So, as a followup to anyone else who may hit this issue, OpenLDAP 2.4.44
won't build (without a set of patches) using OpenSSL 1.1.0c. I
downloaded the older OpenSSL 1.0.2j and everything built fine.
Hopefully the patches that allow OpenSSL 1.1.0 will be rolled into
OpenLDAP 2.4.45 but it may be longer as there seem to be a number of
OpenSSL API changes.
Tom

On 12/01/2016 02:26 PM, Tom Leach wrote:
OK, I know I'm missing something since I know people are building
OpenLDAP with OpenSSL for TLS/SSL, but when I add the --with-tls flag
to configure, it all goes pear shaped.
I'm starting with freshly downloaded tarballs of openssl-1.1.0c and
openldap-2.4.44 on CentOS 7.2.1511.
I've installed the packages using yum:
    yum -y install tcp_wrappers tcp_wrappers-devel tcp_wrappers-libs libtool-ltdl-devel
I've built/installed openssl with:
    ./config shared --prefix=/usr/local;make;make test; make install
I then successfully build openldap with: ./configure
CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib
-Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers
--enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes
--enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes
--enable-modules --enable-mdb --enable-debug=yes --enable-syslog
--enable-slapd --enable-cleartext --enable-monitor --enable-overlays
-with-threads --enable-rewrite --enable-syncprov=yes
(without TLS support)
make depend; make; make distclean
I now add the "--with-tls=openssl" option to configure and it fails with:
./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib
-Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers
--enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes
--enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes
--enable-modules --enable-mdb --enable-debug=yes --enable-syslog
--enable-slapd --enable-cleartext --enable-monitor --enable-overlays
-with-threads --enable-rewrite --enable-syncprov=yes --with-tls=openssl
<snip>
checking for sys/un.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
checking for ssl3_accept in -lssl... no
configure: error: Could not locate TLS/SSL package
In looking at config.log:
configure:15466: checking openssl/ssl.h usability
configure:15466: cc -c -g -O2 -I/usr/local/include conftest.c >&5
configure:15466: $? = 0
configure:15466: result: yes
configure:15466: checking openssl/ssl.h presence
configure:15466: cc -E -I/usr/local/include conftest.c
configure:15466: $? = 0
configure:15466: result: yes
configure:15466: checking for openssl/ssl.h
configure:15466: result: yes
configure:15478: checking for SSL_library_init in -lssl
configure:15503: cc -o conftest -g -O2 -I/usr/local/include
-L/usr/local/lib -L/usr/local/lib64 -Wl,-rpath,/usr/local/lib
conftest.c -lssl -lcrypto -lresolv >&5
/tmp/ccpvG28c.o: In function `main':
/usr/local/src/openldap-2.4.44/conftest.c:107: undefined reference to
`SSL_library_init'
collect2: error: ld returned 1 exit status
configure:15503: $? = 1
The source for OpenSSL 1.1.0c no longer has SSL_library_init in either
the ssl or crypto libraries. It's now a macro in ssh.h which
references OPENSSL_init_ssl. Since the OpenLDAP configure script
doesn't pull in ssh.h in its test, it doesn't find SSL_library_init
and that test fails. As a hack, I changed the test in configure to
use OPENSSL_init_ssl instead of SSL_library_init and OpenLDAP
successfully configured but that blows up during make with a whole
host of errors.
I've also tried adding "-I/usr/local/include/openssl" to the CPPFLAGS
environment but that doesn't change anything (as I expected):
./configure CPPFLAGS="-I/usr/local/include
-I/usr/local/include/openssl" LDFLAGS="-L/usr/local/lib
-Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers
--enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes
--enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes
--enable-modules --enable-mdb --enable-debug=yes --enable-syslog
--enable-slapd --enable-cleartext --enable-monitor --enable-overlays
-with-threads --enable-rewrite --enable-syncprov=yes --with-tls=openssl
So, is my next step to pull the dev version of 2.4.45 from git or am I
just being a moron?
Tom Leach
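
An added example, not part of the original thread or of OpenLDAP's build system: a shell sketch that reports which initialisation symbol a libssl actually exports (the thing configure's "checking for SSL_library_init in -lssl" link test depends on) and pulls the missing symbol names out of config.log. The function names and all sample lines are constructed for illustration, and GNU binutils `nm -D --defined-only` output is assumed.

```sh
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

# classify_libssl: read `nm -D --defined-only <libssl.so>` output on stdin and
# report which init symbol the library exports for configure's link test.
classify_libssl() {
    awk '
        $2 ~ /^[TtWw]$/ {                 # defined text/weak symbols only
            sym = $3
            sub(/@.*/, "", sym)           # strip any symbol-version suffix
            if (sym == "SSL_library_init") legacy = 1
            if (sym == "OPENSSL_init_ssl") newinit = 1
        }
        END {
            if (legacy) { print "legacy-init" } else if (newinit) {
                print "init-ssl-only" } else { print "no-init-symbol" }
        }'
}

# missing_symbols: read config.log on stdin, list symbols the linker
# reported as undefined during configure's test links.
missing_symbols() {
    sed -n "s/.*undefined reference to \`\([A-Za-z0-9_]*\)'.*/\1/p" | sort -u
}

# Constructed nm output for a 1.0.2-style and a 1.1.0-style libssl.
SAMPLE_NM_102='0000000000045a10 T SSL_library_init
0000000000031c20 T SSL_new'
SAMPLE_NM_110='0000000000034f50 T OPENSSL_init_ssl@@OPENSSL_1_1_0
0000000000038e10 T SSL_new@@OPENSSL_1_1_0'
# Constructed config.log line (unwrapped form of the error quoted above).
SAMPLE_LOG="conftest.c:107: undefined reference to \`SSL_library_init'"

printf '1.0.2-style: %s\n' "$(printf '%s\n' "$SAMPLE_NM_102" | classify_libssl)"
printf '1.1.0-style: %s\n' "$(printf '%s\n' "$SAMPLE_NM_110" | classify_libssl)"
printf 'missing:     %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | missing_symbols)"
```

Against a real build, feed it `nm -D --defined-only /usr/local/lib/libssl.so | classify_libssl` and `missing_symbols < config.log`; an `init-ssl-only` result together with `SSL_library_init` in the missing list matches the failure described in the message.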