Bug 601342

Summary: net-nds/openldap USE=kerberos with app-crypt/heimdal compile fails
Product: Gentoo Linux
Component: Current packages
Reporter: Spooky Ghost <spookyghost>
Assignee: Gentoo LDAP project <ldap-bugs>
Status: UNCONFIRMED ---
Severity: normal
Priority: Normal
CC: galtgendo, Hloupy.Honza, ldap-bugs, mrpoole, pacho, stijn+gentoo
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: openldap-2.4.40-heimdal.patch

Description Spooky Ghost 2016-12-01 13:53:11 UTC
The contrib kinit module only supports mit-krb5 and breaks the build if the system kerberos library is heimdal:

 * Compiling contrib-module: kinit
libtool: compile:  x86_64-pc-linux-gnu-gcc -DSLAPD_OVER_KINIT=SLAPD_MOD_DYNAMIC -I/var/tmp/portage/net-nds/openldap-2.4.43/work/openldap-2.4.43-abi_x86_64.amd64/include -I../../../include -I../../../servers/slapd -march=amdfam10 -O3 -pipe -c kinit.c  -fPIC -DPIC -o .libs/kinit.o
kinit.c:28:23: fatal error: krb5/krb5.h: No such file or directory
 #include <krb5/krb5.h>
                       ^
compilation terminated.
 * ERROR: net-nds/openldap-2.4.43::gentoo failed (compile phase):
 *   compiling kinit failed
 * 
 * Call stack:
 *     ebuild.sh, line  115:  Called src_compile
 *   environment, line 4844:  Called multilib-minimal_src_compile
 *   environment, line 3587:  Called multilib_foreach_abi 'multilib-minimal_abi_src_compile'
 *   environment, line 3818:  Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_compile'
 *   environment, line 3522:  Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_compile'
 *   environment, line 3520:  Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_compile'
 *   environment, line  748:  Called multilib-minimal_abi_src_compile
 *   environment, line 3581:  Called multilib_src_compile
 *   environment, line 4061:  Called build_contrib_module 'kinit' 'kinit.c' 'kinit'
 *   environment, line  998:  Called die
 * The specific snippet of code:
 *       "${lt}" --mode=compile --tag=CC "${CC}" -D${define_name}=SLAPD_MOD_DYNAMIC -I"${BUILD_DIR}"/include -I../../../include -I../../../servers/slapd ${CFLAGS} -o ${2%.c}.lo -c $2 || die "compiling $3 failed";
 * 
 * If you need support, post the output of `emerge --info '=net-nds/openldap-2.4.43::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=net-nds/openldap-2.4.43::gentoo'`.
 * The complete build log is located at '/var/log/portage/net-nds:openldap-2.4.43:20161201-115937.log'.
 * For convenience, a symlink to the build log is located at '/var/tmp/portage/net-nds/openldap-2.4.43/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-nds/openldap-2.4.43/temp/environment'.
 * Working directory: '/var/tmp/portage/net-nds/openldap-2.4.43/work/openldap-2.4.43/contrib/slapd-modules/kinit'
 * S: '/var/tmp/portage/net-nds/openldap-2.4.43/work/openldap-2.4.43'

Commenting build_contrib_module "kinit" "kinit.c" "kinit" in the ebuild allows the package to compile.  Ideally this module should have an if condition which checks that mit-krb5 is providing the kerberos library.
Comment 1 Chris White 2016-12-02 04:10:53 UTC
I've done a good deal of research and `=net-nds/openldap-2.4.43` is simply not compatible with heimdal. While there is an actual krb5.h file in /usr/include for heimdal, the defined structures are incompatible with what openldap is expecting. This needs to be switched from a depend on virtual/krb5 to a depend specifically on app-crypt/mit-krb5.
Comment 2 Spooky Ghost 2016-12-02 08:35:47 UTC
The rest of the build passes and I can authenticate with kerberos, e.g.

ldapsearch -Y GSSAPI

returns correctly and I have an ldap service ticket after.  I don't know if that is simply the SASL layer doing all the work though.

Also looking at the README for the smbk5pwd module that states:

"The Kerberos support is written for Heimdal using its hdb-ldap backend."

so I think there is a bit of a mix of supported kerberos libraries.  The passwd module pw-kerberos builds with heimdal.

So for me at least it is only the kinit module which fails with heimdal and other kerberos components are fine.  Changing from virtual/krb5 to mit-krb5 will break the components which do work.
Comment 3 Honza Macháček 2017-07-13 12:42:21 UTC
Created attachment 483974 [details, diff]
openldap-2.4.40-heimdal.patch

A patch to compile >=net-nds/openldap-2.4.40 with kerberos support and heimdal. Not tested with mit-krb5, applied conditionally on has-version app-crypt/heimdal.
Comment 4 Honza Macháček 2017-07-13 12:44:01 UTC
(In reply to Chris White from comment #1)
> I've done a good deal of research and `=net-nds/openldap-2.4.43` is simply
> not compatible with heimdal.

That is probably wrong.

I have not done extensive testing, but I compile net-nds/openldap with kerberos support and heimdal. Since about version 2.4.40 I only have to use a small patch.
Comment 5 Pacho Ramos gentoo-dev 2019-11-10 16:04:54 UTC
Still valid with 2.4.48?