Bug 42427

Summary: openldap-2.1.26 ebuild is messy/broken
Product: Gentoo Linux
Reporter: paul <paul>
Component: [OLD] Server
Assignee: Robin Johnson <robbat2>
Status: RESOLVED FIXED
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Attachments:
  ebuild for 2.1.30
  diff against 2.1.27-r1
  fixed db4 patch

Description paul 2004-02-21 16:24:47 UTC
1.) What's that? "samba? ( >=dev-libs/openssl-0.9.6 )"
2.) cyrus-sasl-2.1.7 is very outdated; it is best to keep OL and SASL on par.
3.) The MIT kerberos libraries have proven not to be thread safe with OL; it is recommended to use heimdal instead.
4.) --enable-cyrus-sasl and --with-spasswd are quite different things.
5.) There is no --with-kerberos and the --enable-kpasswd option is gone. Neither spasswd nor kpasswd should be enabled per default; they tend to be major security issues.
6.) I doubt that samba will benefit from --with-lmpasswd in any way.
7.) Disabling the testsuite is not a good idea.

Reproducible: Always
Comment 1 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2004-02-22 05:35:32 UTC
I'll only comment on items #1 and #6 here for now.
I explicitly added them after checking how ldap does its lanman/ntlm hashing. It uses the routines as supplied with OpenSSL, not those from samba or any of its own. I've got ntlm hashes in a database that samba backends against serving up a windows network, and it breaks if --with-lmpassword is left out.

For the rest of your changes, I don't use SASL or kerberos at all, so if it's broken, this is the first I've heard of it, as I've merely integrated things that other people have said work for them (and they've confirmed the ebuild worked at various points). If you have a fix for the ebuild, please attach a patch; it will be taken in and I'll ask the other people that use those features to test it before it gets put into the mainstream.
Comment 2 paul 2004-02-23 03:26:43 UTC
Thanks for the info, I just thought about the "usual" way to use ldap with samba. For the other points: Probably I'm just concerned about misleading USE flags, i.e. if one puts kerberos in USE one would expect to have the service/package kerberized, but that's not what --enable-kpasswd does. Basically it opens your KDC by enabling users to auth with their kerberos *cleartext* pw against the LDAP server (same for spasswd). Maybe a local flag like "legacy" should be used for that. I'll look into this...
Comment 3 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2004-04-25 15:21:46 UTC
Any update on this?
Comment 4 paul 2004-04-26 07:21:57 UTC
Created attachment 30082 [details]
ebuild for 2.1.30
Comment 5 paul 2004-04-26 07:22:42 UTC
Created attachment 30083 [details]
diff against 2.1.27-r1
Comment 6 paul 2004-04-26 07:23:18 UTC
Created attachment 30084 [details]
fixed db4 patch
Comment 7 paul 2004-04-26 07:23:46 UTC
These are mostly political issues, but technical reasons first:

1. --enable-kpasswd is gone in the current "stable" release 2.1.30; it was deprecated and will be left unmaintained. If it is desired to access kerberos through cleartext binds it could be done with --enable-spasswd and have something like {SASL}principal@REALM in "userPassword", then configure slapd to use saslauthd with kerberos5.

OpenLDAP => SASL (PLAIN, saslauthd) => kerberos5

I'd leave `use_enable sasl --enable-spasswd` for now to avoid using yet another new useflag.

2. There is no direct dependency on kerberos. Openldap uses kerberos5 through SASL/GSSAPI.

3. I'd really like to see the testsuite used, as it will show problems at compile time and prevent people from running into subtle issues later on.

Attached is the ebuild I'm using for 2.1.30 and a diff against 2.1.27-r1; the db4 patch needed fixed paths. It runs fine for me including all tests.
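The bind chain described in point 1 above (OpenLDAP => SASL PLAIN via saslauthd => kerberos5), written out as configuration; this is an added illustration, not part of the bug or its attachments, and the file paths, certificate locations, the Gentoo conf.d variable name, the DN and the realm are assumptions.

```conf
# /etc/openldap/slapd.conf (assumed path); slapd built with --enable-spasswd.
# A simple bind sends the password in the clear, so require a TLS-protected
# session (ssf 128) before any bind is accepted; this is what keeps the
# Kerberos password off the wire on the way to slapd.
security              ssf=128
TLSCertificateFile    /etc/openldap/ssl/slapd.crt   # assumed path
TLSCertificateKeyFile /etc/openldap/ssl/slapd.key   # assumed path

# /etc/sasl2/slapd.conf (assumed path); libsasl2 settings for the "slapd"
# service. With {SASL} in userPassword, slapd does not compare a local hash
# but hands the bind password to saslauthd through this socket.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# /etc/conf.d/saslauthd (Gentoo; variable name assumed). saslauthd checks the
# password by requesting an initial ticket for the principal from the KDC.
SASLAUTHD_OPTS="-a kerberos5"

# LDIF for the user entry: no hash is stored, only the principal to verify
# against (uid, dc and REALM values are constructed for this example).
dn: uid=paul,ou=people,dc=example,dc=org
userPassword: {SASL}paul@EXAMPLE.ORG
```

A simple bind such as `ldapwhoami -x -ZZ -D "uid=paul,ou=people,dc=example,dc=org" -W` then succeeds only if the KDC accepts the password; with a GSSAPI bind (`ldapwhoami -Y GSSAPI`) no password reaches slapd at all, which is why point 2 treats the kerberos dependency as indirect.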
Comment 8 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2004-04-28 15:17:21 UTC
In CVS now.