On 17.04.2015 02:32, Ryan Tandy wrote:
> On Wed, Apr 15, 2015 at 06:45:39PM +0200, Holger Levsen wrote:
>> to build the openldap package against libnss3-dev, one has to:
>>
>> - in debian/control: replace the build-dependency on libgnutls28-dev with
>>   libnss3-dev
>> - in debian/configure.options: use --with-tls=moznss (instead of --with-tls)
>>   and also add the line "CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr
>>   LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss" somewhere.
>>
>> With that the build still fails with
>>
>> smbk5pwd.c:1073:4: warning: too many arguments for format [-Wformat-extra-args]
>> smbk5pwd.c:968:2: warning: variable 'dummy_ad' set but not used [-Wunused-but-set-variable]
>>   dummy_ad;
>>   ^
>> Makefile:50: recipe for target 'smbk5pwd.lo' failed
>> make[2]: *** [smbk5pwd.lo] Error 1
>> make[2]: Leaving directory './openldap-2.4.40+dfsg/contrib/slapd-modules/smbk5pwd'
>>
>> but that should be easy to work around by not building the slapd packages or
>> contrib modules (as freeipa-server users won't need slapd anyway...)
>
> The attached debdiff replaces gnutls with nss but continues building
> smbk5pwd with nettle. AFAICT the result works properly, smbk5pwd included.
>
> I didn't try importing Fedora's patches, but noted that several were
> upstreamed already, and more were submitted and await review.
>
> Looks like Debian's nss doesn't support loading PEM certificates at
> runtime yet: #726116. My knee-jerk reaction is that I dislike the idea
> of changing the default libldap to moznss before resolving that.
> Migrating slapd's server certificates and CA certificates mentioned in
> ldap.conf is possible, with some work; but we'd also be breaking any
> clients configured for particular PEM certificates. It would be a lot
> nicer if existing setups could keep working.
>
> I only spent a few minutes on this, didn't look yet at whether building
> a second libldap for freeipa's use is feasible. Timo, how far did you
> get on that when you looked at it previously?

Actually, I pushed a hacked-up libldap to my openldap git on alioth yesterday, but forgot to update this bug, oops:

git://git.debian.org/git/users/tjaalton/openldap.git

It doesn't build anything other than libldap & ldap-utils, and includes the applicable Fedora patches (yes, three of them were upstream already) minus the autoconf one, which gave me some pain. If it's ok for you, we could have a branch on the official pkg repo so folks that need to build their own packages could use that as the base.

I don't think fixing this bug by switching to build against moznss makes much sense for Debian, because the need for it is going away once Freeipa ditches using ldap+tls connections altogether, which is currently only used in the replication process. Once that's rewritten and using GSSAPI (in 4.2?) we'd be fine. That might still leave plain 389-ds-base multimaster replication in the dust though, but I'm not interested in that personally..

Building a second libldap against moznss might be possible, but looks icky..

> Also, do you know anything about the thought process behind the recent
> (and then reverted) switch to openssl in Fedora? Are they planning to
> move away from moznss?

Nah, I guess that was some kind of frustration by the maintainer, did that without any discussion and it caused some "concern" on #freeipa at the time :)

-- 
t