authorW. Michael Petullo <mike@flyn.org>2008-05-01 09:57:32 -0400
committerSimo Sorce <ssorce@redhat.com>2008-05-01 09:59:43 -0400
commit29ddbc610ccc14eb70dcb7ffde7c1f5cc2b95203 (patch)
tree39e068a8915beb83b88baa8bb652c0d6cfe02f95 /ipa-client
parent274eb708c28abf25087c3656ec93370c2000efd3 (diff)
This patch begins the process of replacing OpenLDAP with mozldap.
FreeIPA relies on Red Hat's Directory Server, which uses mozldap. A FreeIPA build using mozldap would reduce the project's dependencies and redundant code. In addition, mozldap uses NSS instead of OpenSSL. This is beneficial for the reasons listed in [1]. [1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation
Diffstat (limited to 'ipa-client')
-rw-r--r--ipa-client/Makefile.am6
-rw-r--r--ipa-client/configure.ac67
-rw-r--r--ipa-client/ipa-getkeytab.c24
3 files changed, 49 insertions, 48 deletions
diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am
index 3379eea8c..639dbb813 100644
--- a/ipa-client/Makefile.am
+++ b/ipa-client/Makefile.am
@@ -13,7 +13,8 @@ INCLUDES = \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
$(KRB5_CFLAGS) \
- $(LDAP_CFLAGS) \
+ $(OPENLDAP_CFLAGS) \
+ $(MOZLDAP_CFLAGS) \
$(SASL_CFLAGS) \
$(POPT_CFLAGS) \
$(WARN_CFLAGS) \
@@ -29,7 +30,8 @@ ipa_getkeytab_SOURCES = \
ipa_getkeytab_LDADD = \
$(KRB5_LIBS) \
- $(LDAP_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(MOZLDAP_LIBS) \
$(SASL_LIBS) \
$(POPT_LIBS) \
$(NULL)
diff --git a/ipa-client/configure.ac b/ipa-client/configure.ac
index 5718f8fe0..c9dbdfae3 100644
--- a/ipa-client/configure.ac
+++ b/ipa-client/configure.ac
@@ -82,42 +82,47 @@ fi
AC_SUBST(KRB5_LIBS)
dnl ---------------------------------------------------------------------------
-dnl - Check for LDAP
+dnl - Check for Mozilla LDAP or OpenLDAP SDK
dnl ---------------------------------------------------------------------------
-LDAP_LIBS=
-AC_CHECK_HEADER(ldap.h)
-AC_CHECK_HEADER(lber.h)
-
-AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
-dnl Check for other libraries we need to link with to get the main routines.
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
-dnl Recently, we need -lber even though the main routines are elsewhere,
-dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just
-dnl check for that (it's a variable not a fun but that doesn't seem to
-dnl matter in these checks) and stick in -lber if so. Can't hurt (even to
-dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
-dnl #### understands LDAP needs to fix this properly.
-test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
-
-if test "$with_ldap" = "yes"; then
- if test "$with_ldap_des" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -ldes"
- fi
- if test "$with_ldap_krb" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -lkrb"
- fi
- if test "$with_ldap_lber" = "yes" ; then
- LDAP_LIBS="${LDAP_LIBS} -llber"
- fi
- LDAP_LIBS="${LDAP_LIBS} -lldap"
+AC_ARG_WITH(openldap, [ --with-openldap Use OpenLDAP])
+
+if test x$with_openldap = xyes; then
+ AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
+ dnl Check for other libraries we need to link with to get the main routines.
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+ dnl Recently, we need -lber even though the main routines are elsewhere,
+ dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just
+ dnl check for that (it's a variable not a fun but that doesn't seem to
+ dnl matter in these checks) and stick in -lber if so. Can't hurt (even to
+ dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+ dnl #### understands LDAP needs to fix this properly.
+ test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+
+ if test "$with_ldap" = "yes"; then
+ if test "$with_ldap_des" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes"
+ fi
+ if test "$with_ldap_krb" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb"
+ fi
+ if test "$with_ldap_lber" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
+ fi
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
+ else
+ AC_MSG_ERROR([OpenLDAP not found])
+ fi
+
+ AC_SUBST(OPENLDAP_LIBS)
else
- AC_MSG_ERROR([LDAP not found])
+ PKG_CHECK_MODULES(MOZLDAP, mozldap > 6)
+ MOZLDAP_CFLAGS="${MOZLDAP_CFLAGS} -DWITH_MOZLDAP"
+ AC_SUBST(MOZLDAP_CFLAGS)
fi
-AC_SUBST(LDAP_LIBS)
dnl ---------------------------------------------------------------------------
dnl - Check for POPT
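Review bot: `OPENLDAP_LIBS` is only ever appended to in the `--with-openldap` branch, and the `LDAP_LIBS=` reset that the old code started with has no replacement, so any value the variable carries in from the configure environment ends up on the ipa-getkeytab link line. Adding `OPENLDAP_LIBS=` before the first `AC_CHECK_LIB` would restore the old behaviour. The switch test is also unquoted; `if test "x$with_openldap" = xyes; then` keeps a value containing spaces from breaking `test`. The `AC_CHECK_HEADER(ldap.h)` and `AC_CHECK_HEADER(lber.h)` probes were dropped rather than moved into this branch, so a missing OpenLDAP header would now surface at compile time instead of at configure time.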
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 28859a7f6..96426509a 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -31,7 +31,11 @@
#include <errno.h>
#include <time.h>
#include <krb5.h>
+#ifdef WITH_MOZLDAP
+#include <mozldap/ldap.h>
+#else
#include <ldap.h>
+#endif
#include <sasl/sasl.h>
#include <popt.h>
@@ -275,7 +279,6 @@ static int ldap_set_keytab(const char *servername,
BerElement *ctrl = NULL;
BerElement *sctrl = NULL;
struct berval *control = NULL;
- char *ldap_uri = NULL;
struct berval **ncvals;
char *ldap_base = NULL;
char *retoid = NULL;
@@ -306,23 +309,16 @@ static int ldap_set_keytab(const char *servername,
goto error_out;
}
- /* connect to ldap server */
- ret = asprintf(&ldap_uri, "ldap://%s:389", servername);
- if (ret == -1) {
- fprintf(stderr, "Unable to determine server URI!\n");
- goto error_out;
- }
-
/* TODO: support referrals ? */
- ret = ldap_initialize(&ld, ldap_uri);
- if(ret != LDAP_SUCCESS) {
+ ld = ldap_init(servername, 389);
+ if(ld == NULL) {
fprintf(stderr, "Unable to initialize ldap library!\n");
goto error_out;
}
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
- if (ret != LDAP_OPT_SUCCESS) {
+ if (ret != LDAP_SUCCESS) {
fprintf(stderr, "Unable to set ldap options!\n");
goto error_out;
}
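Review bot: `ld = ldap_init(servername, 389);` is compiled for both backends, but OpenLDAP's `ldap.h` declares `ldap_init` only when `LDAP_DEPRECATED` is defined, and nothing visible in this commit defines it for the `--with-openldap` build. If that holds, the call is implicitly declared as returning `int`, and the pointer stored in `ld` can be truncated on 64-bit targets; adding `#define LDAP_DEPRECATED 1` ahead of `#include <ldap.h>` in the `#else` branch of the include hunk would close that. The session is also set up for plain LDAP on a fixed port 389, and no TLS option is set in the lines shown. Since the function's name suggests it transfers keytab material, it is worth confirming that the bind later in `ldap_set_keytab`, which starts and ends outside this hunk, negotiates an integrity and confidentiality layer, and documenting that requirement in a comment above the `ldap_init` call.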
@@ -427,8 +423,7 @@ static int ldap_set_keytab(const char *servername,
ber_free(sctrl, 1);
ldap_controls_free(srvctrl);
ldap_msgfree(res);
- ldap_unbind_ext_s(ld, NULL, NULL);
- free(ldap_uri);
+ ldap_unbind_ext(ld, NULL, NULL);
return kvno;
error_out:
@@ -436,8 +431,7 @@ error_out:
if (srvctrl) ldap_controls_free(srvctrl);
if (err) ldap_memfree(err);
if (res) ldap_msgfree(res);
- if (ld) ldap_unbind_ext_s(ld, NULL, NULL);
- if (ldap_uri) free(ldap_uri);
+ if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
if (encs) free(encs);
return 0;