362:28: ac_nonexistent.h: No such file or directory
> configure:6371: $? = 1
> configure: failed program was:
> #line 6361 "configure"
> #include "confdefs.h"
> #include <ac_nonexistent.h>
> configure:6411: checking for ANSI C header files
> configure:6425: cc -E  conftest.c
> configure:6431: $? = 0
> configure:6518: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
> configure:6521: $? = 0
>
> ac_cv_func_ldap_start_tls_s=no
>
>
> 	From php_ldap.h:
>
> #if LDAP_API_VERSION > 2000
> PHP_FUNCTION(ldap_start_tls);
> #endif
>
> 	From ldap.c:
>
> #ifdef HAVE_LDAP_START_TLS_S
>        PHP_FE(ldap_start_tls, NULL)
> #endif
>
>
>
> #ifdef HAVE_LDAP_START_TLS_S
> /* {{{ proto bool ldap_start_tls(resource link)
>   Start TLS */
> PHP_FUNCTION(ldap_start_tls)
> {
>        zval **link;
>        ldap_linkdata *ld;
>        int rc, protocol = LDAP_VERSION3;
>
>        if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &link) == FAILURE) {
>                WRONG_PARAM_COUNT;
>        }
>
>        ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, link, -1, "ldap link", le_link);
>
>        if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) ||
>                ((rc = ldap_start_tls_s(ld->link, NULL, NULL)) != LDAP_SUCCESS)
>        ) {
>                php_error_docref(NULL TSRMLS_CC, E_WARNING,"Unable to start TLS: %s", ldap_err2string(rc));
>                RETURN_FALSE;
>        } else {
>                RETURN_TRUE;
>        }
> }
> /* }}} */
> #endif
>
>
>
> On Fri, 2 Sep 2005, Rasmus Lerdorf wrote:
>
>> Brian A. Seklecki wrote:
>>> Firstly, sorry if this is the wrong list.  There are thousands of forums
>>> and PHP5 related MLs, but nothing FBSD specific.
>>> 
>>> Second, I wouldn't post if this wasn't happening on two completely
>>> different FBSD boxes.
>>> 
>>> For whatever reason, the php4 and php5 from FreeBSD ports refuses to
>>> properly configure SSL/TLS support for the LDAP module.
>> 
>> Can't you just build from the PHP tarball instead?  Seems like a messed
>> up port to me.  I use FreeBSD all day, every day and haven't seen this
>> problem.  But I also don't use the ports.
>> 
>> -Rasmus
>> 
>
> l8*
> 	-lava
>
> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>
>

l8*
 	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
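The practical consequence of the broken configure check above is that ext/ldap ships without ldap_start_tls(), and a script that only calls ldap_bind() then sends the password in cleartext on port 389. Below is an added example, not code from the thread or from PHP itself, of a fail-closed bind helper that refuses to send credentials unless the function exists and StartTLS actually succeeds; the hostname, bind DN and LDAP_PW environment variable are placeholder assumptions.

```php
<?php
// Added example (not from the original thread or from PHP's ext/ldap):
// a fail-closed LDAP bind.  Hostname, DN and LDAP_PW are placeholders.

function ldap_bind_with_tls_or_fail($uri, $bindDn, $password)
{
    // Build-time check: an ext/ldap configured without HAVE_LDAP_START_TLS_S
    // simply does not register ldap_start_tls().  Refuse to continue instead
    // of silently falling through to a cleartext bind.
    if (!function_exists('ldap_start_tls')) {
        throw new RuntimeException(
            'ldap_start_tls() missing: ext/ldap was built without TLS support; '
            . 'refusing to send credentials in cleartext');
    }

    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("ldap_connect() failed for $uri");
    }

    // StartTLS needs LDAPv3; ldap_start_tls() sets this itself (see ldap.c
    // above), but set it explicitly so ldap_bind() uses the same version.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Run-time check: upgrade to TLS before any credential leaves the host.
    // Server certificate verification is governed by TLS_REQCERT in the
    // OpenLDAP client ldap.conf; leave it at its default of "demand".
    if (!@ldap_start_tls($ds)) {          // @: the ext emits E_WARNING itself
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("StartTLS refused by $uri: $err");
    }

    if (!@ldap_bind($ds, $bindDn, $password)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("bind as $bindDn failed: $err");
    }
    return $ds;   // bound, TLS-protected connection
}

// Placeholder values; not real hosts or accounts.
try {
    $ds = ldap_bind_with_tls_or_fail('ldap://ldap.example.invalid',
                                     'cn=reader,dc=example,dc=invalid',
                                     getenv('LDAP_PW'));
    echo "bound over TLS\n";
    ldap_unbind($ds);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Run with `LDAP_PW=... php testtls.php`; on a build affected by the configure bug it exits 1 with the "ldap_start_tls() missing" message rather than binding in the clear.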

