Bug 42427 - openldap-2.1.26 ebuild is messy/broken
Summary: openldap-2.1.26 ebuild is messy/broken
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: Robin Johnson
Reported: 2004-02-21 16:24 UTC by paul
Modified: 2004-04-28 15:17 UTC
Attachments
ebuild for 2.1.30 (openldap-2.1.30.ebuild, 7.21 KB, text/plain) - 2004-04-26 07:21 UTC, paul
diff against 2.1.27-r1 (openldap-2.1.27.r1-2.1.30.patch, 1.54 KB, text/plain) - 2004-04-26 07:22 UTC, paul
fixed db4 patch (openldap-2.1.30-db40.patch, 718 bytes, text/plain) - 2004-04-26 07:23 UTC, paul

Description paul 2004-02-21 16:24:47 UTC
1.) What's that? "samba? ( >=dev-libs/openssl-0.9.6 )"
2.) cyrus-sasl-2.1.7 is very outdated; it is best to keep OL and SASL on par.
3.) The MIT kerberos libraries have proven not to be thread safe with OL; it is recommended to use heimdal instead.
4.) --enable-cyrus-sasl and --with-spasswd are quite different things.
5.) There is no --with-kerberos and the --enable-kpasswd option is gone. Neither spasswd nor kpasswd should be enabled per default; they tend to be major security issues.

6.) I doubt that samba will benefit from --with-lmpasswd in any way.
7.) disabling the testsuite is not a good idea.

Reproducible: Always
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-02-22 05:35:32 UTC
I'll only comment on items #1 and #6 here for now.
I explicitly added them after checking how ldap does its lanman/ntlm hashing. It uses the routines as supplied with OpenSSL, not those from samba or any of its own. I've got ntlm hashes in a database that samba backends against serving up a windows network, and it breaks if --with-lmpassword is left out.

For the rest of your changes, I don't use SASL or kerberos at all, so if it's broken, this is the first I've heard of it, as I've merely integrated things that other people have said work for them (and they've confirmed the ebuild worked at various points). If you have a fix for the ebuild, please attach a patch; it will be taken in and I'll ask the other people that use those features to test it before it gets put into the mainstream.
Comment 2 paul 2004-02-23 03:26:43 UTC
Thanks for the info, I just thought about the "usual" way to use ldap with samba. For the other points: probably I'm just concerned about misleading USE flags, i.e. if one puts kerberos in USE one would expect to have the service/package kerberized, but that's not what --enable-kpasswd does. Basically it opens your KDC by enabling users to auth with their kerberos *cleartext* pw against the LDAP server (same for spasswd). Maybe a local flag like "legacy" should be used for that. I'll look into this...
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-04-25 15:21:46 UTC
Any update on this?
Comment 4 paul 2004-04-26 07:21:57 UTC
Created attachment 30082 [details]
ebuild for 2.1.30
Comment 5 paul 2004-04-26 07:22:42 UTC
Created attachment 30083 [details]
diff against 2.1.27-r1
Comment 6 paul 2004-04-26 07:23:18 UTC
Created attachment 30084 [details]
fixed db4 patch
Comment 7 paul 2004-04-26 07:23:46 UTC
These are mostly political issues, but technical reasons first:

1. --enable-kpasswd is gone in the current "stable" release 2.1.30; it was deprecated and will be left unmaintained. If it is desired to access kerberos through cleartext binds, it could be done with --enable-spasswd and have something like {SASL}principal@REALM in "userPassword", then configure slapd to use saslauthd with kerberos5.

OpenLDAP => SASL (PLAIN, saslauthd) => kerberos5

I'd leave `use_enable sasl --enable-spasswd` for now to avoid using yet another new useflag.

2. There is no direct dependency on kerberos. Openldap uses kerberos5 through SASL/GSSAPI.

3. I'd really like to see the testsuite used, as it will show problems at compile time and prevent people from running into subtle issues later on.

Attached is the ebuild I'm using for 2.1.30 and a diff against 2.1.27-r1; the db4 patch needed fixed paths. It runs fine for me including all tests.
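The complaint in items 4 and 5 of the description and in comment 7 is that USE flags in the ebuild map onto configure options whose security effect is not obvious (--enable-spasswd passes bind passwords through to SASL, --enable-kpasswd is gone in 2.1.30, --with-kerberos does not exist). The following is an added example, not code from the bug or from the attached ebuild: a small Python lint that expands Gentoo's use_enable/use_with helpers for a given USE set and reports which of the options called out in this thread would actually reach ./configure. The option table and the src_compile fragment are constructed for illustration and are not the real openldap-2.1.30.ebuild.

```python
import re

# Configure options this bug thread calls out, with the reason the thread gives.
# Table constructed from the bug discussion; it is not part of any ebuild.
FLAGGED_OPTIONS = {
    "--enable-kpasswd": "removed in 2.1.30, deprecated and unmaintained (comment 7)",
    "--enable-spasswd": "passes cleartext bind passwords through to SASL; "
                        "should not be enabled by default (item 5, comment 2)",
    "--with-kerberos": "no such configure option; kerberos5 is reached via "
                       "SASL/GSSAPI (item 5, comment 7)",
}

# $(use_enable FLAG [OPT]) / $(use_with FLAG [OPT]) as written in ebuilds
USE_HELPER = re.compile(r"\$\((use_enable|use_with)\s+([^\s)]+)(?:\s+([^\s)]+))?\)")


def expand_use_helpers(line, use_flags):
    """Model Gentoo's use_enable/use_with helpers for one ebuild line.

    $(use_enable FLAG [OPT]) becomes --enable-OPT when FLAG is in USE and
    --disable-OPT otherwise; use_with maps to --with-/--without-.
    OPT defaults to FLAG when omitted, as the real helpers do.
    """
    def repl(m):
        helper, flag, opt = m.group(1), m.group(2), m.group(3) or m.group(2)
        on = flag in use_flags
        if helper == "use_enable":
            return ("--enable-" if on else "--disable-") + opt
        return ("--with-" if on else "--without-") + opt
    return USE_HELPER.sub(repl, line)


def audit_ebuild(text, use_flags):
    """Return (line number, option, reason) for every flagged configure option
    that would actually be passed to ./configure under the given USE flags."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        expanded = expand_use_helpers(raw, use_flags)
        for opt, why in FLAGGED_OPTIONS.items():
            # anchor on the option name so --enable-spasswd does not match
            # --enable-spasswd-foo or similar
            if re.search(re.escape(opt) + r"(?![\w-])", expanded):
                findings.append((lineno, opt, why))
    return findings


# Constructed src_compile fragment in the style of a 2.1.x openldap ebuild;
# it is not the real ebuild from the bug's attachment.
SAMPLE_EBUILD = """\
# constructed example, not the attached openldap-2.1.30.ebuild
src_compile() {
    econf \\
        $(use_enable sasl cyrus-sasl) \\
        $(use_enable sasl spasswd) \\
        --enable-kpasswd \\
        --with-kerberos \\
        $(use_with samba lmpasswd) \\
        || die "econf failed"
    emake || die "emake failed"
}
"""


if __name__ == "__main__":
    # with USE=sasl the spasswd option is enabled; without it, it is not,
    # while the two hard-coded options are flagged either way
    for use in ({"sasl", "samba"}, set()):
        print(f"USE={sorted(use)}")
        for lineno, opt, why in audit_ebuild(SAMPLE_EBUILD, use):
            print(f"  line {lineno}: {opt}: {why}")
```

Running the script with USE=sasl flags three lines (spasswd, kpasswd, with-kerberos); with an empty USE set only the two hard-coded options remain, which is exactly the distinction comment 2 draws between a USE flag the user chose and a configure option that silently changes how binds are authenticated.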
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-04-28 15:17:21 UTC
In CVS now.