app-admin/sudo-1.8.20_p1[ldap] compiles and works well without sasl. In this case the LDAP plugin uses simple authentication in place of SASL authentication.

plugins/sudoers/ldap.c:

    #ifdef HAVE_LDAP_SASL_BIND_S
        {
            struct berval bv;

            bv.bv_val = ldap_conf.bindpw ? ldap_conf.bindpw : "";
            bv.bv_len = strlen(bv.bv_val);

            ret = ldap_sasl_bind_s(ld, ldap_conf.binddn, LDAP_SASL_SIMPLE, &bv,
                NULL, NULL, NULL);
            if (ret != LDAP_SUCCESS) {
                sudo_warnx("ldap_sasl_bind_s(): %s", ldap_err2string(ret));
                goto done;
            }
            DPRINTF1("ldap_sasl_bind_s() ok");
        }
    #else
        {
            ret = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw);
            if (ret != LDAP_SUCCESS) {
                sudo_warnx("ldap_simple_bind_s(): %s", ldap_err2string(ret));
                goto done;
            }
            DPRINTF1("ldap_simple_bind_s() ok");
        }
    #endif

Reproducible: Always

--- a/app-admin/sudo/sudo-1.8.20_p1.ebuild +++ b/app-admin/sudo/sudo-1.8.20_p1.ebuild @@ -25,7 +25,7 @@ if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~sparc-solaris" fi -IUSE="gcrypt ldap nls pam offensive openssl selinux skey +sendmail" +IUSE="gcrypt ldap nls pam offensive openssl sasl selinux skey +sendmail" CDEPEND=" gcrypt? ( dev-libs/libgcrypt:= ) @@ -34,7 +34,7 @@ skey? ( >=sys-auth/skey-1.1.5-r1 ) ldap? ( >=net-nds/openldap-2.1.30-r1 - dev-libs/cyrus-sasl + sasl? ( dev-libs/cyrus-sasl ) ) sys-libs/zlib "
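Review bot: the IUSE hunk adds a `sasl` flag that nothing in the patch wires into the build: no `--with`/`--without` option is passed to configure, so with USE=-sasl and cyrus-sasl already installed, configure still autodetects and links it. The flag then only changes the dependency, not the resulting binary. Until configure.ac gains a switch, either keep the unconditional dependency or carry a configure.ac patch and pair the flag with `$(use_with sasl)` in src_configure.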
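Review bot: in the CDEPEND hunk, `sasl? ( dev-libs/cyrus-sasl )` covers sudo's own link against cyrus-sasl but says nothing about libldap, and `ldap_sasl_interactive_bind_s()` needs an openldap built with SASL support; otherwise a `use_sasl` configuration fails at runtime with "Not Supported". Put `net-nds/openldap[sasl]` under the same conditional so the USE dependency is enforced at build time.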
Sorry, but your proposed change would leave cyrus-sasl being an automagic dep, which is very bad (see [1]). Unfortunately the configure.ac file does not provide a switch to explicitly en-/disable cyrus-sasl support for ldap functionality, so right now we have to force-enable sasl support in order to get a reasonably working package.

I understand your request and I'm sorry for not being able to provide a satisfying solution yet. If you want to help further in fixing this issue you could contact upstream and request some "--enable-sasl" configure switch. An official fix is always the preferred method and, to be honest, I cannot tell when I'll have the time to look into the configure.ac file to work on a solution.

I'm going to leave this bug open in case someone else provides a patch.

[1] https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Automagic_dependencies
Thank you, Lars. I posted a configure.ac patch upstream: https://bugzilla.sudo.ws/show_bug.cgi?id=788

The current automagic is not so bad since sasl is not linked into sudoers.so. But the current sudo ebuild is not perfect. If the net-nds/openldap library is compiled without sasl support, sudo (with a sasl ldap configuration) gets a runtime error:

    sudo: ldap_sasl_interactive_bind_s(): Not Supported

Fix:

--- a/app-admin/sudo/sudo-1.8.20_p1.ebuild +++ b/app-admin/sudo/sudo-1.8.20_p1.ebuild @@ -3,7 +3,7 @@ EAPI=6 -inherit eutils pam multilib libtool +inherit autotools eutils pam multilib libtool MY_P=${P/_/} MY_P=${MY_P/beta/b} @@ -25,7 +25,7 @@ if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~sparc-solaris" fi -IUSE="gcrypt ldap nls pam offensive openssl selinux skey +sendmail" +IUSE="gcrypt ldap nls pam offensive openssl sasl selinux skey +sendmail" CDEPEND=" gcrypt? ( dev-libs/libgcrypt:= ) @@ -34,7 +34,10 @@ skey? ( >=sys-auth/skey-1.1.5-r1 ) ldap? ( >=net-nds/openldap-2.1.30-r1 - dev-libs/cyrus-sasl + sasl? ( + dev-libs/cyrus-sasl + net-nds/openldap[sasl] + ) ) sys-libs/zlib " @@ -62,9 +65,15 @@ MAKEOPTS+=" SAMPLES=" +PATCHES=( + "${FILESDIR}"/${PN}-1.8.20_p1-sasl-disable.patch + ) + src_prepare() { default - elibtoolize + # patch needs autoreconf, so dont need libtoolize + eautoreconf + #elibtoolize } set_rootpath() { @@ -134,6 +143,7 @@ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) $(use_with ldap) $(use_with pam) + $(use_with sasl) $(use_with skey) $(use_with selinux) $(use_with sendmail) 
@@ -149,14 +159,25 @@ dosbin plugins/sudoers/sudoers2ldif cat <<-EOF > "${T}"/ldap.conf.sudo - # See ldap.conf(5) and README.LDAP for details + # See sudoers.ldap(5) and README.LDAP for details # This file should only be readable by root # supported directives: host, port, ssl, ldap_version # uri, binddn, bindpw, sudoers_base, sudoers_debug - # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key} + # bind_timelimit, timelimit, timeout, deref + # rootbinddn, sudoers_timed, sudoers_search_filter + # netgroup_base, netgroup_search_filter + # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key,keypw} EOF + if use sasl ; then + cat <<-EOF >> "${T}"/ldap.conf.sudo + + # SASL directives: use_sasl, sasl_mech, sasl_auth_id + # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname + EOF + fi + insinto /etc doins "${T}"/ldap.conf.sudo fperms 0440 /etc/ldap.conf.sudo
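Review bot: in the src_prepare hunk, `#elibtoolize` is left behind as a commented-out line next to a comment explaining why it is no longer called; delete the dead line instead of commenting it out (the `# patch needs autoreconf` comment already documents the reason, and "dont need" should read "no need for"). The `PATCHES=( ... )` array is otherwise fine for EAPI=6 since `default` applies it.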
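Review bot: `$(use_with sasl)` in the src_configure hunk emits `--with-sasl`/`--without-sasl`, which matches the `--without-sasl` option the FILESDIR configure.ac patch adds, but not the `--enable-sasl`/`--disable-sasl` switch upstream committed for 1.8.21. When the ebuild switches to the upstream option this line has to become `$(use_enable sasl)`, otherwise configure would not act on the flag and SASL support would silently revert to autodetection.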
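Review bot: in the ldap.conf.sudo hunk, the `if use sasl` block appends its directives with a second `cat <<-EOF`; `<<-` strips leading tabs only, so the body lines and the closing `EOF` inside the `if` must be indented with tabs rather than spaces, or the terminator is not recognised and the heredoc swallows the rest of src_install. Since the SASL directives are only documented when USE=sasl, the header comment could also state that `use_sasl` requires the sasl USE flag, so a user who sets it on a USE=-sasl build understands why the bind is rejected.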
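The template above documents both bind styles for /etc/ldap.conf.sudo (binddn/bindpw for simple bind, use_sasl and friends for SASL) and installs the file 0440 because bindpw lives in it. As an added example that is not part of this bug report or the sudo ebuild, the script below tells the two modes apart and flags the simple-bind settings that matter in practice: a bindpw readable beyond root, or one sent over plain ldap:// without ssl/start_tls. Directive names follow sudoers.ldap(5); the checks, the GNU `stat` assumption and the three sample configs are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or the sudo ebuild): tell the two bind modes of
# /etc/ldap.conf.sudo apart (simple bind with binddn/bindpw vs. use_sasl) and flag what
# matters for simple bind: bindpw readable beyond root, or sent over plain ldap://.
# Directive names follow sudoers.ldap(5); checks are mine. Assumes GNU stat (Linux).

# Print the value of directive $2 in file $1 (first match; empty when unset).
ldap_conf_get() { sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1; }

# Print "sasl" when use_sasl is enabled, otherwise "simple".
sudo_ldap_bind_mode() {
    case $(ldap_conf_get "$1" use_sasl | tr '[:upper:]' '[:lower:]') in
        on|yes|true) echo sasl ;;
        *)           echo simple ;;
    esac
}
# Return 0 when the simple-bind settings look safe, else 1 with findings on stderr.
check_sudo_ldap_conf() {
    f=$1 rc=0
    [ "$(sudo_ldap_bind_mode "$f")" = simple ] || return 0  # SASL bind: bindpw unused
    [ -n "$(ldap_conf_get "$f" bindpw)" ] || return 0        # anonymous bind: nothing to leak
    # Group may at most read (0440, as the ebuild installs it); others get nothing.
    mode=$(stat -c %a "$f")
    case $mode in *[2367]?|*[1-7])
        echo "$f: mode $mode exposes bindpw beyond root" >&2; rc=1 ;;
    esac
    # Simple bind sends bindpw in the clear unless ssl on/start_tls or an ldaps:// URI is set.
    ssl=$(ldap_conf_get "$f" ssl | tr '[:upper:]' '[:lower:]')
    case $ssl in on|yes|true|start_tls) ;; *)
        case $(ldap_conf_get "$f" uri) in ldaps://*) ;; *)
            echo "$f: bindpw would be sent unencrypted (ssl='$ssl')" >&2; rc=1 ;;
        esac ;;
    esac
    return $rc
}
# Write three constructed configs into directory $1: weak (world-readable, plain
# ldap://), fixed (0440, ldaps://) and sasl (use_sasl, no bindpw at all).
make_samples() {
    base='sudoers_base ou=SUDOers,dc=example,dc=com'
    dn='binddn cn=sudo,dc=example,dc=com'
    printf '%s\n' 'uri ldap://ldap.example.com' "$dn" 'bindpw s3cret' "$base" > "$1/weak.conf"
    printf '%s\n' 'uri ldaps://ldap.example.com' "$dn" 'bindpw s3cret' "$base" > "$1/fixed.conf"
    printf '%s\n' 'uri ldap://ldap.example.com' 'use_sasl yes' 'sasl_mech GSSAPI' "$base" > "$1/sasl.conf"
    chmod 644 "$1/weak.conf"; chmod 440 "$1/fixed.conf" "$1/sasl.conf"
}
d=$(mktemp -d); make_samples "$d"   # stand-alone demo: weak.conf is reported, the rest pass
for c in weak fixed sasl; do check_sudo_ldap_conf "$d/$c.conf" && echo "$c.conf: ok"; done
rm -rf "$d"
```

Run it as root against the real file with `check_sudo_ldap_conf /etc/ldap.conf.sudo` after sourcing the script; a non-zero exit means the simple-bind credential is exposed on disk or on the wire.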
Created attachment 475002 (diff): Add --without-sasl to configure.ac
Thanks again for your work here. I did not forget about this report; I am merely waiting on upstream's input on your patch.
Committed upstream with --enable-sasl / --disable-sasl: https://www.sudo.ws/repos/sudo/rev/cf94d407d576
Sudo 1.8.21 is out now and supports --disable-sasl in configure. https://bugzilla.sudo.ws/show_bug.cgi?id=788#c2
commit 37f622e253f50f0f220356f445a3aaeb32efb078 (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Sep 4 10:38:24 2017

    app-admin/sudo: Added "sasl" USE flag (bug #620240).

    Package-Manager: Portage-2.3.8, Repoman-2.3.3