James Carlson wrote:
> Jeff Trawick writes:
>
>> * The system now has two alternative LDAP libraries.
>> * Traditional Solaris stuff works with the native library just fine
>> thank you.
>> * Open source packages developed on other platforms work fine with OpenLDAP.
>>
>
> If the two libraries weren't hostile to each other (which
> ldap_url_parse do I get today?), and if the duplication didn't
> potentially have implications for other projects down the road (such
> as ones that supply configuration information for the system, like
> NWAM), then that might just be the end of the story.
>
> I don't think it is, though.
>
> How does this work in deployment? If I need OpenLDAP in order to get
> SSL support, but there are other things on the system using the native
> libraries, then how can I deploy LDAP+SSL successfully? Does it work
> only with "some" applications?
>

The problem isn't as general as "Other things on the system," though
certainly problems can occur.

LDAP+SSL is specific to particular applications; namely, the traditional
Solaris ones when they use Solaris LDAP, and the open source ones when they
use OpenLDAP (generally speaking).

The expected problem scenario looks like this:

Start with OpenSolaris Apache with its LDAP extension loaded for use in web
server authentication (using OpenLDAP).

Add to it some third-party Apache extension which uses Solaris LDAP, either
directly or in some library it adds to the mix.

=> brokenness in one use of LDAP or the other due to multiple definitions
of some ldap* symbols in the same process, unless special link-time
precautions have been taken

PHP is similar. (And PHP can be an extension to Apache, hence the
requirement to handle both of these in one shot.)

FWLIW, the CoolStack, Blastwave, and Sun Freeware distributions of Apache
and PHP for Solaris all use OpenLDAP. (Sun Freeware also has a special
"noldap" build of Apache for users who don't use LDAP and want to avoid
downloading openldap and its dependencies, but they don't have that
shortcut for PHP.)

>
>> ** Solaris users of these open source packages for some years now have
>> been following instructions to build OpenLDAP and link
>> Apache/PHP/whatever with OpenLDAP. We didn't follow the traditional
>> advice with the web stack, and it hurts.
>>
>> Is this a "system architecture" issue?
>>
>
> Yes, I believe that it is. We (Sun) need a much better story here.
> Letting the system libraries rot in place while the world moves on
> ahead can't possibly be the right answer.
>
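The multiple-definition scenario described in the reply above can be checked for before a module is loaded into Apache or PHP. The following is an added example, not part of the original thread or of either LDAP project: it parses text in the format printed by `nm -D --defined-only` and reports global `ldap*` symbols defined by more than one library. The two listings, the labels `native` and `openldap`, the version tag `EXAMPLE_1.0`, and the function names `exported` and `collisions` are constructed for illustration.

```python
# Added example: find global symbols defined by more than one library.
# Input is text in the format printed by `nm -D --defined-only <lib>`.
# Both listings below are constructed samples, not dumps of real libraries.
from collections import defaultdict

# nm type letters for global definitions: text, data, bss, read-only, weak.
GLOBAL_DEFINED = set("TDBRWV")

NATIVE_NM = """\
0000000000004a10 T ldap_init
0000000000005b20 T ldap_url_parse
0000000000006c30 T ldap_search_s
0000000000007000 t internal_helper
                 U malloc
"""

OPENLDAP_NM = """\
0000000000011a10 T ldap_init@@EXAMPLE_1.0
0000000000012b20 T ldap_url_parse@@EXAMPLE_1.0
0000000000013c30 T ldap_initialize@@EXAMPLE_1.0
0000000000014d40 W ldap_search_s
"""


def exported(nm_text):
    """Return {symbol: type_letter} for global definitions in nm output."""
    out = {}
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # undefined symbols have no address column
            continue
        _addr, kind, name = parts
        if kind in GLOBAL_DEFINED:   # lowercase letters are local symbols
            out[name.split("@")[0]] = kind   # drop any @VERSION suffix
    return out


def collisions(libs, prefix="ldap"):
    """libs maps a label to nm text. Return {symbol: {label: type_letter}}
    for prefixed symbols that two or more of the libraries define."""
    owners = defaultdict(dict)
    for label, text in libs.items():
        for name, kind in exported(text).items():
            if name.startswith(prefix):
                owners[name][label] = kind
    return {n: o for n, o in sorted(owners.items()) if len(o) > 1}


if __name__ == "__main__":
    found = collisions({"native": NATIVE_NM, "openldap": OPENLDAP_NM})
    for name, owners in found.items():
        print(name, owners)
```

Any symbol it reports is defined by both libraries, so a process that loads both is in the situation the reply calls out; `ldap_url_parse`, the symbol James Carlson asks about, is one of them in the constructed sample.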