[Freeipa-devel] [PATCH] Replace OpenLDAP with mozldap
W. Michael Petullo
mike at flyn.org
Sun Feb 24 14:10:40 UTC 2008
I've attached a patch that begins the process of replacing OpenLDAP with
mozldap. FreeIPA relies on RedHat's Directory Server, which uses mozldap. A
FreeIPA build using mozldap would reduce the project's dependencies and
redundant code. In addition, mozldap uses NSS instead of OpenSSL. This is
beneficial for the reasons listed in [1].
[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation
--
Mike
-------------- next part --------------
diff -u --recursive freeipa-0.99-vanilla/ipa-client/configure.ac freeipa-0.99/ipa-client/configure.ac
--- freeipa-0.99-vanilla/ipa-client/configure.ac 2008-02-18 18:21:39.000000000 +0430
+++ freeipa-0.99/ipa-client/configure.ac 2008-02-24 16:56:55.000000000 +0430
@@ -82,42 +82,10 @@
AC_SUBST(KRB5_LIBS)
dnl ---------------------------------------------------------------------------
-dnl - Check for LDAP
+dnl - Check for Mozilla LDAP SDK
dnl ---------------------------------------------------------------------------
-LDAP_LIBS=
-AC_CHECK_HEADER(ldap.h)
-AC_CHECK_HEADER(lber.h)
-
-AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
-dnl Check for other libraries we need to link with to get the main routines.
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
-dnl Recently, we need -lber even though the main routines are elsewhere,
-dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just
-dnl check for that (it's a variable not a fun but that doesn't seem to
-dnl matter in these checks) and stick in -lber if so. Can't hurt (even to
-dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
-dnl #### understands LDAP needs to fix this properly.
-test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
-
-if test "$with_ldap" = "yes"; then
- if test "$with_ldap_des" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -ldes"
- fi
- if test "$with_ldap_krb" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -lkrb"
- fi
- if test "$with_ldap_lber" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -llber"
- fi
- LDAP_LIBS="${LDAP_LIBS} -lldap"
-else
- AC_MSG_ERROR([LDAP not found])
-fi
-
-AC_SUBST(LDAP_LIBS)
+PKG_CHECK_MODULES(MOZLDAP, mozldap > 6)
dnl ---------------------------------------------------------------------------
dnl - Check for POPT
diff -u --recursive freeipa-0.99-vanilla/ipa-client/ipa-getkeytab.c freeipa-0.99/ipa-client/ipa-getkeytab.c
--- freeipa-0.99-vanilla/ipa-client/ipa-getkeytab.c 2008-02-18 18:21:39.000000000 +0430
+++ freeipa-0.99/ipa-client/ipa-getkeytab.c 2008-02-24 18:16:03.000000000 +0430
@@ -31,7 +31,7 @@
#include <errno.h>
#include <time.h>
#include <krb5.h>
-#include <ldap.h>
+#include <mozldap/ldap.h>
#include <sasl/sasl.h>
#include <popt.h>
@@ -275,7 +275,6 @@
BerElement *ctrl = NULL;
BerElement *sctrl = NULL;
struct berval *control = NULL;
- char *ldap_uri = NULL;
