-rw-r--r-- | ipa-client/Makefile.am | 6 | ||||
-rw-r--r-- | ipa-client/configure.ac | 67 | ||||
-rw-r--r-- | ipa-client/ipa-getkeytab.c | 24 | ||||
-rw-r--r-- | ipa-server/configure.ac | 81 | ||||
-rw-r--r-- | ipa-server/ipa-kpasswd/ipa_kpasswd.c | 30 | ||||
-rw-r--r-- | ipa-server/ipa-slapi-plugins/dna/Makefile.am | 1 | ||||
-rw-r--r-- | ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am | 1 | ||||
-rw-r--r-- | ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 |
8 files changed, 109 insertions, 102 deletions
diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am index 3379eea8c..639dbb813 100644 --- a/ipa-client/Makefile.am +++ b/ipa-client/Makefile.am @@ -13,7 +13,8 @@ INCLUDES = \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(KRB5_CFLAGS) \ - $(LDAP_CFLAGS) \ + $(OPENLDAP_CFLAGS) \ + $(MOZLDAP_CFLAGS) \ $(SASL_CFLAGS) \ $(POPT_CFLAGS) \ $(WARN_CFLAGS) \ @@ -29,7 +30,8 @@ ipa_getkeytab_SOURCES = \ ipa_getkeytab_LDADD = \ $(KRB5_LIBS) \ - $(LDAP_LIBS) \ + $(OPENLDAP_LIBS) \ + $(MOZLDAP_LIBS) \ $(SASL_LIBS) \ $(POPT_LIBS) \ $(NULL) diff --git a/ipa-client/configure.ac b/ipa-client/configure.ac index 5718f8fe0..c9dbdfae3 100644 --- a/ipa-client/configure.ac +++ b/ipa-client/configure.ac 
@@ -82,42 +82,47 @@ fi AC_SUBST(KRB5_LIBS) dnl --------------------------------------------------------------------------- -dnl - Check for LDAP +dnl - Check for Mozilla LDAP or OpenLDAP SDK dnl --------------------------------------------------------------------------- -LDAP_LIBS= -AC_CHECK_HEADER(ldap.h) -AC_CHECK_HEADER(lber.h) - -AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) -dnl Check for other libraries we need to link with to get the main routines. -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } -dnl Recently, we need -lber even though the main routines are elsewhere, -dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just -dnl check for that (it's a variable not a fun but that doesn't seem to -dnl matter in these checks) and stick in -lber if so. Can't hurt (even to -dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who -dnl #### understands LDAP needs to fix this properly. -test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } - -if test "$with_ldap" = "yes"; then - if test "$with_ldap_des" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -ldes" - fi - if test "$with_ldap_krb" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -lkrb" - fi - if test "$with_ldap_lber" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -llber" - fi - LDAP_LIBS="${LDAP_LIBS} -lldap" +AC_ARG_WITH(openldap, [ --with-openldap Use OpenLDAP]) + +if test x$with_openldap = xyes; then + AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) + dnl Check for other libraries we need to link with to get the main routines. 
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } + dnl Recently, we need -lber even though the main routines are elsewhere, + dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just + dnl check for that (it's a variable not a fun but that doesn't seem to + dnl matter in these checks) and stick in -lber if so. Can't hurt (even to + dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who + dnl #### understands LDAP needs to fix this properly. + test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } + + if test "$with_ldap" = "yes"; then + if test "$with_ldap_des" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes" + fi + if test "$with_ldap_krb" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb" + fi + if test "$with_ldap_lber" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber" + fi + OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap" + else + AC_MSG_ERROR([OpenLDAP not found]) + fi + + AC_SUBST(OPENLDAP_LIBS) else - AC_MSG_ERROR([LDAP not found]) + PKG_CHECK_MODULES(MOZLDAP, mozldap > 6) + MOZLDAP_CFLAGS="${MOZLDAP_CFLAGS} -DWITH_MOZLDAP" + AC_SUBST(MOZLDAP_CFLAGS) fi -AC_SUBST(LDAP_LIBS) dnl --------------------------------------------------------------------------- dnl - Check for POPT diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index 28859a7f6..96426509a 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c 
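Review bot: The new `--with-openldap` branch never checks for the OpenLDAP headers — the `AC_CHECK_HEADER(ldap.h)` and `AC_CHECK_HEADER(lber.h)` lines were removed and not re-added inside `if test x$with_openldap = xyes`, so a host with libldap but no development headers configures cleanly and fails only when ipa-getkeytab.c is compiled. Add `AC_CHECK_HEADERS([ldap.h lber.h], [], [AC_MSG_ERROR([OpenLDAP headers not found])])` at the top of the branch. The same branch never sets or substitutes `OPENLDAP_CFLAGS`, which ipa-client/Makefile.am in this commit now references; an `AC_SUBST(OPENLDAP_CFLAGS)` next to `AC_SUBST(OPENLDAP_LIBS)` keeps the two in step even if the value stays empty. Finally, the inherited retries with `-llber -lkrb` and `-llber -lkrb -ldes` will link Kerberos 4 and standalone DES libraries into a Kerberos 5 client whenever they happen to exist on the build host; I would drop those two `AC_CHECK_LIB` lines rather than carry them into the new branch.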
@@ -31,7 +31,11 @@ #include <errno.h> #include <time.h> #include <krb5.h> +#ifdef WITH_MOZLDAP +#include <mozldap/ldap.h> +#else #include <ldap.h> +#endif #include <sasl/sasl.h> #include <popt.h> @@ -275,7 +279,6 @@ static int ldap_set_keytab(const char *servername, BerElement *ctrl = NULL; BerElement *sctrl = NULL; struct berval *control = NULL; - char *ldap_uri = NULL; struct berval **ncvals; char *ldap_base = NULL; char *retoid = NULL; @@ -306,23 +309,16 @@ static int ldap_set_keytab(const char *servername, goto error_out; } - /* connect to ldap server */ - ret = asprintf(&ldap_uri, "ldap://%s:389", servername); - if (ret == -1) { - fprintf(stderr, "Unable to determine server URI!\n"); - goto error_out; - } - /* TODO: support referrals ? */ - ret = ldap_initialize(&ld, ldap_uri); - if(ret != LDAP_SUCCESS) { + ld = ldap_init(servername, 389); + if(ld == NULL) { fprintf(stderr, "Unable to initialize ldap library!\n"); goto error_out; } version = LDAP_VERSION3; ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); - if (ret != LDAP_OPT_SUCCESS) { + if (ret != LDAP_SUCCESS) { fprintf(stderr, "Unable to set ldap options!\n"); goto error_out; } @@ -427,8 +423,7 @@ static int ldap_set_keytab(const char *servername, ber_free(sctrl, 1); ldap_controls_free(srvctrl); ldap_msgfree(res); - ldap_unbind_ext_s(ld, NULL, NULL); - free(ldap_uri); + ldap_unbind_ext(ld, NULL, NULL); return kvno; error_out: @@ -436,8 +431,7 @@ error_out: if (srvctrl) ldap_controls_free(srvctrl); if (err) ldap_memfree(err); if (res) ldap_msgfree(res); - if (ld) ldap_unbind_ext_s(ld, NULL, NULL); - if (ldap_uri) free(ldap_uri); + if (ld) ldap_unbind_ext(ld, NULL, NULL); if (control) ber_bvfree(control); if (encs) free(encs); return 0; diff --git a/ipa-server/configure.ac b/ipa-server/configure.ac index 8c610a860..a749098dc 100644 --- a/ipa-server/configure.ac +++ b/ipa-server/configure.ac 
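Review bot: `ld = ldap_init(servername, 389);` replaces `ldap_initialize()` for both SDKs, but `ldap_init` is the deprecated LDAPv2-era entry point in OpenLDAP and, as far as I recall, its ldap.h only declares it when LDAP_DEPRECATED is defined, so the OpenLDAP build (the `#else` side of the new include guard) ends up compiling against an implicit declaration rather than a prototype. Keep the `WITH_MOZLDAP` guard consistent: use `ldap_init` only under `#ifdef WITH_MOZLDAP` and retain the `ldap_initialize(&ld, ldap_uri)` path otherwise, which means `char *ldap_uri = NULL;` and the two `free(ldap_uri)` calls removed in the -275 and -427/-436 hunks have to come back under the same guard. Separately, both variants still open a cleartext connection to a hard-coded port 389 with no StartTLS; ldap_set_keytab continues outside the hunk, so whether the SASL bind negotiates a confidentiality layer before any key material moves over this connection is worth confirming and stating in a comment at the connect site.
```c
    /* connect to ldap server */
    /* TODO: support referrals ? */
#ifdef WITH_MOZLDAP
    ld = ldap_init(servername, 389);
    if (ld == NULL) {
        fprintf(stderr, "Unable to initialize ldap library!\n");
        goto error_out;
    }
#else
    ret = asprintf(&ldap_uri, "ldap://%s:389", servername);
    if (ret == -1) {
        fprintf(stderr, "Unable to determine server URI!\n");
        goto error_out;
    }
    ret = ldap_initialize(&ld, ldap_uri);
    if (ret != LDAP_SUCCESS) {
        fprintf(stderr, "Unable to initialize ldap library!\n");
        goto error_out;
    }
#endif
    /* … unchanged: LDAP_OPT_PROTOCOL_VERSION and the rest of the function … */
```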
@@ -87,48 +87,55 @@ fi AC_SUBST(KRB5_LIBS) dnl --------------------------------------------------------------------------- -dnl - Check for LDAP +dnl - Check for Mozilla LDAP or OpenLDAP SDK dnl --------------------------------------------------------------------------- -LDAP_LIBS= -AC_CHECK_HEADER(ldap.h) -AC_CHECK_HEADER(lber.h) - -AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) -dnl Check for other libraries we need to link with to get the main routines. -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } -dnl Recently, we need -lber even though the main routines are elsewhere, -dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just -dnl check for that (it's a variable not a fun but that doesn't seem to -dnl matter in these checks) and stick in -lber if so. Can't hurt (even to -dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who -dnl #### understands LDAP needs to fix this properly. -test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } - -if test "$with_ldap" = "yes"; then - if test "$with_ldap_des" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -ldes" - fi - if test "$with_ldap_krb" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -lkrb" - fi - if test "$with_ldap_lber" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -llber" - fi - LDAP_LIBS="${LDAP_LIBS} -lldap" -else - AC_MSG_ERROR([LDAP not found]) -fi +AC_ARG_WITH(openldap, [ --with-openldap Use OpenLDAP]) -AC_SUBST(LDAP_LIBS) +dnl The mozldap libraries are always needed because ipa-slapi-plugins/dna/ +dnl will not build against OpenLDAP. 
+PKG_CHECK_MODULES(MOZLDAP, mozldap > 6) -dnl --------------------------------------------------------------------------- -dnl - Check for Mozilla LDAP SDK -dnl --------------------------------------------------------------------------- +if test x$with_openldap = xyes; then + AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) + dnl Check for other libraries we need to link with to get the main routines. + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } + dnl Recently, we need -lber even though the main routines are elsewhere, + dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just + dnl check for that (it's a variable not a fun but that doesn't seem to + dnl matter in these checks) and stick in -lber if so. Can't hurt (even to + dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who + dnl #### understands LDAP needs to fix this properly. 
+ test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } + + if test "$with_ldap" = "yes"; then + if test "$with_ldap_des" = "yes" ; then + LDAP_LIBS="${LDAP_LIBS} -ldes" + fi + if test "$with_ldap_krb" = "yes" ; then + LDAP_LIBS="${LDAP_LIBS} -lkrb" + fi + if test "$with_ldap_lber" = "yes" ; then + LDAP_LIBS="${LDAP_LIBS} -llber" + fi + LDAP_LIBS="${LDAP_LIBS} -lldap" + else + AC_MSG_ERROR([OpenLDAP not found]) + fi + + AC_SUBST(LDAP_LIBS) + + LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_OPENLDAP" + AC_SUBST(LDAP_CFLAGS) +else + LDAP_LIBS="${MOZLDAP_LIBS}" + AC_SUBST(LDAP_LIBS) -PKG_CHECK_MODULES(MOZLDAP, mozldap > 6) + LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_MOZLDAP" + AC_SUBST(LDAP_CFLAGS) +fi dnl --------------------------------------------------------------------------- dnl - Check for OpenSSL Crypto library diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c index 898cffa47..5782367a0 100644 --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c @@ -39,13 +39,23 @@ #include <arpa/inet.h> #include <time.h> #include <krb5.h> +#ifdef WITH_MOZLDAP +#include <mozldap/ldap.h> +#else #include <ldap.h> +#endif #include <sasl/sasl.h> #define DEFAULT_KEYTAB "FILE:/var/kerberos/krb5kdc/kpasswd.keytab" #define TMP_TEMPLATE "/var/cache/ipa/kpasswd/krb5_cc.XXXXXX" #define KPASSWD_PORT 464 +#ifdef WITH_MOZLDAP +/* From OpenLDAP's ldap.h */ +#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U) +#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U) +#endif + /* blacklist entries are released only BLCAKLIST_TIMEOUT seconds * after the children performing the noperation has finished. * this is to avoid races */ @@ -310,7 +320,6 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e struct berval control; struct berval newpw; char hostname[1024]; - char *ldap_uri = NULL; struct berval **ncvals; char *ldap_base = NULL; char *filter; 
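Review bot: The `--with-openldap` branch links against whatever the four `AC_CHECK_LIB` probes find, including the `-llber -lkrb` and `-llber -lkrb -ldes` fallbacks; those pull Kerberos 4 and standalone DES libraries into a password-handling daemon purely because some old OpenLDAP build once needed them, and nothing visible in this tree uses them, so I would keep only `AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)` and the `-llber` retry. As in the client configure.ac, the header probes were dropped on both sides of this hunk and should return as `AC_CHECK_HEADERS([ldap.h lber.h], [], [AC_MSG_ERROR([OpenLDAP headers not found])])` inside the branch. Note also that with `--with-openldap` the build presumably ends up with two LDAP SDKs — OpenLDAP via `LDAP_LIBS` and mozldap, which the unconditional `PKG_CHECK_MODULES(MOZLDAP, mozldap > 6)` still requires for the slapi plugins; the `dnl` comment explains why, which is good, but the help string should say so too, e.g. `[ --with-openldap Use OpenLDAP for the client tools (mozldap is still required for the 389-ds plugins)]`.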
@@ -367,17 +376,10 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e goto done; } - ret = asprintf(&ldap_uri, "ldap://%s:389", hostname); - if (ret == -1) { - syslog(LOG_ERR, "Out of memory!"); - ret = KRB5_KPASSWD_HARDERROR; - goto done; - } - /* connect to ldap server */ /* TODO: support referrals ? */ - ret = ldap_initialize(&ld, ldap_uri); - if(ret != LDAP_SUCCESS) { + ld = ldap_init(hostname, 389); + if(ld == NULL) { syslog(LOG_ERR, "Unable to connect to ldap server"); ret = KRB5_KPASSWD_HARDERROR; goto done; @@ -385,7 +387,7 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e version = LDAP_VERSION3; ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); - if (ret != LDAP_OPT_SUCCESS) { + if (ret != LDAP_SUCCESS) { syslog(LOG_ERR, "Unable to set ldap protocol version"); ret = KRB5_KPASSWD_HARDERROR; goto done; @@ -480,11 +482,12 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e ret = KRB5_KPASSWD_HARDERROR; goto done; } + ber_printf(ctrl, "{tstON}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, userdn, LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &newpw); - ret = ber_flatten2(ctrl, &control, 0); + ret = ber_flatten(ctrl, &control); if (ret < 0) { syslog(LOG_ERR, "ber flattening failed!"); ret = KRB5_KPASSWD_HARDERROR; @@ -645,8 +648,7 @@ done: if (exterr1) free(exterr1); if (exterr2) free(exterr2); if (userdn) free(userdn); - if (ld) ldap_unbind_ext_s(ld, NULL, NULL); - if (ldap_uri) free(ldap_uri); + if (ld) ldap_unbind_ext(ld, NULL, NULL); if (tmp_file) { unlink(tmp_file); free(tmp_file); diff --git a/ipa-server/ipa-slapi-plugins/dna/Makefile.am b/ipa-server/ipa-slapi-plugins/dna/Makefile.am index 57a99764b..4a54b8d5d 100644 --- a/ipa-server/ipa-slapi-plugins/dna/Makefile.am +++ b/ipa-server/ipa-slapi-plugins/dna/Makefile.am 
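Review bot: `ld = ldap_init(hostname, 389);` opens a cleartext LDAP connection with no StartTLS, and this function goes on to send `newpw` to the directory over it (the `ber_printf` with `LDAP_TAG_EXOP_MODIFY_PASSWD_NEW` in the -480 hunk); unless the bind that follows — outside this hunk — negotiates a SASL privacy layer, the user's new password crosses the wire in clear. That property predates the commit, but since the connect site is being rewritten anyway it should either call `ldap_start_tls_s(ld, NULL, NULL)` after the protocol-version option is set, or at least carry a comment stating the assumption, e.g. `/* cleartext port 389: assumes the SASL bind below negotiates a privacy layer -- TODO confirm */`. The same `ldap_init` portability caveat raised for ipa-getkeytab.c applies here: on OpenLDAP it is a deprecated symbol that I believe is only declared under LDAP_DEPRECATED, so keeping `ldap_initialize` under `#ifndef WITH_MOZLDAP` is safer. ldap_pwd_change begins and ends outside this hunk.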
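Review bot: `ret = ber_flatten(ctrl, &control);` is handed the address of `struct berval control;` (declared as a plain struct in the -310 hunk, where that line is unchanged context), but `ber_flatten` takes a `struct berval **` and allocates a fresh berval into it, so this writes a pointer over the first bytes of the struct and whatever later consumes `control` (outside the hunk) sees garbage; the removed `ber_flatten2(ctrl, &control, 0)` had the matching by-value signature. ipa-getkeytab.c in this same commit gets it right with `struct berval *control = NULL;` and `ber_bvfree(control)` on cleanup; mirror that here by changing the declaration to `struct berval *control = NULL;`, passing `control` rather than `&control` to the extended-operation call, and adding `if (control) ber_bvfree(control);` to the `done:` block so the flattened request is not leaked. The unchecked `ber_printf(ctrl, "{tstON}", ...)` on the line above also deserves a `== -1` check that sets `KRB5_KPASSWD_HARDERROR` and jumps to `done`, since a failure there would flatten and send an empty or partial password-modify request.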
@@ -9,7 +9,6 @@ INCLUDES = \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(MOZLDAP_CFLAGS) \ - $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am b/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am index 54ddd538a..cf084aae0 100644 --- a/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am +++ b/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am @@ -9,7 +9,6 @@ INCLUDES = \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(MOZLDAP_CFLAGS) \ - $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index fea48fdd7..540646f06 100644 --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -9,7 +9,6 @@ INCLUDES = \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(MOZLDAP_CFLAGS) \ - $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(SSL_CFLAGS) \ $(WARN_CFLAGS) \ |