Date: Tue, 14 Jan 2014 14:19:05 +0000 (UTC) From: Dag-Erling Smørgrav <des@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r339687 - in head/net/nss_ldap: . files Message-ID: <201401141419.s0EEJ592091759@svn.freebsd.org>
Author: des
Date: Tue Jan 14 14:19:05 2014
New Revision: 339687
URL: http://svnweb.freebsd.org/changeset/ports/339687

Log:
  Functional changes:
  - Add a SASL port option
  - Fix the KERBEROS ports option - it was a no-op, setting a configure flag which modifies how Kerberos was used without setting the flag that actually enables it.
  - Use GSSAPI instead of $ENV{KRB5CCNAME} to set the credential cache. The latter pollutes the unsuspecting application's environment and does not always work (for instance, it breaks when nss_ldap is invoked from OpenSSH, although I haven't quite determined why)
  - Add patches to support Heimdal in addition to MIT Kerberos. Note that I tried to ensure that the code is unchanged in the non-Heimdal case, but that I have no way of testing with MIT Kerberos.
  With the above changes, I have successfully configured a FreeBSD 9.2 server to authenticate users against a Microsoft Windows 2012 Active Directory server.
  Non-functional changes:
  - Modernize and stagify
  - Remove text in pkg-message about a change that was made ten years ago
  - Take maintainership as current maintainer has been AWOL for 2+ years
  - Bump PORTREVISION

  Approved by: maintainer hasn't been heard of for 2+ years

Added:
  head/net/nss_ldap/files/patch-ldap-init-krb5-cache.c (contents, props changed)
  head/net/nss_ldap/files/patch-ldap-nss.h (contents, props changed)
Modified:
  head/net/nss_ldap/Makefile
  head/net/nss_ldap/files/patch-configure.in
  head/net/nss_ldap/files/patch-ldap-nss.c
  head/net/nss_ldap/files/pkg-message.in

Modified: head/net/nss_ldap/Makefile
==============================================================================
--- head/net/nss_ldap/Makefile	Tue Jan 14 14:16:13 2014	(r339686)
+++ head/net/nss_ldap/Makefile	Tue Jan 14 14:19:05 2014	(r339687)
@@ -3,13 +3,13 @@
 PORTNAME=	nss_ldap
 PORTVERSION=	1.${NSS_LDAP_VERSION}
-PORTREVISION=	7
+PORTREVISION=	8
 CATEGORIES=	net
 MASTER_SITES=	http://www.padl.com/download/ \
 		LOCAL/martymac
 DISTNAME=	${PORTNAME}-${NSS_LDAP_VERSION}
-MAINTAINER=	mikeg@bsd-box.net
+MAINTAINER=	des@FreeBSD.org
 COMMENT=	RFC 2307 NSS module
 LICENSE=	GPLv2
@@ -24,11 +24,13 @@
 AUTOMAKE_ARGS=	--add-missing
 USE_LDCONFIG=	yes
 USE_OPENLDAP=	yes
-OPTIONS_DEFINE=	LCLASS KERBEROS
+OPTIONS_DEFINE=	LCLASS KERBEROS SASL
 OPTIONS_DEFAULT=LCLASS KERBEROS
 LCLASS_DESC=	Enable login classes via the loginClass attribute
+SASL_DESC=	Use the SASL-enabled version of OpenLDAP
+
 CPPFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib -Wl,-rpath,${LOCALBASE}/lib
@@ -41,17 +43,21 @@
 MAN5=		nss_ldap.5
 SUB_FILES=	pkg-message
-NO_STAGE=	yes
 .include <bsd.port.options.mk>
 .if ${PORT_OPTIONS:MKERBEROS}
-CONFIGURE_ARGS+=--enable-configurable-krb5-ccname-env
+CONFIGURE_ARGS+=--enable-configurable-krb5-ccname-gssapi \
+		--enable-configurable-krb5-keytab
 .endif
 .if ${PORT_OPTIONS:MLCLASS}
 CFLAGS+="-DHAVE_LOGIN_CLASSES"
 .endif
+.if ${PORT_OPTIONS:MSASL}
+WANT_OPENLDAP_SASL = YES
+.endif
+
 post-extract:
 	${CP} ${FILESDIR}/bsdnss.c ${WRKSRC}
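Review bot: The KERBEROS option now passes `--enable-configurable-krb5-ccname-gssapi` and `--enable-configurable-krb5-keytab`, but the hunk adds no dependency on a Kerberos or GSSAPI provider, so which krb5.h and GSSAPI library configure finds depends on what happens to be installed at build time; with `CPPFLAGS+= -I${LOCALBASE}/include` already set, a ports MIT Kerberos would presumably shadow the base-system Heimdal headers, and the log says the MIT path is untested. A one-line comment naming the intended provider, e.g. `# KERBEROS builds against the base-system Heimdal; a Kerberos in ${LOCALBASE} takes precedence via CPPFLAGS`, or an explicit dependency, would make the build reproducible. The SASL option only sets `WANT_OPENLDAP_SASL = YES`; whether nss_ldap's configure also needs a SASL switch is not visible here.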
@@ -73,16 +79,8 @@
 post-configure:
 	@${ECHO} "#define HAVE_RESOLV_H 1" >> ${WRKSRC}/config.h
 do-install:
-	${INSTALL_PROGRAM} ${WRKSRC}/nss_ldap.so ${PREFIX}/lib/nss_ldap.so.1
-	${INSTALL_DATA} ${WRKSRC}/ldap.conf ${PREFIX}/etc/nss_ldap.conf.sample
-	${INSTALL_MAN} ${WRKSRC}/${MAN5} ${MAN5PREFIX}/man/man5
-
-post-install:
-	@if [ ! -f ${PREFIX}/etc/nss_ldap.conf ]; then \
-		${CP} -pv ${PREFIX}/etc/nss_ldap.conf.sample ${PREFIX}/etc/nss_ldap.conf ; \
-	fi
-.if !defined(PACKAGE_BUILDING)
-	@${CAT} ${PKGMESSAGE}
-.endif
+	${INSTALL_PROGRAM} ${WRKSRC}/nss_ldap.so ${STAGEDIR}/${PREFIX}/lib/nss_ldap.so.1
+	${INSTALL_DATA} ${WRKSRC}/ldap.conf ${STAGEDIR}/${PREFIX}/etc/nss_ldap.conf.sample
+	${INSTALL_MAN} ${WRKSRC}/${MAN5} ${STAGEDIR}/${MAN5PREFIX}/man/man5
 .include <bsd.port.mk>

Modified: head/net/nss_ldap/files/patch-configure.in
==============================================================================
--- head/net/nss_ldap/files/patch-configure.in	Tue Jan 14 14:16:13 2014	(r339686)
+++ head/net/nss_ldap/files/patch-configure.in	Tue Jan 14 14:19:05 2014	(r339687)
@@ -1,6 +1,6 @@
---- configure.in.orig	2007-10-29 06:30:12.000000000 -0700
-+++ configure.in	2008-09-26 20:38:20.000000000 -0700
-@@ -96,11 +96,15 @@
+--- configure.in.orig
++++ configure.in
+@@ -97,11 +97,15 @@
  linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
  *) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic" ;;
  esac
@@ -16,7 +16,7 @@
  AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$nss_ldap_so_LD")
-@@ -152,7 +156,6 @@
+@@ -153,7 +157,6 @@
  aix*) AC_CHECK_HEADERS(irs.h usersec.h) ;;
  hpux*) AC_CHECK_HEADERS(nsswitch.h) ;;
  *) AC_CHECK_HEADERS(nss.h)
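Review bot: The removed post-install target created `${PREFIX}/etc/nss_ldap.conf` from the sample when it was missing, and the new staged do-install installs only `nss_ldap.conf.sample`; unless pkg-plist (not part of this commit) registers it with `@sample`, a fresh install ships no nss_ldap.conf while pkg-message still points users at that path. Either add `@sample etc/nss_ldap.conf.sample` to pkg-plist or say in pkg-message that the sample has to be copied by hand. Dropping the `@${CAT} ${PKGMESSAGE}` lines is presumably fine, since after stagify the framework displays pkg-message itself.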
@@ -24,7 +24,21 @@
  AC_CHECK_HEADERS(irs.h) ;;
  esac
  AC_CHECK_HEADERS(thread.h)
-@@ -227,7 +230,6 @@
+@@ -188,6 +191,13 @@
+ AC_CHECK_HEADERS(gssapi/gssapi_krb5.h gssapi.h)
+ AC_CHECK_HEADERS(krb5.h)
+ 
++AC_MSG_CHECKING([if Kerberos is Heimdal])
++AC_TRY_LINK([#include <krb5.h>],
++	[const char hv = heimdal_version;],
++	[AC_MSG_RESULT(yes)
++	 AC_DEFINE(HEIMDAL,1,[Define if Kerberos is Heimdal])],
++	[AC_MSG_RESULT(no)])
++
+ AC_CHECK_LIB(resolv, main)
+ AC_CHECK_LIB(nsl, main)
+ AC_CHECK_LIB(socket, main)
+@@ -230,7 +240,6 @@
  AC_CHECK_FUNCS(gethostbyname)
  AC_CHECK_FUNCS(nsdispatch)
  AC_CHECK_LIB(pthread_nonshared, main)

Added: head/net/nss_ldap/files/patch-ldap-init-krb5-cache.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/nss_ldap/files/patch-ldap-init-krb5-cache.c	Tue Jan 14 14:19:05 2014	(r339687)
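Review bot: `[const char hv = heimdal_version;]` in the new AC_TRY_LINK initialises a single `char` from `heimdal_version`, which Heimdal exports as a character array, so the probe only answers "yes" because the compiler downgrades the pointer-to-integer conversion to a warning; under -Werror, or with a compiler that rejects that conversion outright, the check answers "no" on a Heimdal system and the build then takes the non-HEIMDAL branches of patch-ldap-init-krb5-cache.c, which call the two-argument MIT `krb5_kt_get_type`. Declaring a pointer, `[const char *hv = heimdal_version;]`, tests the same symbol without relying on the conversion. A short comment above the probe saying that HEIMDAL selects the alternate keytab-type and name-freeing code paths would also help whoever next touches the Kerberos option.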
@@ -0,0 +1,62 @@
+--- ldap-init-krb5-cache.c.orig
++++ ldap-init-krb5-cache.c
+@@ -109,6 +109,10 @@
+ #include <gssapi/gssapi.h>
+ #include <gssapi/gssapi_krb5.h>
+ 
++#ifndef HOST_NAME_MAX
++#define HOST_NAME_MAX 1024
++#endif
++
+ #define MAX_RENEW_TIME "365d"
+ 
+ #define KT_PATH_MAX 256
+@@ -213,14 +217,25 @@
+ {
+   krb5_error_code code = 0;
+   krb5_keytab __keytab;
++#ifdef HEIMDAL
++  char kttypebuf[KRB5_KT_PREFIX_MAX_LEN];
++  size_t kttypesize = sizeof kttypebuf;
++#endif
++  char *kttype;
+ 
+   debug ("==> krb5_cache_kt_is_accessible: ktname %s", __ktname);
+   assert (context != NULL);
+   if (!(code = krb5_kt_resolve (context, __ktname, &__keytab)))
+     {
++#ifdef HEIMDAL
++      krb5_kt_get_type (context, __keytab, kttypebuf, kttypesize);
++      kttype = kttypebuf;
++#else
++      kttype = krb5_kt_get_type (context, __keytab);
++#endif
+       debug ("==> krb5_cache_kt_is_accessible: resolved ktname %s - %s",
+-             __ktname, krb5_kt_get_type (context, __keytab));
+-      if (strcmp ("FILE", krb5_kt_get_type (context, __keytab)) == 0)
++             __ktname, kttype);
++      if (strcmp ("FILE", kttype) == 0)
+         {
+           debug ("==> krb5_cache_kt_is_accessible: kt type = FILE");
+           uid_t ruid = getuid ();
+@@ -542,7 +557,7 @@
+     }
+   profile_release (profile);
+ #else
+-  skew = context->max_skew;
++  /* skew = context->max_skew; */
+ #endif
+   ccname = krb5_cache_get_ccname (config);
+   debug ("==> krb5_cache_setup: credential cache name %s",
+@@ -671,7 +686,11 @@
+                ccname ? ccname : "NULL");
+     }
+   }
++#ifdef HEIMDAL
++  free (principal_name);
++#else
+   krb5_free_unparsed_name (context, principal_name);
++#endif
+   }
+ }
+

Modified: head/net/nss_ldap/files/patch-ldap-nss.c
==============================================================================
--- head/net/nss_ldap/files/patch-ldap-nss.c	Tue Jan 14 14:16:13 2014	(r339686)
+++ head/net/nss_ldap/files/patch-ldap-nss.c	Tue Jan 14 14:19:05 2014	(r339687)
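Review bot: In the new HEIMDAL branch of krb5_cache_kt_is_accessible the result of `krb5_kt_get_type (context, __keytab, kttypebuf, kttypesize);` is discarded; if that call fails, `kttypebuf` still holds indeterminate stack bytes and the following `debug` and `strcmp ("FILE", kttype)` read an unterminated buffer, so the FILE-keytab ownership checks that follow are decided on garbage instead of on a reported error. Initialise the buffer at its declaration, `char kttypebuf[KRB5_KT_PREFIX_MAX_LEN] = "";`, and assign the return value, `code = krb5_kt_get_type (context, __keytab, kttypebuf, kttypesize);`, so the function's existing error handling, which lies outside the hunk, sees the failure. Commenting out `skew = context->max_skew;` leaves `skew` at whatever value it had before, which this hunk does not show; if I recall the Heimdal API correctly the value is available as `krb5_get_max_time_skew (context)`, which would keep the skew check meaningful rather than silently disabling it, and either way a comment stating the intended value is needed. `free (principal_name)` under HEIMDAL matches the malloc-based allocation of Heimdal's krb5_unparse_name; a one-line comment saying so next to the `#ifdef` would save the next reader from checking.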
@@ -1,5 +1,5 @@
---- ldap-nss.c.orig	Sat May 27 16:23:40 2006
-+++ ldap-nss.c	Sat May 27 16:23:52 2006
+--- ldap-nss.c.orig
++++ ldap-nss.c
 @@ -69,7 +69,7 @@
  #endif
@@ -9,3 +9,18 @@
  #include <sasl/sasl.h>
  #elif defined(HAVE_SASL_H)
  #include <sasl.h>
+@@ -78,11 +78,11 @@
+ #ifndef HAVE_SNPRINTF
+ #include "snprintf.h"
+ #endif
+-#ifdef HAVE_GSSAPI_H
+-#include <gssapi.h>
+-#elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
++#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
+ #include <gssapi/gssapi.h>
+ #include <gssapi/gssapi_krb5.h>
++#elif defined(HAVE_GSSAPI_H)
++#include <gssapi.h>
+ #endif
+ #ifdef CONFIGURE_KRB5_CCNAME
+ #include <krb5.h>

Added: head/net/nss_ldap/files/patch-ldap-nss.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/nss_ldap/files/patch-ldap-nss.h	Tue Jan 14 14:19:05 2014	(r339687)
@@ -0,0 +1,12 @@
+--- ldap-nss.h.orig
++++ ldap-nss.h
+@@ -923,6 +923,8 @@
+ int _nss_ldap_get_ld_errno (char **m, char **s);
+ 
+ #ifdef CONFIGURE_KRB5_KEYTAB
+-int do_init_krb5_cache(ldap_config_t *config);
++int do_init_krb5_cache (ldap_config_t *config);
++int do_select_krb5_cache (ldap_config_t * config);
++int do_restore_krb5_cache (ldap_config_t * config);
+ #endif /* CONFIGURE_KRB5_KEYTAB */
+ #endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */

Modified: head/net/nss_ldap/files/pkg-message.in
==============================================================================
--- head/net/nss_ldap/files/pkg-message.in	Tue Jan 14 14:16:13 2014	(r339686)
+++ head/net/nss_ldap/files/pkg-message.in	Tue Jan 14 14:19:05 2014	(r339687)
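Review bot: The three prototypes added to ldap-nss.h mix `ldap_config_t *config` and `ldap_config_t * config` on adjacent lines; pick one spelling, `int do_select_krb5_cache (ldap_config_t *config);` and `int do_restore_krb5_cache (ldap_config_t *config);`, to match the line above them. This commit adds no definitions for do_select_krb5_cache and do_restore_krb5_cache, so presumably they already exist in the upstream ldap-init-krb5-cache.c; a comment next to the prototypes saying where they are defined and that they bracket the GSSAPI credential-cache switch would help the next reader. The ldap-nss.c hunk now prefers gssapi/gssapi_krb5.h over gssapi.h, consistent with ldap-init-krb5-cache.c.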
@@ -4,12 +4,4 @@
 following paths:
 LDAP configuration:	%%PREFIX%%/etc/nss_ldap.conf
 LDAP secret (optional):	%%PREFIX%%/etc/nss_ldap.secret
-
-
-WARNING: For users of previous versions of this port:
-WARNING:
-WARNING: Previous versions of this port expected configuration files
-WARNING: to be located at /etc/ldap.conf and /etc/ldap.secret. You
-WARNING: may need to move these configuration files to their new
-WARNING: location specified above.
 =====================================================================