In message <afrblueohuxah...@freefall.freebsd.org>, Lexi Winter writes:
>
> Cy Schubert:
> > In message <afrsquqsti4pr...@freefall.freebsd.org>, Lexi Winter writes:
> > > i'm hoping with MIT krb5 in base, we might be able to find a better
> > > solution to this, but i haven't had a chance to actually try it.
> > > it may be we have to go with a glib-style "bootstrap port" solution.
> >
> > It may help bootstrap but you can't rely on it to supply your KDC needs as
> > it doesn't and will never use LDAP, unless we import OpenLDAP into base,
> > and that's another matter of discussion.
>
> i am thinking purely in terms of ports here, e.g.:
>
> - krb5-ldap requires openldap26@bootstrap
> - openldap26@bootstrap builds OpenLDAP without Kerberos support
> - after building krb5-ldap you then build openldap26 with Kerberos
>   support which is a drop-in replacement for openldap26@bootstrap.
>
> then you install krb5-ldap and openldap26-server and the
> openldap26@bootstrap port is never used after the package build is done.
>
> the exact details of how this works might be more complicated but my
> understanding is that this is how devel/glib20 and
> devel/gobject-introspection manage to depend on each other.
>
> i was hoping MIT krb5 in base would avoid the need for this, but i don't
> think it does: if ports openldap links to base krb5, and ports krb5
> links to ports openldap, you'd end up with the KDC binary linking to
> both base and ports krb5. so in practice, you'd still need to ignore
> base Kerberos entirely (other than for NFS) and build everything against
> ports krb5, like we do now.

This is the same problem we have with Heimdal currently. This is why
gssapi.mk was created in the first place. Considering the alternative it
does a fairly good job of insulating ports from whatever kerberos is in
base.

gssapi.mk should determine its default based on what it finds, whether it
be Heimdal in base or ports or MIT in base or ports. The changes made to
the kdc rc script detect the kerberos. We should be able to do the same in
gssapi.mk. This avoids people having to muck around with make.conf.

Currently with Heimdal 1.5.2 in 13 and 14, and in default in 15 (until the
default changes), users will need to use some kind of modern kerberos from
ports. And this will be the state of affairs until 14 is EOL. gssapi.mk
will need to account for this and the best way would be to test 1) if the
user has selected a default in make.conf, 2) test if one of the ports is
installed and use that, and 3) use whatever is in base (in 13, 14, or 15).

Testing for the kdc or krb5kdc binary in ${LOCALBASE} first, next in
/usr/libexec will tell gssapi.mk which version is installed.

Regardless, LDAP requires one of the ports be prebuilt.

--
Cheers,
Cy Schubert <cy.schub...@cschubert.com>
FreeBSD UNIX: <c...@freebsd.org> Web: https://FreeBSD.org
NTP: <c...@nwtime.org> Web: https://nwtime.org

e**(i*pi)+1=0
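
The detection order described in the message above (user default, then an installed port, then base), sketched in shell as an added example; it is not part of the original post and is not code from gssapi.mk or the kdc rc script. The function names, the returned flavour labels, passing the user's choice as an argument, and searching `sbin` and `libexec` under `${LOCALBASE}` are all assumptions made for illustration.

```sh
#!/bin/sh
# Illustrative only: hypothetical helper names and flavour labels.
# Usage: detect_kerberos "$USER_CHOICE" "${LOCALBASE:-/usr/local}" /usr/libexec

# find_kdc DIR...
# Prints "mit" if DIR holds an executable krb5kdc, "heimdal" if it holds
# an executable kdc. Directories are checked in the order given.
find_kdc() {
    for dir in "$@"; do
        if [ -x "$dir/krb5kdc" ]; then echo mit; return 0; fi
        if [ -x "$dir/kdc" ]; then echo heimdal; return 0; fi
    done
    return 1
}

# detect_kerberos USER_DEFAULT LOCALBASE BASE_LIBEXEC
# Applies the three-step precedence from the message:
#   1) a default the user selected (empty string means "not set"),
#   2) a Kerberos port installed under LOCALBASE,
#   3) whatever KDC is present in base.
detect_kerberos() {
    user_default=$1
    localbase=$2
    base_libexec=$3

    # 1) An explicit user selection always wins.
    if [ -n "$user_default" ]; then
        echo "$user_default"
        return 0
    fi

    # 2) A port is preferred over base (assumed subdirectories).
    if flavour=$(find_kdc "$localbase/sbin" "$localbase/libexec"); then
        echo "${flavour}-port"
        return 0
    fi

    # 3) Fall back to the KDC shipped in base.
    if flavour=$(find_kdc "$base_libexec"); then
        echo "${flavour}-base"
        return 0
    fi

    echo none
    return 1
}
```

Because the port check runs before the base check, a host with both a ports KDC and a base KDC resolves to the port, so a port built this way is not pointed at a second Kerberos in base.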