The openldap ebuild goes through great lengths to manually build a lot of the contrib modules.
This in fact leads to all of those modules being miscompiled and unusable.
In encountered this while trying to use pbkdf2/sha2, but on closer inspection, it affects almost all contrib modules.
The ebuild manually calls libtool to build each module individually, while the correct way would be to just use the Makefile.
A theory for this: Until 2.4.34, those contrib modules were actually missing Makefiles, but they were in turn added in 2.4.34, which was released in 2013. It seems like the ebuild was never updated for this, and somewhere in between things broke.
It kind of baffles me that so far nobody has noticed that a lot of those modules are broken.
To verify if a module is broken or not, one can use ldd on them.
If there are no other libraries then the few default ones, it's broken.
Specifically, liblber-2.4.so.2 should be in there for each and every module. The broken ones are missing it. And all other of their dependencies.
I only tested this on 2.4.45, but I suspect it affects all versions currently in the tree.
Created attachment 481768 [details, diff]
patch for openldap-2.4.45.ebuild
This changes the ebuild to just call the Makefile instead of building manually.
Produces intact and working modules for me.
Created attachment 481770 [details]
fixed ebuild with above patch applied
I can confirm this fix works for pw-kerberos.so, and I talked to Tim on IRC.
However I'm battling trying to "just use the Makefile" to get smbkrb5pwd working (the mit-krb5 / github variant) by just building in the slapd-modules directory.
It compiles but has the same, dyanmic linking issues (file not found), that pw-kerberos was previously getting.
Dynamic modules may have to have some defines added to the compiler command line, as the original gentoo ebuild used.
If I get it working I'll patch this ebuild to support smbkrb5pwd in addition to "smbk5pwd" (included in the contrib directory). The use flag is already using "smbkrb5pwd", so the ebuild will have to check if Mit or Heimdial is installed and compile the appropriate module if the "smbkrb5pwd" use flag is enabled.
Created attachment 483004 [details]
sample Makefile to build https://github.com/opinsys/smbkrb5pwd in tree
This is the Makefile I had to use to build the mit-krb5 flavored smbkrb5pwd from github. Not many people want to use hemidal on gentoo, because you nfs-utils and other key components loose kerberos support, which kind of defeats the purpose of having a kdc, if half of your main clients can't use it's client libs.
The module was built in tree. I added the pull request #12 for preserving sasl identities too.
To integrate this into the ebuild, there would have to be some checks to see if gnutls or openssl is used, and possibly execute /usr/bin/krb5-config to get the libraries.
Adding this feature would be a nice edition to the ebuild. Something for me to do on a rainy day, or anyone else with free time.
You also have to patch the keytab location. See: