Go back to using AC_TRY_COMPILE to detect <ldap_ssl.h>, which requires that <ldap.h> be included before it. Use the draft-specified value "0" instead of a preprocessor define which mozldap doesn't provide (LDAP_OPT_SUCCESS). Don't fail to compile if libldap doesn't provide ldap_create_control(), just fail at run-time if we try to use it. Only try to set non-portable options that the libldap which is being used supports. Don't depend on ldap_alloc_ber_with_options() being there; fall back to either ber_alloc_t() or the deprecated der_alloc(). Learn about Mozilla LDAP 6. Prefer </usr/include/nss.h> to <nss.h>, because <nss.h> can also be the security toolkit used by Mozilla's LDAP SDK rather than libc's nsswitch header, and if we've set the include path, we could be screwed. Strip off any '/' which appears in our hostname before passing it to ldap_init(). diff -up nss_ldap/configure.in nss_ldap/configure.in --- nss_ldap/configure.in 2007-11-14 14:21:54.000000000 -0500 +++ nss_ldap/configure.in 2007-11-14 15:01:32.000000000 -0500 @@ -41,7 +41,7 @@ dnl AC_ARG_ENABLE(configurable-krb5-ccname-env, [ --enable-configurable-krb5-ccname-env enable configurable Kerberos V credentials cache name (putenv method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_ENV)]) AC_ARG_ENABLE(configurable-krb5-ccname-gssapi, [ --enable-configurable-krb5-ccname-gssapi enable configurable Kerberos V credentials cache name (gssapi method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_GSSAPI)]) -AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]]) +AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|mozilla|netscape5|netscape4|netscape3|umich|openldap]]) AC_ARG_WITH(ldap-dir, [ --with-ldap-dir=DIR base directory of LDAP SDK]) AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file], [ NSS_LDAP_PATH_CONF="$with_ldap_conf_file" ], @@ -132,17 +132,18 @@ AC_SUBST(NSS_LDAP_LDFLAGS) AC_CHECK_HEADERS(lber.h) AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>)) -AC_CHECK_HEADERS(ldap_ssl.h) +dnl AC_CHECK_HEADERS(ldap_ssl.h) -dnl AC_MSG_CHECKING(for ldap_ssl.h) -dnl AC_TRY_COMPILE([#include <sys/types.h> -dnl #include <ldap.h> -dnl #include <ldap_ssl.h>], , -dnl [ -dnl AC_MSG_RESULT(yes), -dnl AC_DEFINE(HAVE_LDAP_SSL_H, 1) -dnl ], -dnl AC_MSG_RESULT(no)) +AC_MSG_CHECKING(for ldap_ssl.h) +AC_TRY_COMPILE([ + #include <sys/types.h> + #include <ldap.h> + #include <ldap_ssl.h>],[], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_LDAP_SSL_H,1,[Define if you have <ldap_ssl.h>.]) + ], + AC_MSG_RESULT(no)) # For HP-UX and AIX we use private API, the headers for which # are included locally. We need to do something to stop both @@ -150,7 +151,8 @@ dnl AC_MSG_RESULT(no)) case "$target_os" in aix*) AC_CHECK_HEADERS(irs.h usersec.h) ;; hpux*) AC_CHECK_HEADERS(nsswitch.h) ;; - *) AC_CHECK_HEADERS(nss.h) + *) AC_CHECK_HEADERS(/usr/include/nss.h) + AC_CHECK_HEADERS(nss.h) AC_CHECK_HEADERS(nsswitch.h) AC_CHECK_HEADERS(irs.h) ;; esac @@ -297,6 +299,9 @@ if test -z "$found_ldap_lib" -a \( $with AC_CHECK_LIB(lber, main) AC_CHECK_LIB(ldap, main, [LIBS="-lldap $LIBS" found_ldap_lib=yes],,$LIBS) fi +if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = mozilla \); then +AC_CHECK_LIB(ldap60, main, LIBS="-lssldap60 -lprldap60 -lldap60 -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread) +fi if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread) fi @@ -331,6 +336,7 @@ AC_CHECK_FUNCS(ldap_init ldap_get_lderrn AC_CHECK_FUNCS(ldap_ld_free ldap_explode_rdn ldap_set_option ldap_get_option) AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext) AC_CHECK_FUNCS(ldap_create_control ldap_create_page_control ldap_parse_page_control) +AC_CHECK_FUNCS(ldap_alloc_ber_with_options ber_alloc_t der_alloc) if test "$enable_ssl" \!