John Marshall wrote:
On Sat, 19 Sep 2009, 09:31 +1000, John Marshall wrote:
On Fri, 18 Sep 2009, 17:38 -0400, Rick Macklem wrote:
When cyrus-sasl2 builds, it uses the little shell script
/usr/bin/krb5-config with the args. "--libs gssapi" to get the list of
libraries to link against. This doesn't return "-lgssapi_spnego" in the
list. (The list can be changed by editing line #96 of
/usr/bin/krb5-config.)
I think this sounds promising! It makes sense. Thanks for pointing us
in this direction.
This morning, on my 8.0-RC1 system, I did the following to confirm that
GSSAPI authentication to the LDAP server via SASL2 using the base
Heimdal was still broken:
- removed the heimdal-1.2.1 port
- rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
- started the openldap-sasl-server-2.4.18_1
- queried the LDAP server from a separate client using ldapsearch:
--------
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
--------
- and noted that the ldap server died at that point.
I edited line 96 of /usr/bin/krb5-config to include -lgssapi_krb5 in the
libraries list:
lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
and then did the following:
- rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
- started the openldap-sasl-server-2.4.18_1
- queried the LDAP server from a separate client using ldapsearch
--------
SASL/GSSAPI authentication started
SASL username: j...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
--------
SUCCESS!
So, this fix obviates THAT reason for installing the Heimdal port. If
George meets with similar success adding -lgssapi_spnego for his spnego
problem, I suggest that both libraries be added to the list in line 96
of /usr/bin/krb5-config prior to release of FreeBSD 8.0.
It doesn't look like this fix is as simple as submitting a patch to
krb5-config. It looks like magic needs to happen somewhere in the base
kerberos build system.
I notice that the Heimdal port doesn't build the separate libraries and
everything seems to be included in libgssapi (which explains why sasl2
"works" when linked against the Heimdal port).

Guys,
I changed my /usr/bin/krb5-config's line 96 to include -lgssapi_spnego
and -lgssapi_krb5, and ever since both client and server work
correctly!! Of course I get some other error, but at least this must be
a configuration error :).
So, to sum up:
Still running on fbsd.8-BETA4, changed krb5-config to include the
missing libraries, recompiled cyrus-sasl-2.1.23 after I changed the
krb5-config, restarted openldap-sasl-server-2.4.18_1 and after
performing an ldapsearch, the client does not complain (and exits) about
missing libraries, NOR does the server crash on sasl authentication.
Great job guys, thank you all very very much for your help! I posted my
query on the 17th of Sep. and in four days (weekend inclusive!) someone
came up with an answer that resolves my issue! Great job, once more, and
thank you all again!
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
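
The check the thread converges on, as an added example (not code from any poster or from FreeBSD): a POSIX sh function that reports which of the two mechanism libraries named above are absent from a `krb5-config --libs gssapi` link line. The function names and the sample link lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find GSS-API mechanism libraries missing from a link line.

# Mechanism libraries named in the thread.
REQUIRED_MECH_LIBS="gssapi_krb5 gssapi_spnego"

# missing_mech_libs LINK_LINE
# Prints the required libraries absent from LINK_LINE, space separated.
missing_mech_libs() {
    missing=""
    for lib in $REQUIRED_MECH_LIBS; do
        found=no
        for tok in $1; do
            # Exact token match: -lgssapi must not count as -lgssapi_krb5.
            if [ "$tok" = "-l$lib" ]; then found=yes; fi
        done
        [ "$found" = yes ] || missing="${missing:+$missing }$lib"
    done
    printf '%s\n' "$missing"
}

# check_link_line LABEL LINK_LINE: returns 0 if complete, 1 otherwise.
check_link_line() {
    m=$(missing_mech_libs "$2")
    if [ -z "$m" ]; then
        echo "$1: OK"
        return 0
    fi
    echo "$1: missing $m"
    return 1
}

# Constructed sample link lines (not captured from a real system).
SAMPLE_UNPATCHED="-L/usr/lib -lgssapi -lheimntlm -lkrb5 -lcrypto"
SAMPLE_KRB5_ONLY="-L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5"
SAMPLE_BOTH="-L/usr/lib -lgssapi -lgssapi_krb5 -lgssapi_spnego -lheimntlm"

check_link_line "unpatched sample" "$SAMPLE_UNPATCHED" || true
check_link_line "krb5-only sample" "$SAMPLE_KRB5_ONLY" || true
check_link_line "both-libs sample" "$SAMPLE_BOTH" || true

# On a host that has krb5-config, check the real link line as well.
if command -v krb5-config >/dev/null 2>&1; then
    check_link_line "krb5-config" "$(krb5-config --libs gssapi 2>/dev/null)" || true
fi
```

Running this before rebuilding cyrus-sasl2 shows whether the port would be linked without the mechanism libraries.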