Re: MoNSS support in openldap

2010-09-28 Thread Rich Megginson

Silvan Marco Fin wrote:

> Hi!
>
> Is there any magic to be cast upon openldap to enable the MozNSS
> support when compiling it? Perhaps I'm missing something, but there
> doesn't seem to be a configure switch to enable NSS, like with Gnutls or
> OpenSSL.

It is not yet supported by configure.  In the meantime, you have to do
something like this (I use 64-bit RHEL and Fedora, so your OS may vary).
This assumes you have openldap from a source tarball or CVS in a
directory called ol2.4.23:

ls
ol2.4.23/

mkdir build
cd build # I don't build in tree - I build in a separate directory
EXTRA_CFLAGS="-I/usr/include/nss3 -I/usr/include/nspr4 -DHAVE_TLS -DHAVE_MOZNSS"

if [ ! -d include/nss ] ; then
   # openldap uses the #include <nss/file.h> style, but nspr and nss use the
   # #include <file.h> style - so we have to accommodate both styles
   mkdir -p include ; cd include ; ln -s /usr/include/nss3 nss ; cd ..
fi
if [ ! -d include/nspr ] ; then
   # openldap uses the #include <nspr/file.h> style, but nspr and nss use the
   # #include <file.h> style - so we have to accommodate both styles
   mkdir -p include ; cd include ; ln -s /usr/include/nspr4 nspr ; cd ..
fi
TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
LIBS="$TLS_LIBS" \
CFLAGS="-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic $EXTRA_CFLAGS" \
../ol2.4.23/configure --with-tls=no ...other configure args...

> Kind regards,
>  Silvan


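The include-symlink trick from Rich's reply, as an added example rather than his script: the same steps wrapped in POSIX sh functions that refuse to link to a header directory that is not there, confirm that a header resolves through the symlink before configure is run, and keep the flag strings in quoted variables so the shell never tries to execute "-I/usr/include/nspr4" as a command. The defaults /usr/include/nss3 and /usr/include/nspr4 are the RHEL/Fedora paths he mentions; the function names, the argument layout and the header names used for the check (ssl.h, nspr.h) are my own assumptions, and the build dir may be anywhere, which goes a little beyond the single layout shown above.

```shell
#!/bin/sh
# Added example (not part of the thread, not OpenLDAP project code).
# Helpers for building OpenLDAP against Mozilla NSS before configure
# grew a switch for it. Paths default to RHEL/Fedora; pass others.

# Create $builddir/include/nss and $builddir/include/nspr as symlinks to
# the real header directories, so that "#include <nss/ssl.h>" (OpenLDAP's
# style) and "#include <ssl.h>" (NSS's own style) reach the same file.
# Returns non-zero if a header directory is missing or the check fails.
setup_moznss_includes() {
    builddir=$1
    nss_inc=${2:-/usr/include/nss3}    # assumed default location
    nspr_inc=${3:-/usr/include/nspr4}  # assumed default location

    # do not create dangling symlinks to header dirs that are not installed
    [ -d "$nss_inc" ] && [ -d "$nspr_inc" ] || return 1
    mkdir -p "$builddir/include" || return 1
    [ -e "$builddir/include/nss" ]  || ln -s "$nss_inc"  "$builddir/include/nss"  || return 1
    [ -e "$builddir/include/nspr" ] || ln -s "$nspr_inc" "$builddir/include/nspr" || return 1

    # sanity check: one representative header from each library must be
    # reachable through the symlink (ssl.h and nspr.h chosen by me)
    [ -f "$builddir/include/nss/ssl.h" ] && [ -f "$builddir/include/nspr/nspr.h" ]
}

# Extra CFLAGS that tell OpenLDAP's sources to use the MozNSS TLS backend
# and where its headers live. Printed as one quoted-ready string.
moznss_cflags() {
    nss_inc=${1:-/usr/include/nss3}
    nspr_inc=${2:-/usr/include/nspr4}
    printf '%s\n' "-I$nss_inc -I$nspr_inc -DHAVE_TLS -DHAVE_MOZNSS"
}

# Libraries that must be linked in place of libssl/libcrypto.
moznss_libs() {
    printf '%s\n' "-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
}

# Usage (from the directory that contains ol2.4.23/):
#   setup_moznss_includes build || exit 1
#   cd build
#   LIBS="$(moznss_libs)" CFLAGS="-g -pipe -Wall $(moznss_cflags)" \
#       ../ol2.4.23/configure --with-tls=no
```

Because `--with-tls=no` keeps configure from probing for OpenSSL or GnuTLS, the `-DHAVE_TLS -DHAVE_MOZNSS` defines are what switch the TLS backend on; if either string loses its quotes the build silently falls back to no TLS at all, which is the failure worth checking for with `ldd slapd | grep nss3` once the link finishes.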
Re: MoNSS support in openldap

2010-09-28 Thread Silvan Marco Fin
Thanks for your input, currently I'm trying to get it working with the
description supplied here.

On 27.09.2010 22:38, Howard Chu wrote:

>> doesn't seem to be a configure switch to enable NSS, like with Gnutls or
>
> There is no switch for it at this time.
>
> And that is because currently MozNSS cannot be used transparently as a
> drop-in replacement for OpenSSL or GnuTLS. Once the MozNSS folks get
> their PEM handler into their mainline code, it ought to work reasonably
> transparently, and at that point we may provide a configure switch for
> it. For now, we do not endorse or support it.

Perhaps I can give you some additional reason to support NSS: MozNSS has
the certdb thing and PKCS11 support. We (that is my company: kernel
concepts) want to get evolution's ldap backend to support client side
certificates from software and hardware tokens and that is exactly what
MozNSS provides out of the box. OpenSSL currently lacks PKCS11 support
completely (AFAIK) and Gnutls support for PKCS11 is very new, so our
goal is to get everything we need out of NSS.

 Kind regards,
  Silvan





Re: MoNSS support in openldap

2010-09-28 Thread Howard Chu

Silvan Marco Fin wrote:

> Thanks for your input, currently I'm trying to get it working with the
> description supplied here.
>
> On 27.09.2010 22:38, Howard Chu wrote:
>
>>> doesn't seem to be a configure switch to enable NSS, like with Gnutls or
>>
>> There is no switch for it at this time.
>>
>> And that is because currently MozNSS cannot be used transparently as a
>> drop-in replacement for OpenSSL or GnuTLS. Once the MozNSS folks get
>> their PEM handler into their mainline code, it ought to work reasonably
>> transparently, and at that point we may provide a configure switch for
>> it. For now, we do not endorse or support it.
>
> Perhaps I can give you some additional reason to support NSS: MozNSS has
> the certdb thing and PKCS11 support. We (that is my company: kernel
> concepts) want to get evolution's ldap backend to support client side
> certificates from software and hardware tokens and that is exactly what
> MozNSS provides out of the box. OpenSSL currently lacks PKCS11 support
> completely (AFAIK) and Gnutls support for PKCS11 is very new, so our
> goal is to get everything we need out of NSS.


OpenSSL has had PKCS11 support since at least 2001. It's usually packaged by 
distros and ready to use, e.g.


https://launchpad.net/ubuntu/karmic/+package/libengine-pkcs11-openssl

MozNSS still has serious design problems wrt reentrancy and multiple 
independent code bases (programs and libraries) calling into it with different 
config requirements...


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: MoNSS support in openldap

2010-09-28 Thread Silvan Marco Fin
On 28.09.2010 11:15, Howard Chu wrote:

> OpenSSL has had PKCS11 support since at least 2001. It's usually
> packaged by distros and ready to use, e.g.

Interesting! But the PKCS11-Engine is from the OpenSC project and not
contained in the OpenSSL software. But anyway, it's worth a try, thanks
for the hint!




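How the packaged engine Howard points to is actually wired into OpenSSL, as an added example that is not from the thread, from OpenSSL or from OpenSC: the engine_pkcs11 shared object that OpenSC ships (the libengine-pkcs11-openssl package on Ubuntu) is loaded through the openssl.cnf engine section and handed the PKCS#11 module for the token. The two .so paths below are assumptions for a 32-bit Debian/Ubuntu layout of that era and must be taken from your distro's package file list; the section names are conventional and can be changed as long as they stay consistent.

```ini
# Added example: minimal openssl.cnf fragment that loads OpenSC's
# engine_pkcs11 and points it at a PKCS#11 module. Both .so paths are
# assumed and distro-specific.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# engine shipped by libengine-pkcs11-openssl (assumed path)
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# PKCS#11 module for the smart card or software token (assumed path)
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# 0 = initialise lazily on first use; 1 = initialise at load
init = 0
```

With this file selected via the OPENSSL_CONF environment variable, `openssl engine -t pkcs11` reports whether the engine loads and is available; a private key on the token is then referenced by its PKCS#11 URI or slot/id rather than by a file. Keep the token PIN out of this file (the engine accepts one from a `PIN` key, but a world-readable openssl.cnf would then expose it) and let the application prompt instead. Whether a particular library picks the engine up depends on whether it loads OpenSSL's configuration at all, which is exactly the integration question the thread leaves open for libldap.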

Re: MoNSS support in openldap

2010-09-27 Thread Howard Chu

Quanah Gibson-Mount wrote:

> --On Friday, September 24, 2010 7:25 PM +0200 Silvan Marco Fin
> sil...@kernelconcepts.de  wrote:
>
>> Hi!
>>
>> Is there any magic to be cast upon openldap to enable the MozNSS
>> support when compiling it? Perhaps I'm missing something, but there
>> doesn't seem to be a configure switch to enable NSS, like with Gnutls or
>> OpenSSL.
>
> There is no switch for it at this time.


And that is because currently MozNSS cannot be used transparently as a drop-in 
replacement for OpenSSL or GnuTLS. Once the MozNSS folks get their PEM handler 
into their mainline code, it ought to work reasonably transparently, and at 
that point we may provide a configure switch for it. For now, we do not 
endorse or support it.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/