struct berval **ncvals;
char *ldap_base = NULL;
char *retoid = NULL;
@@ -306,23 +305,16 @@
goto error_out;
}
- /* connect to ldap server */
- ret = asprintf(&ldap_uri, "ldap://%s:389", servername);
- if (ret == -1) {
- fprintf(stderr, "Unable to determine server URI!\n");
- goto error_out;
- }
-
/* TODO: support referrals ? */
- ret = ldap_initialize(&ld, ldap_uri);
- if(ret != LDAP_SUCCESS) {
+ ld = ldap_init(servername, 389);
+ if(ld == NULL) {
fprintf(stderr, "Unable to initialize ldap library!\n");
goto error_out;
}
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
- if (ret != LDAP_OPT_SUCCESS) {
+ if (ret != LDAP_SUCCESS) {
fprintf(stderr, "Unable to set ldap options!\n");
goto error_out;
}
@@ -427,8 +419,7 @@
ber_free(sctrl, 1);
ldap_controls_free(srvctrl);
ldap_msgfree(res);
- ldap_unbind_ext_s(ld, NULL, NULL);
- free(ldap_uri);
+ ldap_unbind_ext(ld, NULL, NULL);
return kvno;
error_out:
@@ -436,8 +427,7 @@
if (srvctrl) ldap_controls_free(srvctrl);
if (err) ldap_memfree(err);
if (res) ldap_msgfree(res);
- if (ld) ldap_unbind_ext_s(ld, NULL, NULL);
- if (ldap_uri) free(ldap_uri);
+ if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
if (encs) free(encs);
return 0;
diff -u --recursive freeipa-0.99-vanilla/ipa-client/Makefile.am freeipa-0.99/ipa-client/Makefile.am
--- freeipa-0.99-vanilla/ipa-client/Makefile.am 2008-02-18 18:21:39.000000000 +0430
+++ freeipa-0.99/ipa-client/Makefile.am 2008-02-24 16:45:47.000000000 +0430
@@ -13,7 +13,7 @@
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
$(KRB5_CFLAGS) \
- $(LDAP_CFLAGS) \
+ $(MOZLDAP_CFLAGS) \
$(SASL_CFLAGS) \
$(POPT_CFLAGS) \
$(WARN_CFLAGS) \
@@ -29,7 +29,7 @@
ipa_getkeytab_LDADD = \
$(KRB5_LIBS) \
- $(LDAP_LIBS) \
+ $(MOZLDAP_LIBS) \
$(SASL_LIBS) \
$(POPT_LIBS) \
$(NULL)
diff -u --recursive freeipa-0.99-vanilla/ipa-server/configure.ac freeipa-0.99/ipa-server/configure.ac
--- freeipa-0.99-vanilla/ipa-server/configure.ac 2008-02-18 18:21:39.000000000 +0430
+++ freeipa-0.99/ipa-server/configure.ac 2008-02-24 16:56:32.000000000 +0430
@@ -87,44 +87,6 @@
AC_SUBST(KRB5_LIBS)
dnl ---------------------------------------------------------------------------
-dnl - Check for LDAP
-dnl ---------------------------------------------------------------------------
-
-LDAP_LIBS=
-AC_CHECK_HEADER(ldap.h)
-AC_CHECK_HEADER(lber.h)
-
-AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
-dnl Check for other libraries we need to link with to get the main routines.
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
-dnl Recently, we need -lber even though the main routines are elsewhere,
-dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just
-dnl check for that (it's a variable not a fun but that doesn't seem to
-dnl matter in these checks) and stick in -lber if so. Can't hurt (even to
-dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
-dnl #### understands LDAP needs to fix this properly.
