Recompile apache2 to support LDAP on Solaris 10
###########################################################
How and WHY to re-compile apache to support LDAP on Solaris 10
by Ben Patridge
###########################################################

I had been fighting to install LDAP on my Solaris 10 server with apache2 and php5 but had been unsuccessful.

==========================================================
TROUBLESHOOTING THAT LED TO THIS SOLUTION
==========================================================

In a nutshell, connecting using adLDAP worked from the PHP CLI but failed via the web browser. The clue that I needed to install the components listed below was the following error messages in /usr/local/apache/logs/php_error.log:

PHP Warning: ldap_bind(): Unable to bind to server: Out of memory in /usr/local/apache/htdocs/ltest/includes/adLDAP.php on line 418
php_errors.log:[18-Nov-2010 10:05:02] PHP Fatal error: Uncaught exception 'adLDAPException' with message 'Bind failed. Out of memory' in /usr/local/apache/htdocs/ltest/includes

I compared the output of http://hostname/phpinfo.php with that of /usr/local/apache/bin/php -i, and they are identical. I verified that adLDAP.php is being called by placing an echo statement within it; however, on lines 417/418 of adLDAP.php it returns false instead of continuing when run through the web browser, while it works like a charm from the CLI:

417: $this->_bind = ldap_bind($this->_conn,$username.$this->_account_suffix,$password);
418: if (!$this->_bind){ return (false); }

I verified the memory setting in php.ini was higher than the default, and even upped it to 16, then 64, then 512 (memory_limit = 512M), which made no difference. So I googled and found that these messages were telling me that apr-util was NOT compiled with LDAP support. Therefore I needed to recompile apr, then apr-util, with LDAP support.
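One way to pin down a "works from the CLI, fails under Apache" symptom like the one above, as an added diagnostic that is not part of the original article: a small script, run once with the CLI php and once through Apache, that reports which SAPI it runs under, which php.ini was loaded, whether the ldap extension is present, and whether a TLS-protected connection to the domain controller can be set up. It sends no credentials. The domain controller name, port and the LDAP_DIAG_* environment variables are placeholders of my own.

```php
<?php
// ldap_diag.php: added diagnostic, not part of the original article.
// Run it twice (php ldap_diag.php, then http://hostname/ldap/ldap_diag.php)
// and diff the two outputs. A bind that works from the CLI but fails under
// Apache points at the Apache-side build (apr-util without LDAP), not at PHP
// or at the domain controller.

// Placeholder values (constructed); replace with your own DC and port.
$dc   = getenv('LDAP_DIAG_HOST') ? getenv('LDAP_DIAG_HOST') : 'dc01.example.internal';
$port = getenv('LDAP_DIAG_PORT') ? (int) getenv('LDAP_DIAG_PORT') : 389;

function ldap_diag($dc, $port)
{
    $r = array();
    $r['sapi']          = php_sapi_name();            // cli vs apache2handler
    $r['php_binary']    = PHP_BINDIR;                 // which build this SAPI came from
    $r['php_ini']       = php_ini_loaded_file();      // the php.ini this SAPI actually read
    $r['ldap_ext']      = extension_loaded('ldap');   // did --with-ldap take effect here?
    $r['memory_limit']  = ini_get('memory_limit');    // rules out the red herring in the log
    $r['tcp_reachable'] = false;
    $r['starttls_ok']   = false;
    $r['error']         = '';

    // Plain TCP reachability: the same check as "telnet dc 389", with a timeout.
    $sock = @fsockopen($dc, $port, $errno, $errstr, 3);
    if (!$sock) {
        $r['error'] = "tcp: $errstr ($errno)";
        return $r;
    }
    $r['tcp_reachable'] = true;
    fclose($sock);

    if (!$r['ldap_ext']) {
        return $r;
    }

    // LDAPv3, no referral chasing, then StartTLS. No bind is attempted, so no
    // password leaves this host while you are still diagnosing the build.
    $conn = ldap_connect($dc, $port);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (@ldap_start_tls($conn)) {
        $r['starttls_ok'] = true;
    } else {
        $r['error'] = 'starttls: ' . ldap_error($conn);
    }
    ldap_close($conn);
    return $r;
}

header('Content-Type: text/plain');   // ignored by the CLI; keeps browser output diffable
foreach (ldap_diag($dc, $port) as $k => $v) {
    printf("%-14s %s\n", $k, var_export($v, true));
}
```

If the two runs differ in sapi/php_ini/ldap_ext you have two PHP builds or two php.ini files; if they agree and only the bind differs, the problem is in what Apache itself links against, which is exactly where the apr-util rebuild below comes in.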
Here is a rough outline of how I did it on a Solaris 10 server:

==========================================================
ASSUMPTIONS:
==========================================================

The following assumes you are familiar with compiling code, and you already have a SAMP (Solaris, Apache, MySQL, PHP) server up and running, but you are looking to add LDAP functionality.

==========================================================
BASIC REQUIREMENTS:
==========================================================

apache2+ from http://www.apache.org/
php5+ from http://www.php.net

I downloaded and compiled openldap from http://www.openldap.org
Then I downloaded adLDAP from http://adldap.sourceforge.net/
I downloaded KADM5 from http://pecl.php.net/package/kadm5 (documented at http://php.net/manual/en/book.kadm5.php)
I downloaded mod_auth_ldap-0.5.1.tar.gz from http://www.sfr-fresh.com/unix/www/mod_auth_ldap-0.5.1.tar.gz/
**CONFESSION** Not sure if this is required, but I added it anyway!

==========================================================
ENVIRONMENT VARIABLES
==========================================================

Set your environment correctly!
I typically ensure the following are set:
------------------------------------------------------
LD_LIBRARY_PATH=/usr/local/lib:/usr/local/include:/usr/lib:/usr/local/apache/:/usr/local/apache/lib:/usr/local/apache/lib/include:/usr/local/lib/sparcv9 ; export LD_LIBRARY_PATH
PATH=/usr/local/apache/bin:/usr/local/bin:/usr/local/mysql:/usr/local/mysql/bin:/usr/local/sparc-sun-solaris2.10/bin:/usr/local/ssl:/usr/local/ssl/lib:/usr/local/sbin:/usr/local/include:/usr/local/include/libxml2:/usr/bin:/usr/sbin:/usr/lib:/usr/openwin/bin:/usr/local/apache ; export PATH
BLIB=/usr/local/bin ; export BLIB
LDFLAGS=-lstdc++ ; export LDFLAGS
CC=gcc ; export CC
CPPFLAGS="-I/usr/local/ssl/include" ; export CPPFLAGS
------------------------------------------------------

==========================================================
PROCEDURE
==========================================================

==========================================================
INSTALL OPENLDAP
==========================================================

cd openldap-VERSION
./configure --prefix=/usr/local
make
make install

==========================================================
COMPILE APR
==========================================================

./configure --prefix=/usr/local/apache --enable-threads \
    --enable-other-child
make
make install

==========================================================
COMPILE APR-ICONV
==========================================================

cd apr-iconv-1.2.1
./configure --prefix=/usr/local/apache --enable-threads
make
make install

==========================================================
COMPILE APR-UTIL
==========================================================

I compiled apr-util-1.3.9 with the following options:

cd ../apr-util
make clean
./configure --prefix=/usr/local/apache --with-apr=../apr \
    --with-ldap-lib=/usr/lib --with-ldap-include=/usr/include \
    --with-ldap=ldap
make
make install

Note that apr-util is pointed at the LDAP libraries in /usr/lib here, while httpd below is pointed at the OpenLDAP build in /usr/local/lib; the ldd check further down shows which libldap the finished httpd binary actually links against.

==========================================================
COMPILE MOD_AUTH_LDAP
==========================================================

tar -xzvf mod_auth_ldap-0.5.1.tar.gz
...
mv mod_auth_ldap ../httpd-2.2.13/modules
cd ../httpd-2.2.13/modules
./configure

==========================================================
COMPILE HTTPD/APACHE2
==========================================================

cd httpd-2.2.13
make clean
./configure --prefix=/usr/local/apache --with-ldap=ldap \
    --with-ldap-lib=/usr/local/lib --with-ldap-include=/usr/local/include \
    --enable-ldap --enable-auth-ldap --enable-so --with-apr=/usr/local/apache \
    --enable-auth-digest --enable-rewrite --enable-setenvif --enable-mime \
    --enable-deflate --enable-ssl --with-ssl=/usr/local/ssl --enable-headers
make
make install

==========================================================
COMPILE THE PHP KERBEROS MODULE KADM5
==========================================================

cd kadm5-0.2.3
./configure --prefix=/usr/local
make
make install

==========================================================
COMPILE PHP5
==========================================================

Now to compile PHP 5.

*NOTE: You may need to install some of the dependencies (e.g. the Oracle oci8 instant client) if you wish to use them.
cd php-5.3.3
./configure --prefix=/usr/local/apache --with-mysql=mysqlnd --with-mysqli=mysqlnd \
    --with-pdo-mysql=mysqlnd --with-openssl --with-pic \
    --with-freetype-dir=/usr/local --with-png-dir=/usr/local --with-gd \
    --enable-gd-native-ttf --with-png-dir --with-zlib --enable-ftp \
    --enable-magic-quotes --enable-sockets --with-gmp --with-iconv-dir \
    --with-magickwand=/usr/local --with-apxs2=/usr/local/apache/bin/apxs \
    --with-oci8=instantclient,/usr/local/oracle/instantclient_11_1 \
    --enable-sigchild --enable-mbstring --enable-calendar --enable-bcmath \
    --enable-exif --with-jpeg-dir --enable-gd-native-ttf --with-ldap \
    --with-cli --with-kerberos
make
make install

==========================================================
START APACHE
==========================================================

Start apache:
# /usr/local/apache/bin/apachectl start

==========================================================
VERIFY WITH PHP CLI THE CORRECT PHP.INI IS IN USE
==========================================================

Verify that php.ini is in the correct location and that CLI php is using the correct php.ini:

# php -i | grep "php.ini"
Configuration File (php.ini) Path => /usr/local/apache/lib
Loaded Configuration File => /usr/local/apache/lib/php.ini

==========================================================
VERIFY LDAP IS INSTALLED
==========================================================

# php -i | grep -i ldap
Configure Command => './configure' '--prefix=/usr/local/apache' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd' '--with-openssl' '--with-pic' '--with-freetype-dir=/usr/local' '--with-png-dir=/usr/local' '--with-gd' '--enable-gd-native-ttf' '--with-png-dir' '--with-zlib' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--with-gmp' '--with-iconv-dir' '--with-magickwand=/usr/local' '--with-apxs2=/usr/local/apache/bin/apxs' '--with-oci8=instantclient,/usr/local/oracle/instantclient_11_1' '--enable-sigchild' '--enable-mbstring' '--enable-calendar' '--enable-bcmath' '--enable-exif' '--with-jpeg-dir' '--enable-gd-native-ttf' '--with-ldap' '--with-cli' '--with-kerberos'
ldap
LDAP Support => enabled
RCS Version => $Id: ldap.c 299434 2010-05-17 20:09:42Z pajoye $
Vendor Name => OpenLDAP
ldap.max_links => Unlimited => Unlimited

==========================================================
VERIFY LDAP IS SUPPORTED WITHIN THE HTTPD BINARY
==========================================================

# ldd httpd | grep -i ldap
libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2

==========================================================
VERIFY THE APR UTILITY LIBRARIES ARE INSTALLED
==========================================================

To verify the apr utility libraries are in /usr/local/apache/lib:

# ls lib/*apr*
lib/apr.exp
lib/aprutil.exp
lib/libapr-1.a
lib/libapr-1.la
lib/libapr-1.so
lib/libapr-1.so.0
lib/libapr-1.so.0.4.2
lib/libaprutil-1.a
lib/libaprutil-1.la
lib/libaprutil-1.so
lib/libaprutil-1.so.0
lib/libaprutil-1.so.0.3.10

lib/apr-util-1:
apr_dbd_freetds-1.so
apr_dbd_freetds.a
apr_dbd_freetds.la
apr_dbd_freetds.so
apr_dbd_pgsql-1.so
apr_dbd_pgsql.a
apr_dbd_pgsql.la
apr_dbd_pgsql.so
apr_ldap-1.so
apr_ldap.a
apr_ldap.la
apr_ldap.so

The apr_ldap* files are apr-util's LDAP support; their presence is what the apr-util rebuild was for.

==========================================================
INSTALL ADLDAP
==========================================================

Install adLDAP:

cd $HOME
tar -xzvf adLDAP_3.3.1.zip
...
cd /usr/local/apache/htdocs/
mkdir ldap
cd ldap
cp $HOME/adLDAP_3.3.1/adLDAP.php .

Modify the following lines in adLDAP.php (shown with the line numbers):

64  * The account suffix for your domain, can be set when the class is invoked
65  *
66  * @var string
67  */
68 protected $_account_suffix = "@corp.bs.com";
69
70 /**
71  * The base dn for your domain
72  *
73  * @var string
74  */
75 protected $_base_dn = "DC=corp,DC=bs,DC=com";
76
77 /**
78  * Array of domain controllers. Specify multiple controllers if you
79  * would like the class to balance the LDAP queries amongst multiple servers
80  *
81  * @var array
82  */
83 protected $_domain_controllers = array ("usinddc01.corp.bs.com");

==========================================================
CREATE A TEST FILE
==========================================================

Create a test file named test.php in /usr/local/apache/htdocs/ldap:

//----------------------------------------------------
<?php
//error_reporting(E_ALL ^ E_NOTICE);
include ("adLDAP.php");

// No overrides: the defaults are the values edited into adLDAP.php above
$options = array();
try {
    $adldap = new adLDAP($options);
} catch (adLDAPException $e) {
    echo $e;
    exit();
}
//var_dump($adldap);

$username = "bpatridge";
$password = "myP@ssw0rd";
$authUser = $adldap->authenticate($username, $password);
if ($authUser == true) {
    echo "User authenticated successfully";
} else {
    echo "User authentication unsuccessful";
}
exit;
?>
//----------------------------------------------------

==========================================================
VERIFY CONNECTION TO THE ACTIVE DIRECTORY SERVER
==========================================================

Verify connectivity to usinddc01.corp.bs.com:

# ping -s usinddc01.corp.hds.com
PING usinddc01.corp.hds.com: 56 data bytes
64 bytes from usinddc01.corp.bs.com (10.74.12.6): icmp_seq=0. time=0.642 ms
64 bytes from usinddc01.corp.bs.com (10.74.12.6): icmp_seq=1. time=0.471 ms
64 bytes from usinddc01.corp.bs.com (10.74.12.6): icmp_seq=2. time=0.592 ms
64 bytes from usinddc01.corp.bs.com (10.74.12.6): icmp_seq=3. time=0.438 ms

==========================================================
VERIFY CONNECTIVITY TO THE LDAP PORT ON THE ACTIVE DIRECTORY SERVER
==========================================================

Verify connectivity to the LDAP port on the DC. A common alternative method of securing LDAP communication is an SSL tunnel. ... The default port for LDAP over SSL is 636.

# telnet usinddc01.corp.bs.com 389
Trying 10.74.12.6...
Connected to usinddc01.corp.bs.com.
Escape character is '^]'.
^]

==========================================================
VERIFY YOU ARE USING THE CORRECT PHP BINARY
==========================================================

Verify the PHP binary is in /usr/local/apache/bin:

# which php
/usr/local/apache/bin/php

==========================================================
TEST THE NEWLY CREATED TEST FILE
==========================================================

Test the newly created test.php file:

# php test.php
User authenticated successfully

==========================================================
VERIFY IT DOES NOT WORK
==========================================================

Verify you aren't being scammed and are in fact authenticating with LDAP by using an invalid user. Edit test.php

FROM:
$username = "bpatridge";
$password = "myP@ssw0rd";

TO:
$username = "wylecoyote";
$password = "myP@ssw0rd";

Then re-test:

# php test.php
User authentication unsuccessful

==========================================================
PULL BACK EXTENDED INFORMATION USING ADLDAP
==========================================================

At this point you are able to take advantage of the extended options in adLDAP, such as pulling back group information. Here is another small test script that will pull back group information and distribution list data, assuming the user belongs to group CORP-TRC:

//----------------------------------------------------
<?php
error_reporting(E_ALL ^ E_NOTICE);
include ("adLDAP.php");

$options = array();
try {
    $adldap = new adLDAP($options);
} catch (adLDAPException $e) {
    echo $e;
    exit();
}

$username = "bpatridge";
$password = "myP@ssw0rd";
$authUser = $adldap->authenticate($username, $password);
if ($authUser == true) {
    echo "User authenticated successfully";
} else {
    echo "User authentication unsuccessful";
}
echo "\n";

// Is the user a member of CORP-TRC? (true/false; use it to gate access in a front-end)
$inGroup = $adldap->user_ingroup($username, "CORP-TRC");

// Retrieve the groups the user is a `memberof`
$userGroups = $adldap->user_groups($username);
print_r($userGroups);

// Loop through the groups and normalise the names
$groups = array();
foreach ($userGroups as $group) {
    // extract the group name from a DN-style string (everything before the first comma);
    // plain names, as returned above, are kept whole
    $comma = stripos($group, ",");
    $temp  = ($comma !== false) ? substr($group, 0, $comma) : $group;
    // strip the CN= and change to lowercase for easy handling
    $temp = strtolower(str_replace("CN=", "", $temp));
    echo "{$temp}<br />";   // print out the group's name
    $groups[] = $temp;
}

// Retrieve information about a group
$groupInfo = $adldap->group_info("GSO-TRC");
echo "\n";
print_r($groupInfo);
?>
//----------------------------------------------------

php test.php will show something similar to the following:

User authenticated successfully
Array
(
    [0] => HCMT
    [1] => Default Route Change Communications
    [2] => LCSusers
    [3] => JDBC Staff
    [4] => CORP DocControl
    [5] => CORP Software
    [6] => TUC Feedback
    .....
Array
(
    [count] => 1
    [0] => Array
        (
            [cn] => Array
                (
                    [count] => 1
                    [0] => GSO-TRC
                )
            [0] => cn
            [member] => Array
                (
                    [count] => 84
                    [0] => CN=Erwin van Londen,OU=Melbourne,OU=USERS,OU=AU,OU=APIA,DC=corp,DC=bss,DC=com
                    [1] => CN=Ken Booth,OU=Sydney,OU=UK,OU=EMEA,DC=corp,DC=bss,DC=com
                    [2] => CN=Javier Jazo,OU=USERS,OU=SAN,OU=AMER,DC=corp,DC=bss,DC=com
                    ......
            [1] => member
            [distinguishedname] => Array
                (
                    [count] => 1
                    [0] => CN=CORP-TRC,OU=DLists,OU=ADC,DC=corp,DC=bss,DC=com
                )
            [2] => distinguishedname
            [memberof] => Array
                (
                    [count] => 1
                    [0] => CN=CORP-All,OU=DLists,OU=ADC,DC=corp,DC=bss,DC=com
                )

==========================================================
CONCLUSION
==========================================================

Although this is a very complex procedure, you can now see it is easy to create a front-end form which passes the $username and $password variables to adLDAP and thus authenticates with AD.
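The front-end form the conclusion describes, as an added example that is neither the article's code nor adLDAP's: a login handler that validates the submitted credentials before they reach adLDAP, refuses an empty password (ldap_bind() with a DN and an empty password is an unauthenticated bind, which Active Directory answers with success), escapes any value that is placed into an LDAP search filter, gates access on membership in a group as user_ingroup() above does, and returns the same generic failure whatever the cause. The domain names, the required group name, the landing page, the username pattern and the 'use_tls' option name are assumptions and placeholders.

```php
<?php
// login.php: added example of the front-end handler the conclusion mentions.
// Assumes adLDAP 3.3.1 is installed beside this file and that its constructor
// accepts a 'use_tls' option (an assumption about that version; check adLDAP.php).
require_once 'adLDAP.php';

// Constructed placeholder configuration; keep real values out of web-served files.
$ADLDAP_OPTIONS = array(
    'account_suffix'     => '@corp.example',
    'base_dn'            => 'DC=corp,DC=example',
    'domain_controllers' => array('dc01.corp.example'),
    'use_tls'            => true,   // StartTLS on 389 so the bind password is not sent in clear
);
$REQUIRED_GROUP = 'CORP-TRC';       // placeholder: group a user must belong to

// Escape a value for use inside an LDAP search filter (RFC 4515). PHP 5.6 added
// ldap_escape(); the PHP 5.3.3 in this article has none, so it is done by hand.
function ldap_filter_escape($value)
{
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\x00" => '\00');
    return strtr($value, $map);
}

// Shape check before anything is sent to the DC. The username pattern is an
// assumed local policy (sAMAccountName-like, no DN/filter metacharacters).
// An empty password is refused: ldap_bind() would turn it into an unauthenticated
// bind that Active Directory reports as successful.
function credentials_well_formed($username, $password)
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    if ($password === '' || strlen($password) > 256) {
        return false;
    }
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username);
}

// Authenticate and authorise; returns true/false only, the reason stays server-side.
function ad_login($username, $password, array $options, $requiredGroup)
{
    if (!credentials_well_formed($username, $password)) {
        return false;
    }
    try {
        $adldap = new adLDAP($options);
        if ($adldap->authenticate($username, $password) !== true) {
            return false;
        }
        // user_ingroup() builds a search filter from the name, so escape it here.
        return $adldap->user_ingroup(ldap_filter_escape($username), $requiredGroup) === true;
    } catch (adLDAPException $e) {
        error_log('adLDAP error for user ' . $username . ': ' . $e->getMessage());
        return false;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';
    $from = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';

    session_start();
    if (ad_login($user, $pass, $ADLDAP_OPTIONS, $REQUIRED_GROUP)) {
        session_regenerate_id(true);          // fresh session id after the privilege change
        $_SESSION['user'] = $user;
        error_log('login ok: ' . $user . ' from ' . $from);
        header('Location: /ldap/home.php');   // placeholder landing page
        exit;
    }
    // One message for unknown user, wrong password, wrong group or DC failure:
    // nothing here lets a caller tell valid accounts from invalid ones.
    error_log('login failed: ' . $user . ' from ' . $from);
    header('HTTP/1.1 401 Unauthorized');
    echo 'Login failed';
    exit;
}
?>
<form method="post" action="">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="submit" value="Log in">
</form>
```

The password is passed straight through to authenticate() and never logged; the username is logged so failed attempts can be correlated in php_error.log alongside the ldap_bind() warnings seen in the troubleshooting section.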