Red Hat Bugzilla – Bug 1442133
Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA
Last modified: 2017-08-01 05:48:56 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6846 The libkrad, liblber, libldap_r and libsss_nss_idmap libraries are uncoditionally linked in every binary and library built in IPA, even where they are not used. This creates a lot of unnecessary dependencies everywhere. Stop doing this to remote the unnecessary dependencies.
Upstream ticket: https://pagure.io/freeipa/issue/6846
Fixed upstream master: https://pagure.io/freeipa/c/4322b57e313105611df39e99097993ba4161ab42 ipa-4-5: https://pagure.io/freeipa/c/207864a61a748a9032e67bf0f1782379e44fb5aa
Verified. Version :: ipa-server-4.5.0-13.el7.x86_64 Result :: [root@rhel7-3 ~]# cat linktest.sh for rpm in ipa-server ipa-client; do echo echo "++++++++++++++ $rpm +++++++++++++++" echo for file in $(rpm -ql $rpm|egrep "/sbin/|/bin/|lib.*.so$"); do file $file|grep -q ELF if [ $? -eq 0 ]; then echo " ============= $file ===============" ldd $file |sort | egrep "libkrad|liblber|libldap_r|libsss_nss_idmap"|awk '{print " " $1 " " $2 " " $3}' fi done done [root@rhel7-3 ~]# rpm -q ipa-server ipa-server-4.5.0-13.el7.x86_64 [root@rhel7-3 ~]# sh linktest.sh > ipa450_linktest.out # Then on a RHEL7.3 server: [root@ipa1 ~]# sh linktest > ipa440_linktest.out [root@ipa1 ~]# scp ipa440_linktest.out root@192.168.122.73:/root Password: ipa440_linktest.out 100% 4034 3.9KB/s 00:00 # Now to compare and see what's changed: [root@rhel7-3 ~]# diff ipa440_linktest.out ipa450_linktest.out 5d4 < libkrad.so.0 => /lib64/libkrad.so.0 9d7 < libkrad.so.0 => /lib64/libkrad.so.0 13d10 < libkrad.so.0 => /lib64/libkrad.so.0 17d13 < libkrad.so.0 => /lib64/libkrad.so.0 22d17 < libkrad.so.0 => /lib64/libkrad.so.0 26d20 < libkrad.so.0 => /lib64/libkrad.so.0 30d23 < libkrad.so.0 => /lib64/libkrad.so.0 34d26 < libkrad.so.0 => /lib64/libkrad.so.0 38d29 < libkrad.so.0 => /lib64/libkrad.so.0 42d32 < libkrad.so.0 => /lib64/libkrad.so.0 46d35 < libkrad.so.0 => /lib64/libkrad.so.0 50d38 < libkrad.so.0 => /lib64/libkrad.so.0 54d41 < libkrad.so.0 => /lib64/libkrad.so.0 58d44 < libkrad.so.0 => /lib64/libkrad.so.0 62d47 < libkrad.so.0 => /lib64/libkrad.so.0 64d48 < libkrad.so.0 => /lib64/libkrad.so.0 66d49 < libkrad.so.0 => /lib64/libkrad.so.0 73a57 > libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2 75a60 > libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2 You can see that most of the differences above are that the libkrad links are no longer included in the ipa4.5 binaries.
Created attachment 1282267 [details] ipa 4.5 linktest output
Created attachment 1282269 [details] ipa 4.4 linktest output
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304