This patch begins the process of replacing OpenLDAP with mozldap.

FreeIPA relies on RedHat's Directory Server, which uses mozldap.
A FreeIPA build using mozldap would reduce the project's dependencies and
redundant code. In addition, mozldap uses NSS instead of OpenSSL.
This is beneficial for the reasons listed in [1].

[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation

ipa-client/Makefile.am

@@ -13,7 +13,8 @@ INCLUDES =							\
 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
 	-DDATADIR=\""$(datadir)"\"				\
 	$(KRB5_CFLAGS)						\
-	$(LDAP_CFLAGS)						\
+	$(OPENLDAP_CFLAGS)					\
+	$(MOZLDAP_CFLAGS)					\
 	$(SASL_CFLAGS)						\
 	$(POPT_CFLAGS)						\
 	$(WARN_CFLAGS)						\
@@ -29,7 +30,8 @@ ipa_getkeytab_SOURCES =		\
 
 ipa_getkeytab_LDADD = 		\
 	$(KRB5_LIBS)		\
-	$(LDAP_LIBS)		\
+	$(OPENLDAP_LIBS)	\
+	$(MOZLDAP_LIBS)		\
 	$(SASL_LIBS)		\
 	$(POPT_LIBS)		\
 	$(NULL)

ipa-client/configure.ac

@@ -82,42 +82,47 @@ fi
 AC_SUBST(KRB5_LIBS)
 
 dnl ---------------------------------------------------------------------------
-dnl - Check for LDAP
+dnl - Check for Mozilla LDAP or OpenLDAP SDK
 dnl ---------------------------------------------------------------------------
 
-LDAP_LIBS=
+AC_ARG_WITH(openldap, [  --with-openldap            Use OpenLDAP])
-AC_CHECK_HEADER(ldap.h)
-AC_CHECK_HEADER(lber.h)
 
-AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
+if test x$with_openldap = xyes; then
-dnl Check for other libraries we need to link with to get the main routines.
+        AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+        dnl Check for other libraries we need to link with to get the main routines.
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+        test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+        test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
-dnl Recently, we need -lber even though the main routines are elsewhere,
+        test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
-dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on.  So just
+        dnl Recently, we need -lber even though the main routines are elsewhere,
-dnl check for that (it's a variable not a fun but that doesn't seem to
+        dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on.  So just
-dnl matter in these checks)  and stick in -lber if so.  Can't hurt (even to
+        dnl check for that (it's a variable not a fun but that doesn't seem to
-dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+        dnl matter in these checks)  and stick in -lber if so.  Can't hurt (even to
-dnl #### understands LDAP needs to fix this properly.
+        dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
-test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+        dnl #### understands LDAP needs to fix this properly.
+        test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
 
-if test "$with_ldap" = "yes"; then
+        if test "$with_ldap" = "yes"; then
-  if test "$with_ldap_des" = "yes" ; then
+          if test "$with_ldap_des" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -ldes"
+            OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes"
-  fi
+          fi
-  if test "$with_ldap_krb" = "yes" ; then
+          if test "$with_ldap_krb" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -lkrb"
+            OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb"
-  fi
+          fi
-  if test "$with_ldap_lber" = "yes" ; then
+          if test "$with_ldap_lber" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -llber"
+            OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
-  fi
+          fi
-  LDAP_LIBS="${LDAP_LIBS} -lldap"
+          OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
+        else
+          AC_MSG_ERROR([OpenLDAP not found])
+        fi
+
+        AC_SUBST(OPENLDAP_LIBS)
 else
-  AC_MSG_ERROR([LDAP not found])
+        PKG_CHECK_MODULES(MOZLDAP, mozldap > 6)
+	MOZLDAP_CFLAGS="${MOZLDAP_CFLAGS} -DWITH_MOZLDAP"
+	AC_SUBST(MOZLDAP_CFLAGS)
 fi
 
-AC_SUBST(LDAP_LIBS)
 
 dnl ---------------------------------------------------------------------------
 dnl - Check for POPT

ipa-client/ipa-getkeytab.c

@@ -31,7 +31,11 @@
 #include <errno.h>
 #include <time.h>
 #include <krb5.h>
+#ifdef WITH_MOZLDAP
+#include <mozldap/ldap.h>
+#else
 #include <ldap.h>
+#endif
 #include <sasl/sasl.h>
 #include <popt.h>
 
@@ -275,7 +279,6 @@ static int ldap_set_keytab(const char *servername,
 	BerElement *ctrl = NULL;
 	BerElement *sctrl = NULL;
 	struct berval *control = NULL;
-	char *ldap_uri = NULL;
 	struct berval **ncvals;
 	char *ldap_base = NULL;
 	char *retoid = NULL;
@@ -306,23 +309,16 @@ static int ldap_set_keytab(const char *servername,
 		goto error_out;
 	}
 
-	/* connect to ldap server */
-	ret = asprintf(&ldap_uri, "ldap://%s:389", servername);
-	if (ret == -1) {
-		fprintf(stderr, "Unable to determine server URI!\n");
-		goto error_out;
-	}
-
 	/* TODO: support referrals ? */
-	ret = ldap_initialize(&ld, ldap_uri);
+	ld = ldap_init(servername, 389);
-	if(ret != LDAP_SUCCESS) {
+	if(ld == NULL) {
 		fprintf(stderr, "Unable to initialize ldap library!\n");
 		goto error_out;
 	}
 
 	version = LDAP_VERSION3;
 	ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
-        if (ret != LDAP_OPT_SUCCESS) {
+        if (ret != LDAP_SUCCESS) {
 		fprintf(stderr, "Unable to set ldap options!\n");
 		goto error_out;
 	}
@@ -427,8 +423,7 @@ static int ldap_set_keytab(const char *servername,
 	ber_free(sctrl, 1);
 	ldap_controls_free(srvctrl);
 	ldap_msgfree(res);
-	ldap_unbind_ext_s(ld, NULL, NULL);
+	ldap_unbind_ext(ld, NULL, NULL);
-	free(ldap_uri);
 	return kvno;
 
 error_out:
@@ -436,8 +431,7 @@ error_out:
 	if (srvctrl) ldap_controls_free(srvctrl);
 	if (err) ldap_memfree(err);
 	if (res) ldap_msgfree(res);
-	if (ld) ldap_unbind_ext_s(ld, NULL, NULL);
+	if (ld) ldap_unbind_ext(ld, NULL, NULL);
-	if (ldap_uri) free(ldap_uri);
 	if (control) ber_bvfree(control);
 	if (encs) free(encs);
 	return 0;

ipa-server/configure.ac

@@ -87,49 +87,56 @@ fi
 AC_SUBST(KRB5_LIBS)
 
 dnl ---------------------------------------------------------------------------
-dnl - Check for LDAP
+dnl - Check for Mozilla LDAP or OpenLDAP SDK
 dnl ---------------------------------------------------------------------------
 
-LDAP_LIBS=
+AC_ARG_WITH(openldap, [  --with-openldap            Use OpenLDAP])
-AC_CHECK_HEADER(ldap.h)
-AC_CHECK_HEADER(lber.h)
-
-AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
-dnl Check for other libraries we need to link with to get the main routines.
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
-test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
-dnl Recently, we need -lber even though the main routines are elsewhere,
-dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on.  So just
-dnl check for that (it's a variable not a fun but that doesn't seem to
-dnl matter in these checks)  and stick in -lber if so.  Can't hurt (even to
-dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
-dnl #### understands LDAP needs to fix this properly.
-test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
-
-if test "$with_ldap" = "yes"; then
-  if test "$with_ldap_des" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -ldes"
-  fi
-  if test "$with_ldap_krb" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -lkrb"
-  fi
-  if test "$with_ldap_lber" = "yes" ; then
-    LDAP_LIBS="${LDAP_LIBS} -llber"
-  fi
-  LDAP_LIBS="${LDAP_LIBS} -lldap"
-else
-  AC_MSG_ERROR([LDAP not found])
-fi
-
-AC_SUBST(LDAP_LIBS)
-
-dnl ---------------------------------------------------------------------------
-dnl - Check for Mozilla LDAP SDK
-dnl ---------------------------------------------------------------------------
 
+dnl The mozldap libraries are always needed because ipa-slapi-plugins/dna/ 
+dnl will not build against OpenLDAP.
 PKG_CHECK_MODULES(MOZLDAP, mozldap > 6)
 
+if test x$with_openldap = xyes; then
+	AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
+	dnl Check for other libraries we need to link with to get the main routines.
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+	dnl Recently, we need -lber even though the main routines are elsewhere,
+	dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on.  So just
+	dnl check for that (it's a variable not a fun but that doesn't seem to
+	dnl matter in these checks)  and stick in -lber if so.  Can't hurt (even to
+	dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+	dnl #### understands LDAP needs to fix this properly.
+	test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+	
+	if test "$with_ldap" = "yes"; then
+	  if test "$with_ldap_des" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -ldes"
+	  fi
+	  if test "$with_ldap_krb" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -lkrb"
+	  fi
+	  if test "$with_ldap_lber" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -llber"
+	  fi
+	  LDAP_LIBS="${LDAP_LIBS} -lldap"
+	else
+	  AC_MSG_ERROR([OpenLDAP not found])
+	fi
+	
+	AC_SUBST(LDAP_LIBS)
+
+	LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_OPENLDAP"
+	AC_SUBST(LDAP_CFLAGS)
+else
+	LDAP_LIBS="${MOZLDAP_LIBS}"
+	AC_SUBST(LDAP_LIBS)
+
+	LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_MOZLDAP"
+	AC_SUBST(LDAP_CFLAGS)
+fi
+
 dnl ---------------------------------------------------------------------------
 dnl - Check for OpenSSL Crypto library
 dnl ---------------------------------------------------------------------------

ipa-server/ipa-kpasswd/ipa_kpasswd.c

@@ -39,13 +39,23 @@
 #include <arpa/inet.h>
 #include <time.h>
 #include <krb5.h>
+#ifdef WITH_MOZLDAP
+#include <mozldap/ldap.h>
+#else
 #include <ldap.h>
+#endif
 #include <sasl/sasl.h>
 