= "no"; then AC_CHECK_FUNCS(ldapssl_client_init ldap_start_tls_s ldap_pvt_tls_set_option ldap_start_tls) fi diff -up nss_ldap/ldap-nss.h nss_ldap/ldap-nss.h --- nss_ldap/ldap-nss.h 2007-11-14 14:21:54.000000000 -0500 +++ nss_ldap/ldap-nss.h 2007-11-14 15:05:57.000000000 -0500 @@ -58,6 +58,8 @@ #include <nss_common.h> #include <nss_dbdefs.h> #include <nsswitch.h> +#elif defined(HAVE__USR_INCLUDE_NSS_H) +#include </usr/include/nss.h> #elif defined(HAVE_NSS_H) #include <nss.h> #elif defined(HAVE_IRS_H) diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c --- nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500 +++ nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500 @@ -1069,6 +1069,23 @@ do_init_session (LDAP ** ld, const char defport = atoi (p + 1); uri = uribuf; } + else + { + size_t urilen = strlen(uri); + + if (urilen >= sizeof (uribuf)) + { + return NSS_UNAVAIL; + } + + memcpy (uribuf, uri, urilen); + uribuf[urilen] = '\0'; + + if ((urilen > 0) && (uribuf[urilen - 1] == '/')) + uribuf[urilen - 1] = '\0'; + + uri = uribuf; + } # ifdef HAVE_LDAP_INIT *ld = ldap_init (uri, defport); @@ -1537,7 +1554,7 @@ do_open (void) if (ldap_get_option (__session.ls_conn, LDAP_OPT_PROTOCOL_VERSION, - &version) == LDAP_OPT_SUCCESS) + &version) == 0) { if (version < LDAP_VERSION3) { @@ -1697,6 +1714,7 @@ do_ssl_options (ldap_config_t * cfg) } #endif /* LDAP_OPT_X_TLS_RANDOM_FILE */ +#ifdef LDAP_OPT_X_TLS_CACERTFILE if (cfg->ldc_tls_cacertfile != NULL) { /* ca cert file */ @@ -1709,7 +1727,9 @@ do_ssl_options (ldap_config_t * cfg) return LDAP_OPERATIONS_ERROR; } } +#endif +#ifdef LDAP_OPT_X_TLS_CACERTDIR if (cfg->ldc_tls_cacertdir != NULL) { /* ca cert directory */ @@ -1722,7 +1742,9 @@ do_ssl_options (ldap_config_t * cfg) return LDAP_OPERATIONS_ERROR; } } +#endif +#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT /* require cert? */ if (cfg->ldc_tls_checkpeer > -1) { @@ -1735,7 +1757,9 @@ do_ssl_options (ldap_config_t * cfg) return LDAP_OPERATIONS_ERROR; } } +#endif +#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE if (cfg->ldc_tls_ciphers != NULL) { /* set cipher suite, certificate and private key: */ @@ -1748,7 +1772,9 @@ do_ssl_options (ldap_config_t * cfg) return LDAP_OPERATIONS_ERROR; } } +#endif +#ifdef LDAP_OPT_X_TLS_CERTFILE if (cfg->ldc_tls_cert != NULL) { rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE, cfg->ldc_tls_cert); @@ -1759,7 +1785,9 @@ do_ssl_options (ldap_config_t * cfg) return LDAP_OPERATIONS_ERROR; } } +#endif +#ifdef LDAP_OPT_X_TLS_CERTFILE if (cfg->ldc_tls_key != NULL) { rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE, cfg->ldc_tls_key); @@ -1770,6 +1798,7 @@ do_ssl_options (ldap_config_t * cfg) return LDAP_OPERATIONS_ERROR; } } +#endif debug ("<== do_ssl_options"); diff -up nss_ldap/pagectrl.c nss_ldap/pagectrl.c --- nss_ldap/pagectrl.c 2007-08-03 00:51:09.000000000 -0400 +++ nss_ldap/pagectrl.c 2007-11-14 14:21:54.000000000 -0500 @@ -38,6 +38,17 @@ static char rcsId[] = "$Id: pagectrl.c,v #define LDAP_CONTROL_PAGE_OID "1.2.840.113556.1.4.319" #endif +#ifndef HAVE_LDAP_CREATE_CONTROL +#define ldap_create_control _nss_ldap_fail_to_create_control +static int +ldap_create_control(const char *oid, BerElement *value, + int iscritical, LDAPControl ** ctrlp) +{ + *ctrlp = NULL; + return LDAP_ENCODING_ERROR; +} +#endif + #ifndef HAVE_LDAP_CREATE_PAGE_CONTROL /*--- ldap_create_page_control @@ -78,9 +89,6 @@ static char rcsId[] = "$Id: pagectrl.c,v ---*/ -#ifndef HAVE_LDAP_CREATE_CONTROL -#error LDAP client library does not support ldap_create_control() -#else int ldap_create_page_control (LDAP * ld, unsigned long pagesize, @@ -97,10 +105,24 @@ ldap_create_page_control (LDAP * ld, return (LDAP_PARAM_ERROR); } +#ifdef HAVE_LDAP_ALLOC_BER_WITH_OPTIONS if ((ber = ldap_alloc_ber_with_options (ld)) == NULL) { return (LDAP_NO_MEMORY); } +#elif defined(HAVE_BER_ALLOC_T) && defined(LBER_USE_DER) + if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) + { + return (LDAP_NO_MEMORY); + } +#elif defined(HAVE_DER_ALLOC) + if ((ber = der_alloc()) == NULL) + { + return (LDAP_NO_MEMORY); + } +#else + return (LDAP_NO_MEMORY); +#endif tag = ber_printf (ber, "{i", pagesize); if (tag == LBER_ERROR) @@ -126,7 +148,6 @@ exit: ber_free (ber, 1); return (LDAP_ENCODING_ERROR); } -#endif /* HAVE_LDAP_CREATE_CONTROL */ #endif /* HAVE_LDAP_CREATE_PAGE_CONTROL */ #ifndef HAVE_LDAP_PARSE_PAGE_CONTROL @@ -154,9 +175,6 @@ exit: ---*/ -#ifndef HAVE_LDAP_CREATE_CONTROL -#error LDAP client library does not support ldap_create_control() -#else int ldap_parse_page_control (LDAP * ld, LDAPControl ** ctrls, @@ -222,5 +240,4 @@ foundPageControl: return (LDAP_SUCCESS); } -#endif /* HAVE_LDAP_CREATE_CONTROL */ #endif /* HAVE_LDAP_PARSE_PAGE_CONTROL */