[Pkg-openldap-devel] Bug#725153: Bug#725153: openldap, nss, and gnutls
Timo Aaltonen
tjaalton at debian.org
Sat Apr 9 15:10:16 UTC 2016
09.04.2016, 09:12, Ryan Tandy wrote:
> On Fri, Apr 08, 2016 at 08:41:01PM +0300, Timo Aaltonen wrote:
> Are you planning to do this in unstable as well, or just in xenial (as
> it sounds like it might be a temporary measure)? Luca and I talked about
> binNEW a while back, and flagged the out-of-date debian/copyright and
> remaining lintian errors as possible concerns that might slow that down.
I think it would be more permanent than that, as it's still useful for
non-freeipa multimaster 389ds installations, and also test-suites using
ldaps (both 389 & freeipa).
> Adding libldap-common probably resolves #330695. I don't remember
> whether there was anything else to be done for that one.
Ah, I can look into that some more.
> The dh_auto_configure invocation you have looks like it breaks stage1
> builds (unconditional --enable-slapd).
Indeed, I'll fix that.
> I notice the ITS#7373 patch hasn't been applied upstream yet. If we're
> going to apply the NSS patches to both source trees, maybe you could
> ping them for a review?
Oh right, well for now this could be applied only to the nss tree. The
other patches should only touch tls_n.c iirc.. will double-check that.
> What happens if both copies of libldap somehow end up linked into the
> same process? I don't know freeipa well enough to imagine a specific
> scenario, but it probably involves PAM somehow... Looks like curl
> handles this via renaming the symbol versions, we could probably do the
> same, if needed.
Hmm right, I didn't notice the symbol renaming in curl though I used it
as an example for how to build separate versions.. so it just needs
changes in .symbols?
> I had anticipated a second out-of-tree build with the same source, so
> now I'm curious: what required copying the source tree? It looks like
> nss-build.patch is just changing the filename of the shared library, not
> the SONAME or anything, right? (Should it? Or are they actually
> ABI-compatible? From an earlier comment of yours, it sounded like they
> might not be.)
Well I used curl as an example.. but now that you mentioned it maybe it
could just be configured without nss-build.diff and then again with it
applied. Should be ABI compatible, which comment are you referring to?
> What does the NSS build do with the TLS_CACERT setting we put in the
> default ldap.conf? I notice #726116 is still open.
Good point, didn't notice that until now..
> Best of luck getting freeipa working, by one approach or the other...
It works great, just blocked on getting pkcs11 support in bind9, and
native systemd units for apache2 & opendnssec...
--
t