[Pkg-openldap-devel] Bug#725153: [Pkg-freeipa-devel] Bug#725153: freeipa-server backport to Jessie?

Timo Aaltonen tjaalton at debian.org
Fri Apr 17 04:45:24 UTC 2015


On 17.04.2015 02:32, Ryan Tandy wrote:
> On Wed, Apr 15, 2015 at 06:45:39PM +0200, Holger Levsen wrote:
>> to build the openldap package against libnss3-dev, one has to:
>>
>> - in debian/control: replace the build-dependency on libgnutls28-dev with
>> libnss3-dev
>> - in debian/configure.options: use --with-tls=moznss (instead of
>> --with-tls)
>> and also add the line "CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr
>> LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss" somewhere.
>>
>> With that the build still fails with
>>
>> smbk5pwd.c:1073:4: warning: too many arguments for format [-Wformat-extra-args]
>> smbk5pwd.c:968:2: warning: variable 'dummy_ad' set but not used [-Wunused-but-set-variable]
>>  dummy_ad;
>>  ^
>> Makefile:50: recipe for target 'smbk5pwd.lo' failed
>> make[2]: *** [smbk5pwd.lo] Error 1
>> make[2]: Leaving directory './openldap-2.4.40+dfsg/contrib/slapd-modules/smbk5pwd'
>>
>> but that should be easy to work around by not building the slapd
>> packages or contrib modules (as freeipa-server users won't need slapd anyway...)
> 
> The attached debdiff replaces gnutls with nss but continues building
> smbk5pwd with nettle. AFAICT the result works properly, smbk5pwd included.
> 
> I didn't try importing Fedora's patches, but noted that several were
> upstreamed already, and more were submitted and await review.
> 
> Looks like Debian's nss doesn't support loading PEM certificates at
> runtime yet: #726116. My knee-jerk reaction is that I dislike the idea
> of changing the default libldap to moznss before resolving that.
> Migrating slapd's server certificates and CA certificates mentioned in
> ldap.conf is possible, with some work; but we'd also be breaking any
> clients configured for particular PEM certificates. It would be a lot
> nicer if existing setups could keep working.
> 
> I only spent a few minutes on this, didn't look yet at whether building
> a second libldap for freeipa's use is feasible. Timo, how far did you
> get on that when you looked at it previously?

Actually, I pushed a hacked-up libldap to my openldap git on alioth
yesterday, but forgot to update this bug, oops.

git://git.debian.org/git/users/tjaalton/openldap.git

It doesn't build anything other than libldap & ldap-utils, and includes
the applicable Fedora patches (yes, three of them were upstream already)
minus the autoconf one, which gave me some pain. If it's ok for you, we could
have a branch on the official pkg repo so folks that need to build their
own packages could use that as the base.

I don't think fixing this bug by switching to build against moznss makes
much sense for Debian, because the need for it is going away once
Freeipa ditches using ldap+tls connections altogether which is currently
only used in the replication process. Once that's rewritten and using
GSSAPI (in 4.2?) we'd be fine.

That might still leave plain 389-ds-base multimaster replication in the
dust though, but I'm not interested in that personally.. Building a
second libldap against moznss might be possible, but looks icky..

> Also, do you know anything about the thought process behind the recent
> (and then reverted) switch to openssl in Fedora? Are they planning to
> move away from moznss?

Nah, I guess that was some kind of frustration by the maintainer, did
that without any discussion and it caused some "concern" on #freeipa at
the time :)


-- 
t
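As an added example (not from this thread, the openldap package or Timo's git), the shell below applies Holger's three quoted changes to a copy of the packaging files and then classifies a built libldap's TLS linkage from `ldd` output, so a rebuilt library can be checked for actually linking NSS and not GnuTLS. It assumes the CPPFLAGS/LDFLAGS line belongs in debian/configure.options (the message only says "somewhere") and runs on constructed sample files instead of the real source tree.

```shell
#!/bin/sh
set -eu

# Constructed stand-in for the two openldap packaging files the recipe edits.
make_sample_tree() {
    mkdir -p "$1/debian"
    printf 'Build-Depends: debhelper (>= 9), libgnutls28-dev, libsasl2-dev\n' \
        > "$1/debian/control"
    cat > "$1/debian/configure.options" <<'EOF'
--with-tls
--enable-overlays
EOF
}

# Apply the three changes from the quoted recipe to the source tree under $1.
switch_openldap_to_moznss() {
    ctl=$1/debian/control; opts=$1/debian/configure.options
    # 1. Build-Depends: libgnutls28-dev -> libnss3-dev
    sed 's/libgnutls28-dev/libnss3-dev/g' "$ctl" > "$ctl.tmp" && mv "$ctl.tmp" "$ctl"
    # 2. bare --with-tls -> --with-tls=moznss (an existing =value is left alone)
    sed 's/--with-tls$/--with-tls=moznss/; s/--with-tls\([[:space:]]\)/--with-tls=moznss\1/g' \
        "$opts" > "$opts.tmp" && mv "$opts.tmp" "$opts"
    # 3. NSS/NSPR include and library paths. The message only says "somewhere";
    #    appending them to configure.options is this example's assumption.
    printf '%s\n' \
        'CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss' \
        >> "$opts"
}

# Classify a libldap's TLS linkage from `ldd` output on stdin. A moznss build
# must link libnss3 and no longer libgnutls; anything still pulling in gnutls
# is reported as gnutls, since that backend is what is really in use.
tls_backend() {
    out=$(cat)
    case $out in
        *libgnutls*) echo gnutls ;;
        *libnss3*)   echo nss ;;
        *)           echo none ;;
    esac
}

# Demo on the constructed tree. On a real build, pipe `ldd` of the built
# libldap shared object into tls_backend instead of this sample line.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample_tree "$work"
switch_openldap_to_moznss "$work"
cat "$work/debian/control" "$work/debian/configure.options"
printf '%s\n' 'libnss3.so => /usr/lib/x86_64-linux-gnu/libnss3.so (0x0)' | tls_backend
```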
