In message <20250624173442.adc1...@slippy.cwsent.com>, Cy Schubert writes:
> In message <afrblueohuxah...@freefall.freebsd.org>, Lexi Winter writes:
> >
> > Cy Schubert:
> > > In message <afrsquqsti4pr...@freefall.freebsd.org>, Lexi Winter writes:
> > > > i'm hoping with MIT krb5 in base, we might be able to find a better
> > > > solution to this, but i haven't had a chance to actually try it.
> > > > it may be we have to go with a glib-style "bootstrap port" solution.
> >
> > > It may help bootstrap but you can't rely on it to supply your KDC needs as
> > > it doesn't and will never use LDAP, unless we import OpenLDAP into base,
> > > and that's another matter of discussion.
> >
> > i am thinking purely in terms of ports here, e.g.:
> >
> > - krb5-ldap requires openldap26@bootstrap
> > - openldap26@bootstrap builds OpenLDAP without Kerberos support
> > - after building krb5-ldap you then build openldap26 with Kerberos
> >   support which is a drop-in replacement for openldap26@bootstrap.
> >
> > then you install krb5-ldap and openldap26-server and the
> > openldap26@bootstrap port is never used after the package build is done.
> >
> > the exact details of how this works might be more complicated but my
> > understanding is that this is how devel/glib20 and
> > devel/gobject-introspection manage to depend on each other.
> >
> > i was hoping MIT krb5 in base would avoid the need for this, but i don't
> > think it does: if ports openldap links to base krb5, and ports krb5
> > links to ports openldap, you'd end up with the KDC binary linking to
> > both base and ports krb5. so in practice, you'd still need to ignore
> > base Kerberos entirely (other than for NFS) and build everything against
> > ports krb5, like we do now.
>
> This is the same problem we have with Heimdal currently. This is why
> gssapi.mk was created in the first place. Considering the alternative it
> does a fairly good job of insulating ports from whatever kerberos is in
> base.
>
> gssapi.mk should determine its default based on what it finds, whether it
> be Heimdal in base or ports or MIT in base or ports. The changes made to
> the kdc rc script detect the kerberos. We should be able to do the same in
> gssapi.mk. This avoids people having to muck around with make.conf.
>
> Currently with Heimdal 1.5.2 in 13 and 14, and in default in 15 (until the
> default changes), users will need to use some kind of modern kerberos from
> ports. And this will be the state of affairs until 14 is EOL. gssapi.mk
> will need to account for this and the best way would be to test 1) if the
> user has selected a default in make.conf, 2) test if one of the ports is
> installed and use that, and 3) use whatever is in base (in 13, 14, or 15).
>
> Testing for the kdc or krb5kdc binary in ${LOCALBASE} first, next in
> /usr/libexec will tell gssapi.mk which version is installed.
>
> Regardless, LDAP requires one of the ports be prebuilt.

Something we should start thinking about is bringing FreeIPA into ports. FreeIPA allows building a trust relationship between it and Microsoft Active Directory. I don't know what the requirements are but it's been on my radar for a while.

-- 
Cheers,
Cy Schubert <cy.schub...@cschubert.com>
FreeBSD UNIX:  <c...@freebsd.org>   Web:  https://FreeBSD.org
NTP:           <c...@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0
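The three-step selection order described in the quoted message (an explicit make.conf choice, then an installed port, then whatever base ships) can be sketched as a small POSIX sh function. This is an added illustration, not code from the thread and not the ports tree's actual gssapi.mk: the variable name GSSAPI_DEFAULT standing in for the make.conf knob, the binary names (krb5kdc for MIT, kdc for Heimdal), the candidate directories, and the result labels are all assumptions chosen for the example, and the lookup roots are passed as arguments so the function can be run against a constructed directory tree on any system.

```shell
#!/bin/sh
# Added example: the detection order Cy outlines for gssapi.mk, as a shell
# function. Not the real gssapi.mk. Assumptions (hypothetical, for the demo):
#   - GSSAPI_DEFAULT plays the role of a make.conf override
#   - MIT installs krb5kdc, Heimdal installs kdc
#   - ports live under LOCALBASE (sbin/ or libexec/), base under BASEDIR
#     (libexec/ or sbin/)

# detect_krb5 LOCALBASE BASEDIR
# Prints one of: mit-port, heimdal-port, mit-base, heimdal-base, none
detect_krb5() {
    localbase=$1
    basedir=$2

    # 1) An explicit user selection (the make.conf analogue) always wins.
    if [ -n "${GSSAPI_DEFAULT:-}" ]; then
        printf '%s\n' "$GSSAPI_DEFAULT"
        return 0
    fi

    # 2) A Kerberos port installed under LOCALBASE takes precedence over base.
    if [ -x "$localbase/sbin/krb5kdc" ]; then
        printf 'mit-port\n'
        return 0
    fi
    if [ -x "$localbase/libexec/kdc" ]; then
        printf 'heimdal-port\n'
        return 0
    fi

    # 3) Otherwise fall back to whatever base provides (13/14: Heimdal,
    #    15 once the default changes: MIT). Both candidate locations for
    #    a base MIT KDC are assumptions.
    if [ -x "$basedir/libexec/krb5kdc" ] || [ -x "$basedir/sbin/krb5kdc" ]; then
        printf 'mit-base\n'
        return 0
    fi
    if [ -x "$basedir/libexec/kdc" ]; then
        printf 'heimdal-base\n'
        return 0
    fi

    # Nothing found: a port still has to be built (or selected explicitly).
    printf 'none\n'
    return 0
}

# Constructed fixture for trying the function offline: an empty LOCALBASE and
# base tree under a temporary directory. Prints the root path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/local/sbin" "$root/local/libexec" \
             "$root/base/libexec" "$root/base/sbin"
    printf '%s\n' "$root"
}

# On a real FreeBSD host the call would be (assuming the default LOCALBASE):
#   detect_krb5 /usr/local /usr
```

Dropping a fake executable into one of the fixture directories and calling the function again shows the precedence: a port under LOCALBASE shadows a base KDC, and setting GSSAPI_DEFAULT bypasses the filesystem probing entirely, which is the behaviour the message wants so that users do not have to edit make.conf in the common case but can still force a choice.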