5 files changed, 60 insertions, 54 deletions
diff --git a/ipa-server/configure.ac b/ipa-server/configure.ac
index 8c610a86..a749098d 100644
--- a/ipa-server/configure.ac
+++ b/ipa-server/configure.ac
@@ -87,48 +87,55 @@ fi
 AC_SUBST(KRB5_LIBS)
 
 dnl ---------------------------------------------------------------------------
-dnl - Check for LDAP
+dnl - Check for Mozilla LDAP or OpenLDAP SDK
 dnl ---------------------------------------------------------------------------
 
-LDAP_LIBS=
-AC_CHECK_HEADER(ldap.h)
-AC_CHECK_HEADER(lber.h)
-
-AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
-dnl Check for other libraries we need to link with to get the main routines.
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
-dnl Recently, we need -lber even though the main routines are elsewhere,
-dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on.  So just
-dnl check for that (it's a variable not a fun but that doesn't seem to
-dnl matter in these checks)  and stick in -lber if so.  Can't hurt (even to
-dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
-dnl #### understands LDAP needs to fix this properly.
-test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
-
-if test "$with_ldap" = "yes"; then
-  if test "$with_ldap_des" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -ldes"
-  fi
-  if test "$with_ldap_krb" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -lkrb"
-  fi
-  if test "$with_ldap_lber" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -llber"
-  fi
-  LDAP_LIBS="${LDAP_LIBS} -lldap"
-else
-  AC_MSG_ERROR([LDAP not found])
-fi
+AC_ARG_WITH(openldap, [  --with-openldap            Use OpenLDAP])
 
-AC_SUBST(LDAP_LIBS)
+dnl The mozldap libraries are always needed because ipa-slapi-plugins/dna/ 
+dnl will not build against OpenLDAP.
+PKG_CHECK_MODULES(MOZLDAP, mozldap > 6)
 
-dnl ---------------------------------------------------------------------------
-dnl - Check for Mozilla LDAP SDK
-dnl ---------------------------------------------------------------------------
+if test x$with_openldap = xyes; then
+	AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
+	dnl Check for other libraries we need to link with to get the main routines.
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+	dnl Recently, we need -lber even though the main routines are elsewhere,
+	dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on.  So just
+	dnl check for that (it's a variable not a fun but that doesn't seem to
+	dnl matter in these checks)  and stick in -lber if so.  Can't hurt (even to
+	dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+	dnl #### understands LDAP needs to fix this properly.
+	test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+	
+	if test "$with_ldap" = "yes"; then
+	  if test "$with_ldap_des" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -ldes"
+	  fi
+	  if test "$with_ldap_krb" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -lkrb"
+	  fi
+	  if test "$with_ldap_lber" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -llber"
+	  fi
+	  LDAP_LIBS="${LDAP_LIBS} -lldap"
+	else
+	  AC_MSG_ERROR([OpenLDAP not found])
+	fi
+	
+	AC_SUBST(LDAP_LIBS)
+
+	LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_OPENLDAP"
+	AC_SUBST(LDAP_CFLAGS)
+else
+	LDAP_LIBS="${MOZLDAP_LIBS}"
+	AC_SUBST(LDAP_LIBS)
 
-PKG_CHECK_MODULES(MOZLDAP, mozldap > 6)
+	LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_MOZLDAP"
+	AC_SUBST(LDAP_CFLAGS)
+fi
 
 dnl ---------------------------------------------------------------------------
 dnl - Check for OpenSSL Crypto library
diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
index 898cffa4..5782367a 100644
--- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c
+++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
@@ -39,13 +39,23 @@
 #include <arpa/inet.h>
 #include <time.h>
 #include <krb5.h>
+#ifdef WITH_MOZLDAP
+#include <mozldap/ldap.h>
+#else
 #include <ldap.h>
+#endif
 #include <sasl/sasl.h>
 
 #define DEFAULT_KEYTAB "FILE:/var/kerberos/krb5kdc/kpasswd.keytab"
 #define TMP_TEMPLATE "/var/cache/ipa/kpasswd/krb5_cc.XXXXXX"
 #define KPASSWD_PORT 464
 
