From thomas@laurel.tmseck.homedns.org  Fri Jul 23 05:27:25 2004
Return-Path: <thomas@laurel.tmseck.homedns.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 059D716A519
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 23 Jul 2004 05:27:25 +0000 (GMT)
Received: from smtp2.netcologne.de (smtp2.netcologne.de [194.8.194.218])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 629EC43D45
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 23 Jul 2004 05:27:24 +0000 (GMT)
	(envelope-from thomas@laurel.tmseck.homedns.org)
Received: from laurel.tmseck.homedns.org (xdsl-213-196-251-181.netcologne.de [213.196.251.181])
	by smtp2.netcologne.de (Postfix) with SMTP id 454844A49
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 23 Jul 2004 07:27:23 +0200 (MEST)
Received: (qmail 927 invoked by uid 1001); 23 Jul 2004 05:27:07 -0000
Message-Id: <20040723052707.926.qmail@laurel.tmseck.homedns.org>
Date: 23 Jul 2004 05:27:07 -0000
From: Thomas-Martin Seck <tmseck@netcologne.de>
Reply-To: Thomas-Martin Seck <tmseck@netcologne.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [Maintainer] www/squid: use OpenLDAP 2.1 for authentication
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         69465
>Category:       ports
>Synopsis:       [Maintainer] www/squid: use OpenLDAP 2.1 for authentication
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    krion
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 23 05:30:20 GMT 2004
>Closed-Date:    Fri Jul 23 12:30:27 GMT 2004
>Last-Modified:  Fri Jul 23 12:40:26 GMT 2004
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of July 23rd, 2004.

	
>Description:

The squid LDAP helpers do not yet work with OpenLDAP 2.2, see
squid bug #1018.

Use OpenLDAP 2.1 instead until this issue is resolved.

	
>How-To-Repeat:
	
>Fix:
Apply this patch:


Index: Makefile
===================================================================
--- Makefile	(revision 126)
+++ Makefile	(working copy)
@@ -161,6 +161,7 @@
 MAN8+=		pam_auth.8 squid_unix_group.8
 .if defined(WITH_SQUID_LDAP_AUTH)
 USE_OPENLDAP=	yes
+WANT_OPENLDAP_VER=	21
 CFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib
 MAN8+=		squid_ldap_auth.8 squid_ldap_group.8
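Review bot: setting WANT_OPENLDAP_VER=21 unconditionally inside the WITH_SQUID_LDAP_AUTH block pins the dependency to one client version instead of describing the incompatibility, so a user who already has openldap-client-2.2 installed gets a package conflict with no pointer to the underlying squid bug, and other ports on the same host are pushed toward a client version they may not want. Since the breakage is temporary and tracked upstream, an IGNORE that fires only in the 2.2 case and carries the bug reference (`.if ${WANT_OPENLDAP_VER}==22` / `IGNORE= ... <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>` / `.endif`) gives the same protection with a clearer message and no forced downgrade.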
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->krion 
Responsible-Changed-By: krion 
Responsible-Changed-When: Fri Jul 23 05:36:28 GMT 2004 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=69465 

From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Thomas-Martin Seck <tmseck@netcologne.de>
Cc: FreeBSD-gnats-submit@FreeBSD.org,
	Kirill Ponomarew <krion@FreeBSD.org>
Subject: Re: ports/69465: [Maintainer] www/squid: use OpenLDAP 2.1 for authentication
Date: Fri, 23 Jul 2004 10:17:11 +0200

 Thomas-Martin Seck wrote:
 
 > --- Makefile	(revision 126)
 > +++ Makefile	(working copy)
 > @@ -161,6 +161,7 @@
 >  MAN8+=		pam_auth.8 squid_unix_group.8
 >  .if defined(WITH_SQUID_LDAP_AUTH)
 >  USE_OPENLDAP=	yes
 > +WANT_OPENLDAP_VER=	21
 >  CFLAGS+=	-I${LOCALBASE}/include
 >  LDFLAGS+=	-L${LOCALBASE}/lib
 >  MAN8+=		squid_ldap_auth.8 squid_ldap_group.8
 
 IMHO this is not the right fix. I would do
 
 .if ${WANT_OPENLDAP_VER}==22
 IGNORE=	Bugs in squid_ldap_auth with OpenLDAP 2.2 
 <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
 .endif
 
 because
 
 a) This does not need a PORTREVISION bump (ok, OpenLDAP support is not 
 the default, so this might be unnecessary)
 
 b) Users with OpenLDAP 2.2 installed get an informative error message, 
 instead of
    `openldap-client-2.1.30 conflicts with installed package(s): 
 openldap-client-2.2.14'
 
 c) It doesn't force the installation of an OpenLDAP version incompatible 
 with other ports.
 
 Btw, has anyone tested the code with OpenLDAP 2.1? I seem to get the 
 same crashes in the -P case, -H doesn't work as advertised, and, what's 
 even worse than crashing is that I'm able to authorize with *every* 
 password. So the proper `fix' would be
 
 IGNORE=	Bugs in squid_ldap_auth <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
 
 -Oliver
 

From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Thomas-Martin Seck <tmseck@netcologne.de>
Cc: Kirill Ponomarew <krion@FreeBSD.org>,
	FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/69465: [Maintainer] www/squid: use OpenLDAP 2.1 for authentication
Date: Fri, 23 Jul 2004 10:22:39 +0200

 For the record:
 
 the following patch (the same as in <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>),
 added as files/patch-helpers::basic_auth::LDAP::squid_ldap_auth.c, will fix the
 `authenticate everyone' bug and the crashes in the non-persistent case (without -P),
 so the module is at least barely usable. -H and -P still don't work, neither with
 OpenLDAP 2.2 nor with OpenLDAP 2.1.
 
 -Oliver
 
 --- helpers/basic_auth/LDAP/squid_ldap_auth.c.orig	Thu Jul 22 19:53:20 
 2004
 +++ helpers/basic_auth/LDAP/squid_ldap_auth.c	Thu Jul 22 19:53:20 2004
 @@ -486,7 +486,8 @@
   	if (checkLDAP(ld, user, passwd, ldapServer, port) != 0) {
   	    if (tryagain && squid_ldap_errno(ld) != 
 LDAP_INVALID_CREDENTIALS) {
   		tryagain = 0;
 -		ldap_unbind(ld);
 +		if (ld)
 +		    ldap_unbind(ld);
   		ld = NULL;
   		goto recover;
   	    }
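 Review bot: the added `if (ld)` guard before `ldap_unbind(ld)` stops the recover path from unbinding a NULL handle, but it sits after `checkLDAP(ld, user, passwd, ldapServer, port)` and `squid_ldap_errno(ld)` have already been called with the same pointer in this hunk; if ld can be NULL at this point, both of those must tolerate a NULL handle as well, otherwise the crash only moves a few lines up. Worth confirming before committing, or moving the NULL check ahead of the checkLDAP call.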
 @@ -637,7 +638,7 @@
   	ldap_unbind(bind_ld);
   	bind_ld = NULL;
       }
 -    return 0;
 +    return ret;
   }
 
   int
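 Review bot: returning `ret` instead of a hard-coded `0` is the actual fix for the authenticate-with-every-password behaviour described above, because a caller that treats 0 as "bind succeeded" previously saw success on every path through this function. The hunk does not show where `ret` is assigned, so verify that it is initialised to a failure value before the bind is attempted and set to 0 only on a successful bind; a path that reaches this return without touching `ret` (for example when `bind_ld` is NULL and the unbind is skipped) would otherwise still report success.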
 
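 As an added illustration of the `return 0` versus `return ret` point in Oliver's message above (example code written for this review, not squid's helper and not part of the original PR): a minimal basic-auth helper loop in the style of squid_ldap_auth, with the LDAP bind replaced by a constructed in-memory table so it runs offline. `check_credentials_buggy` mirrors the pre-patch behaviour of computing the bind result and then discarding it, `check_credentials_fixed` mirrors the patched code, and `helper_reply` implements the one "user password" line in, "OK" or "ERR" out protocol a basic auth helper speaks to squid. All function names and the sample accounts are assumptions.

```c
/* Added example, not squid's code: why an auth helper must propagate the
 * bind result instead of returning a hard-coded 0. The LDAP bind is
 * replaced by a constructed in-memory table so this runs offline. */
#include <stdio.h>
#include <string.h>

/* Constructed sample directory standing in for the LDAP server. */
struct entry {
    const char *user;
    const char *passwd;
};
static const struct entry directory[] = {
    { "alice", "s3cret" },
    { "bob",   "hunter2" },
};

/* Stand-in for an LDAP simple bind: 0 on success, -1 on invalid credentials. */
static int fake_bind(const char *user, const char *passwd)
{
    size_t i;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        if (strcmp(directory[i].user, user) == 0 &&
            strcmp(directory[i].passwd, passwd) == 0)
            return 0;
    }
    return -1;
}

/* Mirrors the pre-patch bug ("return 0"): the bind result is computed and
 * then thrown away, so every password is accepted. */
int check_credentials_buggy(const char *user, const char *passwd)
{
    int ret = fake_bind(user, passwd);
    (void)ret;          /* result ignored: this is the defect */
    return 0;
}

/* Mirrors the patched code ("return ret"): start from failure and return
 * whatever the bind reported, so the helper fails closed. */
int check_credentials_fixed(const char *user, const char *passwd)
{
    int ret = -1;       /* assume failure until the bind says otherwise */
    ret = fake_bind(user, passwd);
    return ret;
}

/* Basic-auth helper protocol: squid writes one "user password" line per
 * request and expects "OK" or "ERR" back. A malformed line is never OK. */
const char *helper_reply(const char *line,
                         int (*check)(const char *, const char *))
{
    char user[64], passwd[64];
    if (sscanf(line, "%63s %63s", user, passwd) != 2)
        return "ERR";
    return check(user, passwd) == 0 ? "OK" : "ERR";
}

/* Stand-alone demo: run the same requests through both variants. */
int main(void)
{
    static const char *requests[] = {
        "alice s3cret",      /* valid credentials */
        "alice wrongpass",   /* wrong password */
        "mallory anything",  /* unknown user */
        "garbage",           /* malformed request */
    };
    size_t i;
    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        printf("%-18s buggy=%-3s fixed=%s\n", requests[i],
               helper_reply(requests[i], check_credentials_buggy),
               helper_reply(requests[i], check_credentials_fixed));
    }
    return 0;
}
```

 Running the demo shows the buggy variant answering OK for the wrong password and the unknown user, while the fixed variant answers ERR for everything except the valid pair; the same two-variant comparison is a cheap regression test to keep next to any helper that gates authentication on a return code.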

From: Thomas-Martin Seck <tmseck@netcologne.de>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc: bug-followup@freebsd.org
Subject: Re: ports/69465: [Maintainer] www/squid: use OpenLDAP 2.1 for authentication
Date: Fri, 23 Jul 2004 13:52:53 +0200

 * Oliver Eikemeier (eikemeier@fillmore-labs.com):
 
 > Thomas-Martin Seck wrote:
 > 
 > >--- Makefile	(revision 126)
 > >+++ Makefile	(working copy)
 > >@@ -161,6 +161,7 @@
 > > MAN8+=		pam_auth.8 squid_unix_group.8
 > > .if defined(WITH_SQUID_LDAP_AUTH)
 > > USE_OPENLDAP=	yes
 > >+WANT_OPENLDAP_VER=	21
 > > CFLAGS+=	-I${LOCALBASE}/include
 > > LDFLAGS+=	-L${LOCALBASE}/lib
 > > MAN8+=		squid_ldap_auth.8 squid_ldap_group.8
 > 
 > IMHO this is not the right fix. I would do
 > 
 > .if ${WANT_OPENLDAP_VER}==22
 > IGNORE=	Bugs in squid_ldap_auth with OpenLDAP 2.2 
 > <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
 > .endif
 > 
 
 This is fine with me.
 
 > because
 > 
 > a) This does not need a PORTREVISION bump (ok, OpenLDAP support is not 
 > the default, so this might be unnecessary)
 
 This was my intention -- my rule of thumb is: does the content of the
 pointyhat package change? If so, bump PORTREVISION. I do not think this
 change justifies this; I don't think LDAP auth is in widespread use.
 
 > 
 > b) Users with OpenLDAP 2.2 installed get an informative error message, 
 > instead of
 >   `openldap-client-2.1.30 conflicts with installed package(s): 
 > openldap-client-2.2.14'
 
 Yep. 
 
 > 
 > c) It doesn't force the installation of an OpenLDAP version incompatible 
 > with other ports.
 
 Hm -- is WANT_LDAP_VER only to be used as a general variable and should
 not be used by a port? That's what you get from trying to find a quick
 workaround...
 
 > Btw, has anyone tested the code with OpenLDAP 2.1? I seem to get the 
 > same crashes in the -P case, -H doesn't work as advertised, and, what's 
 > even worse than crashing is that I'm able to authorize with *every* 
 > password. So the proper `fix' would be
 > 
 > IGNORE=	Bugs in squid_ldap_auth <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
 
 It seems the LDAP-update patch is the root of all evil. Could you back
 it out and test the "old" ldap_auth helpers against OpenLDAP 2.2? If it
 works, I simply remove it from the list of patches and wait until the
 dust settles.
 
State-Changed-From-To: open->closed 
State-Changed-By: eik 
State-Changed-When: Fri Jul 23 14:29:41 CEST 2004 
State-Changed-Why:  
Patch removed until the problems are resolved upstream. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=69465 

From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Thomas-Martin Seck <tmseck@netcologne.de>
Cc: bug-followup@freebsd.org
Subject: Re: ports/69465: [Maintainer] www/squid: use OpenLDAP 2.1 for authentication
Date: Fri, 23 Jul 2004 14:28:37 +0200

 Thomas-Martin Seck wrote:
 
 > * Oliver Eikemeier (eikemeier@fillmore-labs.com):
 > [...]
 >> c) It doesn't force the installation of an OpenLDAP version 
 >> incompatible
 >> with other ports.
 >
 > Hm -- is WANT_LDAP_VER only to be used as a general variable and should
 > not be used by a port? That's what you get from trying to find a quick
 > workaround...
 
 It's thought for ports that generally need OpenLDAP 2.1. I do not expect 
 them to exist, but it's there just in case. In this case it's just a 
 temporary breakage, which I would treat differently. It's a matter of 
 style, your approach isn't wrong, but points users in the wrong 
 direction (IMHO).
 
 >> Btw, has anyone tested the code with OpenLDAP 2.1? I seem to get the
 >> same crashes in the -P case, -H doesn't work as advertised, and, what's
 >> even worse than crashing is that I'm able to authorize with *every*
 >> password. So the proper `fix' would be
 >>
 >> IGNORE=	Bugs in squid_ldap_auth <http://www.squid-cache.org/bugs/show_bug.cgi?id=1018>
 >
 > It seems the LDAP-update patch is the root of all evil. Could you back
 > it out and test the "old" ldap_auth helpers against OpenLDAP 2.2? If it
 > works, I simply remove it from the list of patches and wait until the
 > dust settles.
 
 Jup, let's try this.
 
 -Oliver
 
>Unformatted:
