FS#54186 - [libldap] openldap is linked against gnutls instead of openssl
Attached to Project:
Arch Linux
Opened by viq (viq) - Thursday, 25 May 2017, 15:28 GMT
Last edited by Jan de Groot (JGC) - Tuesday, 15 August 2017, 11:36 GMT
Details
Description:
Following the chain of dependencies, reading commit messages, and remembering how things used to be, I'd expect OpenLDAP to be linked against OpenSSL. I finally started looking into why it doesn't accept the cert for my LDAP server anymore, and it's because it's linked against GnuTLS, which has completely different directives for working with certs (and often just doesn't accept a directory of certs).

Additional info:

    $ pacman -Q openldap
    openldap 2.4.44-4

    $ pacmatic -Ql openldap | grep usr/bin | grep -v /$ | cut -d' ' -f2 | xargs ldd | egrep '(^/|tls|ssl)'
    /usr/bin/ldapadd:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f24f043e000)
    /usr/bin/ldapcompare:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fa564ed3000)
    /usr/bin/ldapdelete:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007eff59633000)
    /usr/bin/ldapexop:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f3b524e4000)
    /usr/bin/ldapmodify:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f71df85d000)
    /usr/bin/ldapmodrdn:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fd6f0d2d000)
    /usr/bin/ldappasswd:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fb8ad780000)
    /usr/bin/ldapsearch:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fae7d1e0000)
    /usr/bin/ldapurl:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f53b1569000)
    /usr/bin/ldapwhoami:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f6cdd886000)
    /usr/bin/slapacl:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f7b2c0db000)
    /usr/bin/slapadd:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f89aa3e8000)
    /usr/bin/slapauth:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f6da469c000)
    /usr/bin/slapcat:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007feecac77000)
    /usr/bin/slapd:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f933ae09000)
    /usr/bin/slapdn:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fe5701a4000)
    /usr/bin/slapindex:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fb3801ef000)
    /usr/bin/slappasswd:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fc93bbb3000)
    /usr/bin/slapschema:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007ff8a8880000)
    /usr/bin/slaptest:
            libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fbe21f2c000)

Steps to reproduce:
Install openldap, have an LDAP server with TLS enabled, tell openldap to trust the cert, try to search for something:

    $ egrep '(^SSL|^TLS)' /etc/openldap/ldap.conf
    TLS_CACERTDIR /etc/openldap/ssl
    SSL start_tls
    $ ldapsearch -x -ZZ -LLL -h ldap.example.com uid=someone
    ldap_start_tls: Connect error (-11)
            additional info: (unknown error code)
Closed by Jan de Groot (JGC)
Tuesday, 15 August 2017, 11:36 GMT
Reason for closing: Fixed
Additional comments about closing: Updated to 2.4.45, uses OpenSSL 1.1 now.
1) Update the OpenLDAP package to 2.4.45 which supports the new OpenSSL API. See https://www.openldap.org/software/release/changes.html for confirmation of this.
2) Modify the PKGBUILD to use --with-tls=openssl to force it to build against OpenSSL and fail if it's not available.
This is what I'm currently doing with my own package (https://github.com/CtrlC-Root/pkg-openldap) in a private repository. I see the OpenLDAP package is currently abandoned. I'd be willing to maintain it but I'm not sure what the process is to do that (i.e. who do I talk to, etc). In the meantime if anyone else finds this you should be able to download and build my package.
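The linkage check from the report, combined with a look at the CA directives in ldap.conf, as an added example that is not part of the original report or comments. The function names and sample file names are hypothetical, the libssl line is constructed, and the warning condition assumes, as the report describes, that a GnuTLS build does not accept a certificate directory.

```shell
#!/bin/sh
# Added example: detect which TLS library an OpenLDAP build pulls in and
# flag an ldap.conf that trusts only a CA directory on a GnuTLS build.

# Reads `ldd` output on stdin; prints gnutls, openssl, both or none.
# ldd resolves transitively, so "both" can appear when some other
# dependency drags in the second library.
tls_backend() {
    awk '/libgnutls\.so/ { g = 1 }
         /libssl\.so/    { o = 1 }
         END { r = "none"; if (o) r = "openssl"
               if (g) r = (o ? "both" : "gnutls"); print r }'
}

# Prints which CA trust directives an ldap.conf sets: file, dir, both, none.
# Option names are matched case-insensitively; "#" comment lines never match.
cacert_mode() {
    awk '{ k = toupper($1) }
         k == "TLS_CACERT"    { f = 1 }
         k == "TLS_CACERTDIR" { d = 1 }
         END { r = "none"; if (f) r = "file"
               if (d) r = (f ? "both" : "dir"); print r }' "$1"
}

# check_tls_setup LDD_OUTPUT_FILE LDAP_CONF
# Returns 1 for the combination behind the StartTLS failure in the report:
# GnuTLS backend while trust rests only on TLS_CACERTDIR.
check_tls_setup() {
    backend=$(tls_backend < "$1")
    ca=$(cacert_mode "$2")
    echo "backend=$backend ca=$ca"
    if [ "$backend" = gnutls ] && [ "$ca" = dir ]; then
        echo "WARN: GnuTLS build with only TLS_CACERTDIR set" >&2
        return 1
    fi
}

# Sample inputs: the gnutls line and ldap.conf lines come from the report,
# the libssl line is constructed to stand for the rebuilt package.
make_samples() {
    printf '%s\n' '/usr/bin/ldapsearch:' \
        '  libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fae7d1e0000)' > "$1/ldd-gnutls.txt"
    printf '%s\n' '/usr/bin/ldapsearch:' \
        '  libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000000000)' > "$1/ldd-openssl.txt"
    printf '%s\n' 'TLS_CACERTDIR /etc/openldap/ssl' 'SSL start_tls' > "$1/ldap.conf"
}

tmp=$(mktemp -d) && make_samples "$tmp"
check_tls_setup "$tmp/ldd-gnutls.txt" "$tmp/ldap.conf" || true
check_tls_setup "$tmp/ldd-openssl.txt" "$tmp/ldap.conf"
rm -rf "$tmp"
```

On a live system, feed it the saved output of `ldd` for one of the client binaries listed in the report and the real /etc/openldap/ldap.conf.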