
Re: (ITS#5115) SASL authentication for AD



--On Wednesday, August 29, 2007 6:25 PM +0000 rbeckett@exelixis.com wrote:


> Any help would be appreciated.


The ITS system is for bugs, not for issues you have building OpenLDAP.  I 
suggest reading the OpenLDAP FAQ entries on linking, and becoming generally 
familiar with how to build software in non-standard paths.

The FAQ entry can be found at:

<http://www.openldap.org/faq/data/cache/1113.html>

My OpenSSL build looked like:
%configure
env CC=/usr/local/bin/gcc CFLAGS='-g -O2' CXXFLAGS='-g -O2' \
    PERL=/usr/bin/perl LD_RUN_PATH=/usr/local/lib \
./Configure --prefix=/usr/local --openssldir=/usr/local/openssl \
    shared linux-x86_64 -g -O2

%build
env LD_RUN_PATH="/usr/local/lib" make

%install
env LD_LIBRARY_PATH="/usr/local/lib" \
    LD_RUN_PATH="/usr/local/lib" \
    make install INSTALL_PREFIX=%package%


Note the use of LD_RUN_PATH.  My OpenLDAP build looked like:

%configure
LD_LIBRARY_PATH="/usr/local/lib" CC=/usr/local/bin/gcc \
CXX=/usr/local/bin/g++ CFLAGS='-g -O2 -DSLAP_LIGHTWEIGHT_DISPATCHER' \
CXXFLAGS='-g -O2' sh configure --datadir='${prefix}/lib' \
--libexecdir='${prefix}/lib' --sharedstatedir='${prefix}/lib' \
    --prefix=/usr/local \
    --disable-ipv6 \
    --with-cyrus-sasl \
    --with-tls \
    --enable-dynamic \
    --enable-slapd \
        --enable-modules \
        --enable-spasswd \
        --enable-rewrite \
        --enable-rlookups \
        --enable-wrappers \
    --enable-backends=mod \
        --disable-shell \
        --disable-sql \
    --enable-overlays=mod \
    --enable-slurpd=yes \
        --enable-slapi=yes
make depend

%build
make -j3

%check
make test

%install
make install DESTDIR=%package% STRIP=""

I'll also note that the error you are receiving from the SASL bind has 
nothing to do with SSL specifically.  All it notes is that the AD server 
has no SASL mechanisms presented that match the SASL mechanisms available 
to OpenLDAP.  If you are wanting to support SASL/EXTERNAL, you'll 
definitely need to fix your build with OpenSSL support.

I've compiled OpenSSL into /usr/local on many occasions without problem,
but I use the correct flags to gcc, too, which I don't see indicated in 
your build.

You do not indicate whether or not you link OpenLDAP against cyrus-sasl, 
but that will be necessary for support of some of the other SASL 
mechanisms.  If you plan on doing SASL/GSSAPI binds to AD, you'll also need 
to build a Kerberos distribution for its libraries (I suggest Heimdal), and 
link cyrus-sasl against that before building OpenLDAP linked against 
cyrus-sasl.

You may also want to read:

<http://www.stanford.edu/services/directory/openldap/configuration/>


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
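
Added example, not part of the original message or of OpenLDAP: a shell check for the mismatch described above, comparing the SASL mechanisms a server advertises in its root DSE with the mechanisms the local client build provides. The host name, the sample LDIF and the function names are constructed for illustration, and the client mechanism list is assumed to be supplied by the caller.

```shell
#!/bin/sh
# Constructed sample of the LDIF printed by:
#   ldapsearch -x -LLL -H ldap://dc.example.com -s base -b "" supportedSASLMechanisms
# (dc.example.com and the values below are placeholders, not from the thread).
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
'

# Read LDIF on stdin and print the advertised mechanisms, one per line,
# upper-cased and de-duplicated. Attribute names are case-insensitive and
# a trailing CR (LDIF saved on Windows) is stripped first.
server_mechs() {
    awk -F': *' '
        { sub(/\r$/, "") }
        tolower($1) == "supportedsaslmechanisms" && $2 != "" { print toupper($2) }
    ' | LC_ALL=C sort -u
}

# Print the mechanisms usable by both sides.
#   stdin: root DSE LDIF from the server
#   $1   : space-separated mechanisms the local cyrus-sasl build provides
#          (assumption: the caller knows which plugins were built)
# Always returns 0; empty output means a SASL bind cannot be negotiated.
common_mechs() {
    client=$(printf '%s\n' "$1" | tr -s ' ' '\n' |
             tr '[:lower:]' '[:upper:]' | LC_ALL=C sort -u)
    server=$(server_mechs)
    # -F fixed strings, -x whole-line match; each client line is one pattern.
    printf '%s\n' "$server" | grep -Fx -e "$client" || true
}

# Report for one client build; returns 1 when nothing overlaps.
report() {
    shared=$(printf '%s' "$SAMPLE_ROOTDSE" | common_mechs "$1")
    if [ -z "$shared" ]; then
        echo "client [$1]: no mechanism in common with the server"
        return 1
    fi
    echo "client [$1]: can negotiate $(echo $shared)"
}

# A build without TLS or Kerberos support, then one with the GSSAPI plugin
# and TLS (which is what makes EXTERNAL available).
report 'PLAIN LOGIN' || true
report 'PLAIN GSSAPI EXTERNAL'
```

Against a live server, pipe the `ldapsearch` command from the first comment into `common_mechs` in place of the constructed sample.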