+#ifdef WITH_MOZLDAP
+/* From OpenLDAP's ldap.h */
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID  ((ber_tag_t) 0x80U)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
+#endif
+
 /* blacklist entries are released only BLCAKLIST_TIMEOUT seconds
  * after the children performing the noperation has finished.
  * this is to avoid races */
@@ -310,7 +320,6 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 	struct berval control;
 	struct berval newpw;
 	char hostname[1024];
-	char *ldap_uri = NULL;
 	struct berval **ncvals;
 	char *ldap_base = NULL;
 	char *filter;
@@ -367,17 +376,10 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 		goto done;
 	}
 
-	ret = asprintf(&ldap_uri, "ldap://%s:389", hostname);
-	if (ret == -1) {
-		syslog(LOG_ERR, "Out of memory!");
-		ret = KRB5_KPASSWD_HARDERROR;
-		goto done;
-	}
-
 	/* connect to ldap server */
 	/* TODO: support referrals ? */
-	ret = ldap_initialize(&ld, ldap_uri);
-	if(ret != LDAP_SUCCESS) {
+	ld = ldap_init(hostname, 389);
+	if(ld == NULL) {
 		syslog(LOG_ERR, "Unable to connect to ldap server");
 		ret = KRB5_KPASSWD_HARDERROR;
 		goto done;
@@ -385,7 +387,7 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 
 	version = LDAP_VERSION3;
 	ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
-        if (ret != LDAP_OPT_SUCCESS) {
+        if (ret != LDAP_SUCCESS) {
 		syslog(LOG_ERR, "Unable to set ldap protocol version");
 		ret = KRB5_KPASSWD_HARDERROR;
 		goto done;
@@ -480,11 +482,12 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 		ret = KRB5_KPASSWD_HARDERROR;
 		goto done;
 	}
+
 	ber_printf(ctrl, "{tstON}",
 		   LDAP_TAG_EXOP_MODIFY_PASSWD_ID, userdn,
 		   LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &newpw);
 
-	ret = ber_flatten2(ctrl, &control, 0);
+	ret = ber_flatten(ctrl, &control);
 	if (ret < 0) {
 		syslog(LOG_ERR, "ber flattening failed!");
 		ret = KRB5_KPASSWD_HARDERROR;
@@ -645,8 +648,7 @@ done:
 	if (exterr1) free(exterr1);
 	if (exterr2) free(exterr2);
 	if (userdn) free(userdn);
-	if (ld) ldap_unbind_ext_s(ld, NULL, NULL);
-	if (ldap_uri) free(ldap_uri);
+	if (ld) ldap_unbind_ext(ld, NULL, NULL);
 	if (tmp_file) {
 		unlink(tmp_file);
 		free(tmp_file);
diff --git a/ipa-server/ipa-slapi-plugins/dna/Makefile.am b/ipa-server/ipa-slapi-plugins/dna/Makefile.am
index 57a99764..4a54b8d5 100644
--- a/ipa-server/ipa-slapi-plugins/dna/Makefile.am
+++ b/ipa-server/ipa-slapi-plugins/dna/Makefile.am
@@ -9,7 +9,6 @@ INCLUDES =							\
 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
 	-DDATADIR=\""$(datadir)"\"				\
 	$(MOZLDAP_CFLAGS)					\
-	$(LDAP_CFLAGS)						\
 	$(KRB5_CFLAGS)						\
 	$(WARN_CFLAGS)						\
 	$(NULL)
diff --git a/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am b/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am
index 54ddd538..cf084aae 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am
+++ b/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am
@@ -9,7 +9,6 @@ INCLUDES =							\
 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
 	-DDATADIR=\""$(datadir)"\"				\
 	$(MOZLDAP_CFLAGS)					\
-	$(LDAP_CFLAGS)						\
 	$(KRB5_CFLAGS)						\
 	$(WARN_CFLAGS)						\
 	$(NULL)
diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index fea48fdd..540646f0 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -9,7 +9,6 @@ INCLUDES =							\
 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
 	-DDATADIR=\""$(datadir)"\"				\
 	$(MOZLDAP_CFLAGS)					\
-	$(LDAP_CFLAGS)						\
 	$(KRB5_CFLAGS)						\
 	$(SSL_CFLAGS)						\
 	$(WARN_CFLAGS)						\