 #define DEFAULT_KEYTAB "FILE:/var/kerberos/krb5kdc/kpasswd.keytab"
 #define TMP_TEMPLATE "/var/cache/ipa/kpasswd/krb5_cc.XXXXXX"
 #define KPASSWD_PORT 464
 
+#ifdef WITH_MOZLDAP
+/* From OpenLDAP's ldap.h */
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID  ((ber_tag_t) 0x80U)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
+#endif
+
 /* blacklist entries are released only BLCAKLIST_TIMEOUT seconds
  * after the children performing the noperation has finished.
  * this is to avoid races */
@@ -310,7 +320,6 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 	struct berval control;
 	struct berval newpw;
 	char hostname[1024];
-	char *ldap_uri = NULL;
 	struct berval **ncvals;
 	char *ldap_base = NULL;
 	char *filter;
@@ -367,17 +376,10 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 		goto done;
 	}
 
-	ret = asprintf(&ldap_uri, "ldap://%s:389", hostname);
-	if (ret == -1) {
-		syslog(LOG_ERR, "Out of memory!");
-		ret = KRB5_KPASSWD_HARDERROR;
-		goto done;
-	}
-
 	/* connect to ldap server */
 	/* TODO: support referrals ? */
-	ret = ldap_initialize(&ld, ldap_uri);
+	ld = ldap_init(hostname, 389);
-	if(ret != LDAP_SUCCESS) {
+	if(ld == NULL) {
 		syslog(LOG_ERR, "Unable to connect to ldap server");
 		ret = KRB5_KPASSWD_HARDERROR;
 		goto done;
@@ -385,7 +387,7 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 
 	version = LDAP_VERSION3;
 	ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
-        if (ret != LDAP_OPT_SUCCESS) {
+        if (ret != LDAP_SUCCESS) {
 		syslog(LOG_ERR, "Unable to set ldap protocol version");
 		ret = KRB5_KPASSWD_HARDERROR;
 		goto done;
@@ -480,11 +482,12 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 		ret = KRB5_KPASSWD_HARDERROR;
 		goto done;
 	}
+
 	ber_printf(ctrl, "{tstON}",
 		   LDAP_TAG_EXOP_MODIFY_PASSWD_ID, userdn,
 		   LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &newpw);
 
-	ret = ber_flatten2(ctrl, &control, 0);
+	ret = ber_flatten(ctrl, &control);
 	if (ret < 0) {
 		syslog(LOG_ERR, "ber flattening failed!");
 		ret = KRB5_KPASSWD_HARDERROR;
@@ -645,8 +648,7 @@ done:
 	if (exterr1) free(exterr1);
 	if (exterr2) free(exterr2);
 	if (userdn) free(userdn);
-	if (ld) ldap_unbind_ext_s(ld, NULL, NULL);
+	if (ld) ldap_unbind_ext(ld, NULL, NULL);
-	if (ldap_uri) free(ldap_uri);
 	if (tmp_file) {
 		unlink(tmp_file);
 		free(tmp_file);

ipa-server/ipa-slapi-plugins/dna/Makefile.am

@@ -9,7 +9,6 @@ INCLUDES =							\
 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
 	-DDATADIR=\""$(datadir)"\"				\
 	$(MOZLDAP_CFLAGS)					\
-	$(LDAP_CFLAGS)						\
 	$(KRB5_CFLAGS)						\
 	$(WARN_CFLAGS)						\
 	$(NULL)

ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am

@@ -9,7 +9,6 @@ INCLUDES =							\
 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
 	-DDATADIR=\""$(datadir)"\"				\
 	$(MOZLDAP_CFLAGS)					\
-	$(LDAP_CFLAGS)						\
 	$(KRB5_CFLAGS)						\
 	$(WARN_CFLAGS)						\
 	$(NULL)

ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

@@ -9,7 +9,6 @@ INCLUDES =							\
 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
 	-DDATADIR=\""$(datadir)"\"				\
 	$(MOZLDAP_CFLAGS)					\
-	$(LDAP_CFLAGS)						\
 	$(KRB5_CFLAGS)						\
 	$(SSL_CFLAGS)						\
 	$(WARN_CFLAGS)						\