On Wed, Apr 15, 2015 at 06:45:39PM +0200, Holger Levsen wrote:
to build the openldap package against libnss3-dev, one has to:

- in debian/control: replace the build-dependency on libgnutls28-dev with libnss3-dev
- in debian/configure.options: use --with-tls=moznss (instead of --with-tls) and also add the line "CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss" somewhere.

With that the build still fails with

smbk5pwd.c:1073:4: warning: too many arguments for format [-Wformat-extra-args]
smbk5pwd.c:968:2: warning: variable 'dummy_ad' set but not used [-Wunused-but-set-variable]
 dummy_ad;
 ^
Makefile:50: recipe for target 'smbk5pwd.lo' failed
make[2]: *** [smbk5pwd.lo] Error 1
make[2]: Leaving directory './openldap-2.4.40+dfsg/contrib/slapd-modules/smbk5pwd'

but that should be easy to work around by not building the slapd packages or
contrib modules (as freeipa-server users won't need slapd anyway...)

The attached debdiff replaces gnutls with nss but continues building smbk5pwd with nettle. AFAICT the result works properly, smbk5pwd included.

I didn't try importing Fedora's patches, but noted that several were upstreamed already, and more were submitted and await review.

Looks like Debian's nss doesn't support loading PEM certificates at runtime yet: #726116. My knee-jerk reaction is that I dislike the idea of changing the default libldap to moznss before resolving that. Migrating slapd's server certificates and CA certificates mentioned in ldap.conf is possible, with some work; but we'd also be breaking any clients configured for particular PEM certificates. It would be a lot nicer if existing setups could keep working.

I only spent a few minutes on this, didn't look yet at whether building a second libldap for freeipa's use is feasible. Timo, how far did you get on that when you looked at it previously?

Also, do you know anything about the thought process behind the recent (and then reverted) switch to openssl in Fedora? Are they planning to move away from moznss?
diff -u openldap-2.4.40+dfsg/debian/changelog 
openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,15 @@
+openldap (2.4.40+dfsg-1+moznss) UNRELEASED; urgency=medium
+
+  * Build against NSS instead of GnuTLS.
+    - debian/control: Build-Depend on libnss3-dev and pkg-config.
+    - debian/configure.options: Configure with moznss.
+    - debian/patches/openldap-autoconf-pkgconfig-nss.patch: Import Fedora 
+      patch to use pkg-config for NSS library detection.
+    - debian/patches/smbk5pwd-gnutls.patch: smbk5pwd hasn't been ported to 
+      moznss. Keep building it with nettle.
+
+ -- Ryan Tandy <r...@nardis.ca>  Thu, 16 Apr 2015 13:28:15 -0700
+
 openldap (2.4.40+dfsg-1) unstable; urgency=medium
 
   * Remove inetorgperson.schema from the upstream source. Replace it with a
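Review bot: the changelog names the second patch debian/patches/smbk5pwd-gnutls.patch, but the series entry and the new file in this debdiff are both called smbk5pwd-gnutls with no .patch suffix; pick one name and use it in all three places. It would also help to record here the user-visible consequence of the backend switch that the covering mail raises, namely that Debian's nss does not yet load PEM certificates referenced from ldap.conf at runtime (#726116), since that is what an administrator installing this build needs to know.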
diff -u openldap-2.4.40+dfsg/debian/configure.options 
openldap-2.4.40+dfsg/debian/configure.options
--- openldap-2.4.40+dfsg/debian/configure.options
+++ openldap-2.4.40+dfsg/debian/configure.options
@@ -176,7 +176,7 @@
 #  --with-threads        with threads [auto]
 --with-threads
 #  --with-tls            with TLS/SSL support auto|openssl|gnutls|moznss [auto]
---with-tls=gnutls
+--with-tls=moznss
 #  --with-yielding-select  with implicitly yielding select [auto]
 #  --with-mp               with multiple precision statistics 
auto|longlong|long|bignum|gmp [auto]
 #  --with-odbc             with specific ODBC support 
iodbc|unixodbc|odbc32|auto [auto]
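Review bot: the CPPFLAGS/LDFLAGS line from the quoted mail is deliberately not added here because the imported pkg-config patch supplies MOZNSS_CFLAGS and MOZNSS_LIBS; a one-line comment above --with-tls=moznss saying so would stop the next person from re-adding it. Hard-coding moznss (rather than auto) also means there is no fallback backend if libnss3-dev is missing, so make sure configure fails loudly in that case rather than producing a libldap without TLS; see the note on the dropped AC_MSG_ERROR in the pkg-config patch below.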
diff -u openldap-2.4.40+dfsg/debian/control openldap-2.4.40+dfsg/debian/control
--- openldap-2.4.40+dfsg/debian/control
+++ openldap-2.4.40+dfsg/debian/control
@@ -11,11 +11,11 @@
 Build-Depends: debhelper (>= 8.9.0~),
        dpkg-dev (>= 1.16.1),
        libdb5.3-dev, nettle-dev,
- libgnutls28-dev, unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0),
+ libnss3-dev, unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0),
  libsasl2-dev, libslp-dev, libltdl-dev | libltdl3-dev (>= 1.4.3),
  libwrap0-dev, perl, po-debconf, quilt (>= 0.46-7),
  groff-base, time, heimdal-multidev,
- dh-autoreconf
+ dh-autoreconf, pkg-config
 Build-Conflicts: libbind-dev, bind-dev, libicu-dev, autoconf2.13
 Standards-Version: 3.9.1
 Homepage: http://www.openldap.org/
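Review bot: nettle-dev survives while libgnutls28-dev is removed, which is correct only because smbk5pwd is kept on its HAVE_GNUTLS code path (per the smbk5pwd-gnutls patch and the changelog) and that path is what needs nettle. A short comment next to nettle-dev tying it to smbk5pwd would prevent it from being dropped later as apparently unused, and the same comment could say that pkg-config is required by the PKG_CHECK_MODULES call the new autoconf patch introduces.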
diff -u openldap-2.4.40+dfsg/debian/patches/series 
openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -26,0 +27,2 @@
+openldap-autoconf-pkgconfig-nss.patch
+smbk5pwd-gnutls
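Review bot: the second entry is added without a .patch suffix, unlike the entry directly above it and unlike the name used in the changelog (smbk5pwd-gnutls.patch); rename the file and the series entry to smbk5pwd-gnutls.patch so all three agree.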
only in patch2:
unchanged:
--- 
openldap-2.4.40+dfsg.orig/debian/patches/openldap-autoconf-pkgconfig-nss.patch
+++ openldap-2.4.40+dfsg/debian/patches/openldap-autoconf-pkgconfig-nss.patch
@@ -0,0 +1,48 @@
+Use pkg-config for Mozilla NSS library detection
+
+Author: Jan Vcelak <jvce...@redhat.com>
+
+---
+ configure.in | 22 +++++-----------------
+ 1 file changed, 5 insertions(+), 17 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index ecffe30..2a9cfb4 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
+       fi
+ fi
+ 
+-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
+-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
+-dnl are not in the default system location
+ if test $ol_link_tls = no ; then
+       if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
+-              have_moznss=no
+-              AC_CHECK_HEADERS([nssutil.h])
+-              if test "$ac_cv_header_nssutil_h" = yes ; then
+-                      AC_CHECK_LIB([nss3], [NSS_Initialize],
+-                                               [ have_moznss=yes ], [ 
have_moznss=no ])
+-              fi
++              PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], 
[have_moznss=no])
+ 
+-              if test "$have_moznss" = yes ; then
++              if test $have_moznss = yes ; then
+                       ol_with_tls=moznss
+                       ol_link_tls=yes
+-                      AC_DEFINE(HAVE_MOZNSS, 1, 
+-                                        [define if you have MozNSS])
+-                      TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 
-lplc4 -lnspr4"
+-              else
+-                      if test $ol_with_tls = moznss ; then
+-                      AC_MSG_ERROR([MozNSS not found - please specify the 
location to the NSPR and NSS header files in CPPFLAGS and the location to the 
NSPR and NSS libraries in LDFLAGS (if not in the system location)])
+-                      fi
++                      AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
++                      TLS_LIBS="$MOZNSS_LIBS"
++                      CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
+               fi
+       fi
+ fi
+-- 
+1.7.11.7
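Review bot: the removed else-branch was the only code that made an explicit --with-tls=moznss fail with a useful message when NSS was absent; after this change PKG_CHECK_MODULES sets have_moznss=no and control simply falls out of the block with ol_link_tls still no. Unless a later generic "TLS package not found" check in configure.in catches it, a build without libnss3-dev would silently produce a libldap without TLS, so either confirm that such a check exists or restore an AC_MSG_ERROR for the ol_with_tls=moznss case (a hint about PKG_CONFIG_PATH would replace the old CPPFLAGS/LDFLAGS advice). Two smaller points: $MOZNSS_CFLAGS are -I flags and belong in CPPFLAGS rather than CFLAGS, and the header carries only an Author line, so a DEP-3 Origin/Forwarded field pointing at the Fedora source would document where the patch came from and whether it was sent upstream.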
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/smbk5pwd-gnutls
+++ openldap-2.4.40+dfsg/debian/patches/smbk5pwd-gnutls
@@ -0,0 +1,11 @@
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -28,7 +28,7 @@
+ CC = gcc
+ OPT = -g -O2 -Wall
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+-DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
++DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW -UHAVE_MOZNSS -DHAVE_GNUTLS
+ INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
+ # put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, 
#745356
+ LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
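Review bot: the patch has no DEP-3 header at all (Description, Author, Forwarded), so nothing in the file records why smbk5pwd is forced onto the GnuTLS/nettle code path; add one stating, as the changelog does, that the module has not been ported to MozNSS. Also verify that -UHAVE_MOZNSS on the command line actually has an effect: if smbk5pwd.c picks up HAVE_MOZNSS from the generated portable.h, that #define is processed after the command-line -U and wins, and the build then works only if the HAVE_GNUTLS branch is tested first in the source; a sentence in the patch header saying which of the two is relied upon would help whoever touches this next.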
