Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 21 Dec 2015 17:56:40 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 205493] net/freeradius3: Does not link properly against selected kerberos implementation
Message-ID:  <bug-205493-13@https.bugs.freebsd.org/bugzilla/>

next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205493

            Bug ID: 205493
           Summary: net/freeradius3: Does not link properly against
                    selected kerberos implementation
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: zi@FreeBSD.org
          Reporter: freebsd@simweb.ch
             Flags: maintainer-feedback?(zi@FreeBSD.org)
          Assignee: zi@FreeBSD.org

Created attachment 164463
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=164463&action=edit
Patch net/freeradius3/Makefile to fix/improve kerberos selection.

Hi

net/freeradius3 seems to link always against Heimdal kerberos in base as soon
as one of the 3 possible options is enabled. The issue is already visible 'make
stage':

# HEIMDAL
# ldd work/stage/usr/local/lib/freeradius-3.0.10/rlm_krb5.so
work/stage/usr/local/lib/freeradius-3.0.10/rlm_krb5.so:
        libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801604000)
-> OK.

HEIMDAL_PORT: Builds but doesn't find the library and thus no rlm_krb5.so is
built

KERBEROS: stops with an error when building rlm_krb5, I haven't dug deeper
there.

The main cause is due to an upstream change which changed the Kerberos
parameters starting with 3.0.1. 3.0.0 used the same options as are still valid
with 2.2.9, not 3.0.1 onwards.* The relevant file in the FreeRADIUS source is
src/modules/rlm_krb5/configure(.ac), the option is not revealed by 'configure
--help'

I'd propose to make a selection group which makes it impossible to chose
more than 1 Kerberos implementation, but still allows disabling rlm_krb5
entirely.

The dependency was changed with the following idea:
HEIMDAL_BASE: libkrb5.so*.26*, otherwise the dependency is fullfilled by
librkrb5.so in base

After the modifications:
# HEIMDAL (test with and without security/heimdal installed)
# ldd work/stage/usr/local/lib/freeradius-3.0.10/rlm_krb5.so
work/stage/usr/local/lib/freeradius-3.0.10/rlm_krb5.so:
        libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801604000)
[...]

# HEIMDAL_PORT (security/heimdal installed, security/krb5 absend as they
conflict)
# ldd work/stage/usr/local/lib/freeradius-3.0.10/rlm_krb5.so
work/stage/usr/local/lib/freeradius-3.0.10/rlm_krb5.so:
        libkrb5.so.26 => /usr/local/lib/heimdal/libkrb5.so.26 (0x801604000)
[...]

# KERBEROS (security/krb5 instaled, security/heimdal absend as they conflict)
# ldd work/stage/usr/local/lib/freeradius-3.0.10/rlm_krb5.so
work/stage/usr/local/lib/freeradius-3.0.10/rlm_krb5.so:
        libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x801604000)
[...]

There is still 1 corner case which I don't know how to fix yet:
If the system has krb5 installed from ports/packages but the port is built with
HEIMDAL from base it gets confused and fails to build.

Upstream has said that usually there should not be 2 different Kerberos
libraries and currently I don't know where the exception should be handled
best.

-- Mathieu

* Here is the commit from back then:
https://github.com/FreeRADIUS/freeradius-server/commit/7889d4b840920526b4598422771617d389ea5ab7

-- 
You are receiving this mail because:
You are the assignee for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-205493-13>