-test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
-
-if test "$with_ldap" = "yes"; then
- if test "$with_ldap_des" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -ldes"
- fi
- if test "$with_ldap_krb" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -lkrb"
- fi
- if test "$with_ldap_lber" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -llber"
- fi
- LDAP_LIBS="${LDAP_LIBS} -lldap"
-else
- AC_MSG_ERROR([LDAP not found])
-fi
-
-AC_SUBST(LDAP_LIBS)
-
-dnl ---------------------------------------------------------------------------
dnl - Check for Mozilla LDAP SDK
dnl ---------------------------------------------------------------------------
@@ -257,7 +219,7 @@
source code location: ${srcdir}
compiler: ${CC}
cflags: ${CFLAGS}
- LDAP libs: ${LDAP_LIBS}
+ LDAP libs: ${MOZLDAP_LIBS}
KRB5 libs: ${KRB5_LIBS}
OpenSSL libs: ${SSL_LIBS}
Maintainer mode: ${USE_MAINTAINER_MODE}
diff -u --recursive freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/ipa_kpasswd.c freeipa-0.99/ipa-server/ipa-kpasswd/ipa_kpasswd.c
--- freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/ipa_kpasswd.c 2008-02-18 18:21:39.000000000 +0430
+++ freeipa-0.99/ipa-server/ipa-kpasswd/ipa_kpasswd.c 2008-02-24 18:13:30.000000000 +0430
@@ -39,13 +39,17 @@
#include <arpa/inet.h>
#include <time.h>
#include <krb5.h>
-#include <ldap.h>
+#include <mozldap/ldap.h>
#include <sasl/sasl.h>
#define DEFAULT_KEYTAB "FILE:/var/kerberos/krb5kdc/kpasswd.keytab"
#define TMP_TEMPLATE "/tmp/kpasswd.XXXXXX"
#define KPASSWD_PORT 464
+/* From OpenLDAP's ldap.h */
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
+
/* blacklist entries are released only BLCAKLIST_TIMEOUT seconds
* after the children performing the noperation has finished.
* this is to avoid races */
@@ -310,7 +314,6 @@
struct berval control;
struct berval newpw;
char hostname[1024];
- char *ldap_uri = NULL;
struct berval **ncvals;
char *ldap_base = NULL;
char *filter;
@@ -367,17 +370,10 @@
goto done;
}
- ret = asprintf(&ldap_uri, "ldap://%s:389", hostname);
- if (ret == -1) {
- syslog(LOG_ERR, "Out of memory!");
- ret = KRB5_KPASSWD_HARDERROR;
- goto done;
- }
-
/* connect to ldap server */
/* TODO: support referrals ? */
- ret = ldap_initialize(&ld, ldap_uri);
- if(ret != LDAP_SUCCESS) {
+ ld = ldap_init(hostname, 389);
+ if(ld == NULL) {
syslog(LOG_ERR, "Unable to connect to ldap server");
ret = KRB5_KPASSWD_HARDERROR;
goto done;
@@ -385,7 +381,7 @@
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
- if (ret != LDAP_OPT_SUCCESS) {
+ if (ret != LDAP_SUCCESS) {
syslog(LOG_ERR, "Unable to set ldap protocol version");
ret = KRB5_KPASSWD_HARDERROR;
goto done;
@@ -480,11 +476,12 @@
ret = KRB5_KPASSWD_HARDERROR;
goto done;
}
+
ber_printf(ctrl, "{tstON}",
LDAP_TAG_EXOP_MODIFY_PASSWD_ID, userdn,
LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &newpw);
- ret = ber_flatten2(ctrl, &control, 0);
+ ret = ber_flatten(ctrl, &control);
if (ret < 0) {
syslog(LOG_ERR, "ber flattening failed!");
ret = KRB5_KPASSWD_HARDERROR;
@@ -645,8 +642,7 @@
if (exterr1) free(exterr1);
if (exterr2) free(exterr2);
if (userdn) free(userdn);
- if (ld) ldap_unbind_ext_s(ld, NULL, NULL);
- if (ldap_uri) free(ldap_uri);
+ if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (tmp_file) {
unlink(tmp_file);
free(tmp_file);
diff -u --recursive freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/Makefile.am freeipa-0.99/ipa-server/ipa-kpasswd/Makefile.am
--- freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/Makefile.am 2008-02-18 18:21:39.000000000 +0430
+++ freeipa-0.99/ipa-server/ipa-kpasswd/Makefile.am 2008-02-24 16:24:57.000000000 +0430
@@ -8,7 +8,7 @@
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(LDAP_CFLAGS) \
+ $(MOZLDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
@@ -22,7 +22,7 @@
$(NULL)
ipa_kpasswd_LDADD = \
- $(LDAP_LIBS) \
+ $(MOZLDAP_LIBS) \
$(KRB5_LIBS) \
$(NULL)
More information about the Freeipa-devel
mailing list