Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624178 - net-nds/openldap-2.4.45 : misbuilds most contrib modules
Summary: net-nds/openldap-2.4.45 : misbuilds most contrib modules
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo LDAP project
Keywords: EBUILD, PATCH, PullRequest
Depends on:
Reported: 2017-07-07 23:13 UTC by Timo Rothenpieler
Modified: 2023-01-13 13:44 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---

patch for openldap-2.4.45.ebuild (openldap_contrib_build.patch,6.29 KB, patch)
2017-07-07 23:49 UTC, Timo Rothenpieler
Details | Diff
openldap-2.4.45.ebuild (openldap-2.4.45.ebuild,24.30 KB, text/plain)
2017-07-07 23:50 UTC, Timo Rothenpieler
sample Makefile to build in tree (Makefile,2.72 KB, text/plain)
2017-07-11 17:42 UTC, Luke McKee

Note You need to log in before you can comment on or make changes to this bug.
Description Timo Rothenpieler 2017-07-07 23:13:52 UTC
The openldap ebuild goes through great lengths to manually build a lot of the contrib modules.
This in fact leads to all of those modules being miscompiled and unusable.

In encountered this while trying to use pbkdf2/sha2, but on closer inspection, it affects almost all contrib modules.

The ebuild manually calls libtool to build each module individually, while the correct way would be to just use the Makefile.

A theory for this: Until 2.4.34, those contrib modules were actually missing Makefiles, but they were in turn added in 2.4.34, which was released in 2013. It seems like the ebuild was never updated for this, and somewhere in between things broke.

It kind of baffles me that so far nobody has noticed that a lot of those modules are broken.

To verify if a module is broken or not, one can use ldd on them.
If there are no other libraries then the few default ones, it's broken.
Specifically, should be in there for each and every module. The broken ones are missing it. And all other of their dependencies.

I only tested this on 2.4.45, but I suspect it affects all versions currently in the tree.
Comment 1 Timo Rothenpieler 2017-07-07 23:49:44 UTC
Created attachment 481768 [details, diff]
patch for openldap-2.4.45.ebuild

This changes the ebuild to just call the Makefile instead of building manually.
Produces intact and working modules for me.
Comment 2 Timo Rothenpieler 2017-07-07 23:50:18 UTC
Created attachment 481770 [details]

fixed ebuild with above patch applied
Comment 3 Luke McKee 2017-07-11 14:18:53 UTC
I can confirm this fix works for, and I talked to Tim on IRC.

However I'm battling trying to "just use the Makefile" to get smbkrb5pwd working (the mit-krb5 / github variant) by just building in the slapd-modules directory. 

It compiles but has the same, dyanmic linking issues (file not found), that pw-kerberos was previously getting.

Dynamic modules may have to have some defines added to the compiler command line, as the original gentoo ebuild used.

If I get it working I'll patch this ebuild to support smbkrb5pwd in addition to "smbk5pwd" (included in the contrib directory). The use flag is already using "smbkrb5pwd", so the ebuild will have to check if Mit or Heimdial is installed and compile the appropriate module if the "smbkrb5pwd" use flag is enabled.
Comment 4 Luke McKee 2017-07-11 17:42:09 UTC
Created attachment 483004 [details]
sample Makefile to build in tree

This is the Makefile I had to use to build the mit-krb5 flavored smbkrb5pwd from github. Not many people want to use hemidal on gentoo, because you nfs-utils and other key components loose kerberos support, which kind of defeats the purpose of having a kdc, if half of your main clients can't use it's client libs.

The module was built in tree. I added the pull request #12 for preserving sasl identities too.

To integrate this into the ebuild, there would have to be some checks to see if gnutls or openssl is used, and possibly execute /usr/bin/krb5-config to get the libraries.

Adding this feature would be a nice edition to the ebuild. Something for me to do on a rainy day, or anyone else with free time.

You also have to patch the keytab location. See:

Comment 5 Pacho Ramos gentoo-dev 2019-11-10 16:08:15 UTC
what is the situation with 2.4.48?
Comment 6 Timo Rothenpieler 2021-06-19 23:08:17 UTC
I can confirm that this is indeed still an issue with 2.4.58(and likely also 2.5, given the build_contrib_module function is untouched):

# ldd /usr/lib64/openldap/openldap/ (0x00007ffff7ffe000) => /lib64/ (0x00007f9d3c48d000)
        /lib64/ (0x00007f9d3c669000)

Should look more like this:

# ldd /usr/lib64/openldap/openldap/ (0x00007fff43dfe000) => /usr/lib64/ (0x00007f8f92580000) => /lib64/ (0x00007f8f92560000) => /lib64/ (0x00007f8f92399000)
        /lib64/ (0x00007f8f925ab000)

The fix will probably also still look similar to the old patch.
Comment 7 Larry the Git Cow gentoo-dev 2022-03-19 18:07:57 UTC
The bug has been referenced in the following commit(s):

commit d12a02243969b7c715e9b639345ec8aacd925a28
Author:     Dennis Lamm <>
AuthorDate: 2022-02-05 23:24:54 +0000
Commit:     Robin H. Johnson <>
CommitDate: 2022-03-19 18:07:51 +0000

    net-nds/openldap 2.6.1 version bump
    Signed-off-by: Dennis Lamm <>
    (cherry picked from commit c2e92fe1e144e8563f753a76d9d0cba923bb8878)
    Signed-off-by: Robin H. Johnson <>

 net-nds/openldap/Manifest                          |   1 +
 net-nds/openldap/files/openldap-2.6.1-cloak.patch  |  25 +
 .../files/openldap-2.6.1-fix-missing-mapping.patch |  21 +
 net-nds/openldap/files/openldap-2.6.1-flags.patch  | 416 +++++++++++
 .../openldap/files/openldap-2.6.1-system-mdb.patch | 148 ++++
 net-nds/openldap/files/slapd-2.6.1.service         |  12 +
 net-nds/openldap/files/slapd-confd-2.6.1           |  26 +
 net-nds/openldap/metadata.xml                      |   4 +
 net-nds/openldap/openldap-2.6.1.ebuild             | 796 +++++++++++++++++++++
 9 files changed, 1449 insertions(+)