[Pkg-freeipa-devel] [Pkg-openldap-devel] Bug#725153: freeipa-server backport to Jessie?

Ryan Tandy ryan at nardis.ca
Thu Apr 16 23:32:54 UTC 2015


On Wed, Apr 15, 2015 at 06:45:39PM +0200, Holger Levsen wrote:
>to build the openldap package against libnss3-dev, one has to:
>
>- in debian/control: replace the build-dependency on libgnutls28-dev with
>libnss3-dev
>- in debian/configure.options: use --with-tls=moznss (instead of --with-tls)
>and also add the line "CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr
>LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss" somewhere.
>
>With that the build still fails with
>
>smbk5pwd.c:1073:4: warning: too many arguments for format [-Wformat-extra-
>args]
>smbk5pwd.c:968:2: warning: variable 'dummy_ad' set but not used [-Wunused-but-
>set-variable]
>  dummy_ad;
>  ^
>Makefile:50: recipe for target 'smbk5pwd.lo' failed
>make[2]: *** [smbk5pwd.lo] Error 1
>make[2]: Leaving directory './openldap-2.4.40+dfsg/contrib/slapd-
>modules/smbk5pwd'
>
>but that should be easy to work around by not building the slapd packages or
>contrib modules (as freeipa-server users won't need slapd anyway...)

The attached debdiff replaces gnutls with nss but continues building 
smbk5pwd with nettle. AFAICT the result works properly, smbk5pwd 
included.

I didn't try importing Fedora's patches, but noted that several were 
upstreamed already, and more were submitted and await review.

Looks like Debian's nss doesn't support loading PEM certificates at 
runtime yet: #726116. My knee-jerk reaction is that I dislike the idea 
of changing the default libldap to moznss before resolving that. 
Migrating slapd's server certificates and CA certificates mentioned in 
ldap.conf is possible, with some work; but we'd also be breaking any 
clients configured for particular PEM certificates. It would be a lot 
nicer if existing setups could keep working.

I only spent a few minutes on this, didn't look yet at whether building 
a second libldap for freeipa's use is feasible. Timo, how far did you 
get on that when you looked at it previously?

Also, do you know anything about the thought process behind the recent 
(and then reverted) switch to openssl in Fedora? Are they planning to 
move away from moznss?
-------------- next part --------------
diff -u openldap-2.4.40+dfsg/debian/changelog openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,15 @@
+openldap (2.4.40+dfsg-1+moznss) UNRELEASED; urgency=medium
+
+  * Build against NSS instead of GnuTLS.
+    - debian/control: Build-Depend on libnss3-dev and pkg-config.
+    - debian/configure.options: Configure with moznss.
+    - debian/patches/openldap-autoconf-pkgconfig-nss.patch: Import Fedora 
+      patch to use pkg-config for NSS library detection.
+    - debian/patches/smbk5pwd-gnutls.patch: smbk5pwd hasn't been ported to 
+      moznss. Keep building it with nettle.
+
+ -- Ryan Tandy <ryan at nardis.ca>  Thu, 16 Apr 2015 13:28:15 -0700
+
 openldap (2.4.40+dfsg-1) unstable; urgency=medium
 
   * Remove inetorgperson.schema from the upstream source. Replace it with a
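Review bot: the changelog entry names debian/patches/smbk5pwd-gnutls.patch, but the file added by this debdiff and the series entry are both spelled smbk5pwd-gnutls (no .patch suffix); pick one name and use it in all three places. Two smaller points in the same hunk: the lines "- debian/patches/openldap-autoconf-pkgconfig-nss.patch: Import Fedora " and "- debian/patches/smbk5pwd-gnutls.patch: smbk5pwd hasn't been ported to " carry trailing whitespace, and the version 2.4.40+dfsg-1+moznss sorts above 2.4.40+dfsg-1, so a locally installed test build would shadow the archive package; for anything meant to become a jessie backport a version that sorts below the next archive upload (e.g. a ~ suffix) avoids that.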
diff -u openldap-2.4.40+dfsg/debian/configure.options openldap-2.4.40+dfsg/debian/configure.options
--- openldap-2.4.40+dfsg/debian/configure.options
+++ openldap-2.4.40+dfsg/debian/configure.options
@@ -176,7 +176,7 @@
 #  --with-threads	  with threads [auto]
 --with-threads
 #  --with-tls		  with TLS/SSL support auto|openssl|gnutls|moznss [auto]
---with-tls=gnutls
+--with-tls=moznss
 #  --with-yielding-select  with implicitly yielding select [auto]
 #  --with-mp               with multiple precision statistics auto|longlong|long|bignum|gmp [auto]
 #  --with-odbc             with specific ODBC support iodbc|unixodbc|odbc32|auto [auto]
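Review bot: with the pkg-config patch in this debdiff, NSS/NSPR include and library paths come from nss.pc and nspr.pc, so the manual CPPFLAGS=-I/usr/include/nss -I/usr/include/nspr and LDFLAGS=-L.../nss additions from the earlier mail are no longer needed here; it is worth checking the configure output confirms "checking for MOZNSS" succeeds via pkg-config rather than falling through to ol_link_tls=no, since --with-tls=moznss is now hard-coded for every build of the package.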
diff -u openldap-2.4.40+dfsg/debian/control openldap-2.4.40+dfsg/debian/control
--- openldap-2.4.40+dfsg/debian/control
+++ openldap-2.4.40+dfsg/debian/control
@@ -11,11 +11,11 @@
 Build-Depends: debhelper (>= 8.9.0~),
 	dpkg-dev (>= 1.16.1),
 	libdb5.3-dev, nettle-dev,
- libgnutls28-dev, unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0),
+ libnss3-dev, unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0),
  libsasl2-dev, libslp-dev, libltdl-dev | libltdl3-dev (>= 1.4.3),
  libwrap0-dev, perl, po-debconf, quilt (>= 0.46-7),
  groff-base, time, heimdal-multidev,
- dh-autoreconf
+ dh-autoreconf, pkg-config
 Build-Conflicts: libbind-dev, bind-dev, libicu-dev, autoconf2.13
 Standards-Version: 3.9.1
 Homepage: http://www.openldap.org/
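Review bot: libgnutls28-dev is dropped while nettle-dev stays, which matches the changelog's statement that smbk5pwd keeps building with nettle; please confirm that the -DHAVE_GNUTLS path in contrib/slapd-modules/smbk5pwd does not include any gnutls headers, otherwise that module build will fail once libgnutls28-dev is gone from the build environment. Adding pkg-config to Build-Depends is required for the PKG_CHECK_MODULES macro introduced by the configure.in patch, since pkg.m4 must be present when dh-autoreconf regenerates configure.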
diff -u openldap-2.4.40+dfsg/debian/patches/series openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -26,0 +27,2 @@
+openldap-autoconf-pkgconfig-nss.patch
+smbk5pwd-gnutls
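Review bot: both new patches are appended at the end of the series, after Debian's existing patches; that is the right place for openldap-autoconf-pkgconfig-nss.patch, which modifies configure.in and relies on dh-autoreconf running after quilt has applied the series. The entry smbk5pwd-gnutls matches the file header in this debdiff but not the name used in the changelog (smbk5pwd-gnutls.patch); align the two.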
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/openldap-autoconf-pkgconfig-nss.patch
+++ openldap-2.4.40+dfsg/debian/patches/openldap-autoconf-pkgconfig-nss.patch
@@ -0,0 +1,48 @@
+Use pkg-config for Mozilla NSS library detection
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+
+---
+ configure.in | 22 +++++-----------------
+ 1 file changed, 5 insertions(+), 17 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index ecffe30..2a9cfb4 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
+ 	fi
+ fi
+ 
+-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
+-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
+-dnl are not in the default system location
+ if test $ol_link_tls = no ; then
+ 	if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
+-		have_moznss=no
+-		AC_CHECK_HEADERS([nssutil.h])
+-		if test "$ac_cv_header_nssutil_h" = yes ; then
+-			AC_CHECK_LIB([nss3], [NSS_Initialize],
+-						 [ have_moznss=yes ], [ have_moznss=no ])
+-		fi
++		PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
+ 
+-		if test "$have_moznss" = yes ; then
++		if test $have_moznss = yes ; then
+ 			ol_with_tls=moznss
+ 			ol_link_tls=yes
+-			AC_DEFINE(HAVE_MOZNSS, 1, 
+-					  [define if you have MozNSS])
+-			TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
+-		else
+-			if test $ol_with_tls = moznss ; then
+-			AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
+-			fi
++			AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
++			TLS_LIBS="$MOZNSS_LIBS"
++			CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
+ 		fi
+ 	fi
+ fi
+-- 
+1.7.11.7
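Review bot: the replacement block drops the AC_MSG_ERROR that the removed code raised when --with-tls=moznss was requested explicitly but NSS was not found; with the new code, "if test $have_moznss = yes" simply falls through on failure and configure continues with ol_link_tls=no, so a missing libnss3-dev or a broken nss.pc would produce a build without TLS instead of a hard configure error. Since debian/configure.options now forces --with-tls=moznss, an else branch along the lines of the removed
 if test $ol_with_tls = moznss ; then
 AC_MSG_ERROR([MozNSS not found ...])
 fi
is worth keeping. Minor: MOZNSS_CFLAGS holds -I options, which belong in CPPFLAGS rather than CFLAGS so they also reach preprocessor-only checks.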
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/smbk5pwd-gnutls
+++ openldap-2.4.40+dfsg/debian/patches/smbk5pwd-gnutls
@@ -0,0 +1,11 @@
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -28,7 +28,7 @@
+ CC = gcc
+ OPT = -g -O2 -Wall
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+-DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
++DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW -UHAVE_MOZNSS -DHAVE_GNUTLS
+ INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
+ # put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356
+ LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
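Review bot: -UHAVE_MOZNSS on the command line only removes a macro defined earlier on the command line; if HAVE_MOZNSS reaches smbk5pwd.c through the configure-generated portable.h (the AC_DEFINE(HAVE_MOZNSS, 1, ...) in the other patch), that header re-defines it after -U has taken effect, so the module builds with nettle only because its source tests HAVE_GNUTLS before HAVE_MOZNSS. It would be good to state that dependency in a header comment in the patch, or to verify the resulting preprocessor selection with a -E run, so a future reordering of those #if branches upstream does not silently switch the module back to the NSS code path.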

