The contrib kinit module only supports mit-krb5 and breaks the build if the system kerberos library is heimdal:
 * Compiling contrib-module: kinit
libtool: compile: x86_64-pc-linux-gnu-gcc -DSLAPD_OVER_KINIT=SLAPD_MOD_DYNAMIC -I/var/tmp/portage/net-nds/openldap-2.4.43/work/openldap-2.4.43-abi_x86_64.amd64/include -I../../../include -I../../../servers/slapd -march=amdfam10 -O3 -pipe -c kinit.c -fPIC -DPIC -o .libs/kinit.o
kinit.c:28:23: fatal error: krb5/krb5.h: No such file or directory
 #include <krb5/krb5.h>
                       ^
compilation terminated.
 * ERROR: net-nds/openldap-2.4.43::gentoo failed (compile phase):
 *   compiling kinit failed
 *
 * Call stack:
 *   ebuild.sh, line 115: Called src_compile
 *   environment, line 4844: Called multilib-minimal_src_compile
 *   environment, line 3587: Called multilib_foreach_abi 'multilib-minimal_abi_src_compile'
 *   environment, line 3818: Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_compile'
 *   environment, line 3522: Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_compile'
 *   environment, line 3520: Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_compile'
 *   environment, line 748: Called multilib-minimal_abi_src_compile
 *   environment, line 3581: Called multilib_src_compile
 *   environment, line 4061: Called build_contrib_module 'kinit' 'kinit.c' 'kinit'
 *   environment, line 998: Called die
 * The specific snippet of code:
 *   "${lt}" --mode=compile --tag=CC "${CC}" -D${define_name}=SLAPD_MOD_DYNAMIC -I"${BUILD_DIR}"/include -I../../../include -I../../../servers/slapd ${CFLAGS} -o ${2%.c}.lo -c $2 || die "compiling $3 failed";
 *
 * If you need support, post the output of `emerge --info '=net-nds/openldap-2.4.43::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=net-nds/openldap-2.4.43::gentoo'`.
 * The complete build log is located at '/var/log/portage/net-nds:openldap-2.4.43:20161201-115937.log'.
 * For convenience, a symlink to the build log is located at '/var/tmp/portage/net-nds/openldap-2.4.43/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-nds/openldap-2.4.43/temp/environment'.
 * Working directory: '/var/tmp/portage/net-nds/openldap-2.4.43/work/openldap-2.4.43/contrib/slapd-modules/kinit'
 * S: '/var/tmp/portage/net-nds/openldap-2.4.43/work/openldap-2.4.43'
Commenting out build_contrib_module "kinit" "kinit.c" "kinit" in the ebuild allows the package to compile. Ideally this module should have an if condition which checks that mit-krb5 is providing the kerberos library.
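One way to express the condition asked for in the report above, as an added example that is not code from the Gentoo ebuild or from OpenLDAP: probe the include directory for the `krb5/krb5.h` header that `kinit.c` includes, and skip the module when only a top-level `krb5.h` is present. The function names `krb5_header_layout` and `should_build_kinit` and the throwaway include trees are assumptions made for the illustration.

```shell
# Added illustration; helper names are hypothetical, not part of the ebuild.

# Classify the Kerberos headers found under an include directory.
# kinit.c does '#include <krb5/krb5.h>'; the build log shows that header is
# missing when heimdal provides the library, although krb5.h itself exists.
krb5_header_layout() {
    incdir=$1
    if [ -f "$incdir/krb5/krb5.h" ]; then
        echo mit-layout        # header kinit.c needs is present
    elif [ -f "$incdir/krb5.h" ]; then
        echo krb5-h-only       # e.g. the heimdal case from the report
    else
        echo none              # no Kerberos headers at all
    fi
}

# Succeed only when the kinit contrib module can find its header.
should_build_kinit() {
    [ "$(krb5_header_layout "$1")" = mit-layout ]
}

# Constructed demo input: two temporary include trees, removed afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/mit/krb5" "$tmp/heimdal"
    : > "$tmp/mit/krb5.h"
    : > "$tmp/mit/krb5/krb5.h"
    : > "$tmp/heimdal/krb5.h"
    for tree in mit heimdal; do
        if should_build_kinit "$tmp/$tree"; then
            echo "$tree: build kinit"
        else
            echo "$tree: skip kinit ($(krb5_header_layout "$tmp/$tree"))"
        fi
    done
    rm -rf "$tmp"
}

demo
```

A header probe only answers whether `kinit.c` can compile; it says nothing about the other Kerberos-related modules, which are built separately.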
I've done a good deal of research and `=net-nds/openldap-2.4.43` is simply not compatible with heimdal. While there is an actual krb5.h file in /usr/include for heimdal, the defined structures are incompatible with what openldap is expecting. This needs to be switched from a depend on virtual/krb5 to a depend specifically on app-crypt/mit-krb5.
The rest of the build passes and I can authenticate with kerberos, e.g. ldapsearch -Y GSSAPI returns correctly and I have an ldap service ticket after. I don't know if that is simply the SASL layer doing all the work though. Also, the README for the smbk5pwd module states: "The Kerberos support is written for Heimdal using its hdb-ldap backend." so I think there is a bit of a mix of supported kerberos libraries. The passwd module pw-kerberos builds with heimdal. So for me at least it is only the kinit module which fails with heimdal and other kerberos components are fine. Changing from virtual/krb5 to mit-krb5 will break the components which do work.
Created attachment 483974: openldap-2.4.40-heimdal.patch
A patch to compile >=net-nds/openldap-2.4.40 with kerberos support and heimdal. Not tested with mit-krb5, applied conditionally on has-version app-crypt/heimdal.
(In reply to Chris White from comment #1)
> I've done a good deal of research and `=net-nds/openldap-2.4.43` is simply
> not compatible with heimdal.
That is probably wrong. I have not done extensive testing, but I compile net-nds/openldap with kerberos support and heimdal. Since about version 2.4.40 I only have to use a small patch.
Still valid with 2.4.48?