Bug 624178 - net-nds/openldap-2.4.45 : misbuilds most contrib modules
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal major
Assignee: LDAP Herd
Keywords: EBUILD, PATCH
Reported: 2017-07-07 23:13 UTC by Timo Rothenpieler
Modified: 2017-07-11 17:42 UTC

Attachments
patch for openldap-2.4.45.ebuild (openldap_contrib_build.patch,6.29 KB, patch)
2017-07-07 23:49 UTC, Timo Rothenpieler
openldap-2.4.45.ebuild (openldap-2.4.45.ebuild,24.30 KB, text/plain)
2017-07-07 23:50 UTC, Timo Rothenpieler
sample Makefile to build https://github.com/opinsys/smbkrb5pwd in tree (Makefile,2.72 KB, text/plain)
2017-07-11 17:42 UTC, Luke McKee

Description Timo Rothenpieler 2017-07-07 23:13:52 UTC
The openldap ebuild goes to great lengths to manually build a lot of the contrib modules.
This in fact leads to all of those modules being miscompiled and unusable.

I encountered this while trying to use pbkdf2/sha2, but on closer inspection, it affects almost all contrib modules.

The ebuild manually calls libtool to build each module individually, while the correct way would be to just use the Makefile.

A theory for this: Until 2.4.34, those contrib modules were actually missing Makefiles, but they were in turn added in 2.4.34, which was released in 2013. It seems like the ebuild was never updated for this, and somewhere in between things broke.

It kind of baffles me that so far nobody has noticed that a lot of those modules are broken.

To verify if a module is broken or not, one can use ldd on them.
If there are no other libraries than the few default ones, it's broken.
Specifically, liblber-2.4.so.2 should be in there for each and every module. The broken ones are missing it. And all of their other dependencies.

I only tested this on 2.4.45, but I suspect it affects all versions currently in the tree.
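
The ldd check described in the report above, as an added example that is not part of the original bug report or of the ebuild. The function names, the module directory argument and the two sample ldd outputs are constructed for illustration; only the liblber-2.4.so.2 criterion comes from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): flag OpenLDAP contrib modules
# whose ldd output does not list liblber-2.4.so.2.

# Reads ldd output on stdin; succeeds only if liblber-2.4.so.2 is listed.
links_liblber() {
    grep -q 'liblber-2\.4\.so\.2'
}

# Checks every *.so in the given directory, prints one verdict per module and
# returns non-zero if any module is missing liblber.
check_module_dir() {
    dir=$1
    broken=0
    for mod in "$dir"/*.so; do
        [ -e "$mod" ] || continue
        if ldd "$mod" 2>/dev/null | links_liblber; then
            echo "OK      $mod"
        else
            echo "BROKEN  $mod"
            broken=$((broken + 1))
        fi
    done
    [ "$broken" -eq 0 ]
}

# Constructed sample: ldd output of a misbuilt module (default libraries only).
sample_broken() {
    printf '%s\n' \
        '	linux-vdso.so.1 (0x00007ffd4a5f2000)' \
        '	libc.so.6 => /lib64/libc.so.6 (0x00007f3a1c200000)' \
        '	/lib64/ld-linux-x86-64.so.2 (0x00007f3a1c7d1000)'
}

# Constructed sample: ldd output of a correctly linked module.
sample_intact() {
    printf '%s\n' \
        '	liblber-2.4.so.2 => /usr/lib64/liblber-2.4.so.2 (0x00007f51e8a00000)' \
        '	libc.so.6 => /lib64/libc.so.6 (0x00007f51e8600000)'
}

# Usage: sh check_modules.sh <module directory>   (directory is an assumption)
if [ "$#" -gt 0 ]; then
    check_module_dir "$1"
fi
```

The non-zero exit status when any module lacks liblber lets the check gate a package test phase or a post-install audit, so a silently unusable password-hashing module is caught before slapd is configured to rely on it.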
Comment 1 Timo Rothenpieler 2017-07-07 23:49:44 UTC
Created attachment 481768 [details, diff]
patch for openldap-2.4.45.ebuild

This changes the ebuild to just call the Makefile instead of building manually.
Produces intact and working modules for me.
Comment 2 Timo Rothenpieler 2017-07-07 23:50:18 UTC
Created attachment 481770 [details]
openldap-2.4.45.ebuild

fixed ebuild with above patch applied
Comment 3 Luke McKee 2017-07-11 14:18:53 UTC
I can confirm this fix works for pw-kerberos.so, and I talked to Tim on IRC.

However I'm battling trying to "just use the Makefile" to get smbkrb5pwd working (the mit-krb5 / github variant) by just building in the slapd-modules directory. 

It compiles but has the same dynamic linking issues (file not found) that pw-kerberos was previously getting.

Dynamic modules may have to have some defines added to the compiler command line, as the original gentoo ebuild used.

If I get it working I'll patch this ebuild to support smbkrb5pwd in addition to "smbk5pwd" (included in the contrib directory). The use flag is already using "smbkrb5pwd", so the ebuild will have to check if MIT or Heimdal is installed and compile the appropriate module if the "smbkrb5pwd" use flag is enabled.
Comment 4 Luke McKee 2017-07-11 17:42:09 UTC
Created attachment 483004 [details]
sample Makefile to build https://github.com/opinsys/smbkrb5pwd in tree


This is the Makefile I had to use to build the mit-krb5 flavored smbkrb5pwd from github. Not many people want to use Heimdal on Gentoo, because nfs-utils and other key components lose Kerberos support, which kind of defeats the purpose of having a KDC if half of your main clients can't use its client libs.

The module was built in tree. I added the pull request #12 for preserving sasl identities too.

To integrate this into the ebuild, there would have to be some checks to see if gnutls or openssl is used, and possibly execute /usr/bin/krb5-config to get the libraries.

Adding this feature would be a nice addition to the ebuild. Something for me to do on a rainy day, or anyone else with free time.

You also have to patch the keytab location. See:
https://github.com/opinsys/smbkrb5pwd/wiki/Compiling-on-CentOS

Luke