Bug 434153 - ipa-server ends up requiring both openldap-clients and mozldap-tools
ipa-server ends up requiring both openldap-clients and mozldap-tools
Status: CLOSED NEXTRELEASE
Product: freeIPA
Classification: Community
Component: ipa-server (Show other bugs)
unspecified
All Linux
low Severity low
: future release
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
:
Depends On:
Blocks: 565950
  Show dependency treegraph
 
Reported: 2008-02-22 09:23 EST by W. Michael Petullo
Modified: 2015-01-04 18:30 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-09 13:43:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to replace usage of OpenLDAP with mozldap (10.28 KB, patch)
2008-02-24 09:06 EST, W. Michael Petullo
no flags Details | Diff
Patch to replace usage of OpenLDAP with mozldap (18.18 KB, patch)
2008-02-28 04:06 EST, W. Michael Petullo
no flags Details | Diff
Patch to replace use of OpenLDAP with mozldap in krbinstance.py (535 bytes, patch)
2008-12-08 20:43 EST, W. Michael Petullo
no flags Details | Diff
Patch to replace use of OpenLDAP with mozldap in dsinstance.py (524 bytes, patch)
2008-12-08 20:44 EST, W. Michael Petullo
no flags Details | Diff

  None (edit)
Description W. Michael Petullo 2008-02-22 09:23:27 EST
Description of problem:
ipa-server ends up requiring both openldap-clients and mozldap-tools

Version-Release number of selected component (if applicable):
ipa-server-0.99-9.fc9.ppc

How reproducible:
Every time

Steps to Reproduce:
Install ipa-tools
  
Actual results:
ipa-tools requires openldap-clients and fedora-ds-base
fedora-ds-base requires mozldap-tools
Furthermore, openldap-clients uses OpenSSL and mozldap-tools uses NSS.

Expected results:
ipa-tools could be modified to use mozldap-tools, eliminating the redundant
dependency on openldap-clients.

Additional info:
Comment 1 W. Michael Petullo 2008-02-24 09:06:49 EST
Created attachment 295739 [details]
Patch to replace usage of OpenLDAP with mozldap

I've attached a patch that begins the process of replacing OpenLDAP with
mozldap. FreeIPA relies on RedHat's Directory Server, which uses mozldap. A
FreeIPA build using mozldap would reduce the project's dependencies and
redundant code. In addition, mozldap uses NSS instead of OpenSSL. The is
beneficial for the reasons listed in [1].

[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation
Comment 2 W. Michael Petullo 2008-02-28 04:06:33 EST
Created attachment 296172 [details]
Patch to replace usage of OpenLDAP with mozldap

This patch now allows one to specify --with-openldap if they want to continue
using OpenLDAP, otherwise mozldap is used. The exception is ipa-server's
ipa-slapi-plugins, which will not build against OpenLDAP.
Comment 3 Rob Crittenden 2008-05-29 16:14:44 EDT
This was committed by Simo to the master branch as changeset
29ddbc610ccc14eb70dcb7ffde7c1f5cc2b95203
Comment 4 W. Michael Petullo 2008-07-23 21:41:35 EDT
This would be fixed, except my patch breaks ipa-kpasswd.c. I am working on
fixing this.
Comment 5 W. Michael Petullo 2008-09-06 11:38:03 EDT
I submitted another patch that fixed the issue mentioned in comment #4. See https://www.redhat.com/archives/freeipa-devel/2008-July/msg00118.html. This bug should be resolved once Fedora packages the newest IPA source.
Comment 6 W. Michael Petullo 2008-11-22 19:18:24 EST
FreeIPA 1.2 no longer uses the OpenLDAP libraries. However, the RPM specification used by Fedora still BuildRequires openldap-devel. This build dependency should be removed.

Also, FreeIPA 1.2 still uses openldap-clients. As far as I can tell, this is only in dsinstance.py and krbinstance.py, which both use ldapmodify. This could easily be changed to use mozldap's ldapmodify (installed at /usr/lib/mozldap/ldapmodify). This would remove the OpenLDAP / mozldap redundancy from ipa-server.
Comment 7 Jenny Galipeau 2008-11-25 10:58:49 EST
This bug does not appear to be resolved.. Comment #6 states "This could
easily be changed to use mozldap's ldapmodify (installed at
/usr/lib/mozldap/ldapmodify). This would remove the OpenLDAP / mozldap
redundancy from ipa-server."

The dependencies on installation still include openldap-client:

--> Processing Dependency: perl-Mozilla-LDAP for package: redhat-ds-base
--> Processing Dependency: perl(Mozilla::LDAP::Conn) for package: redhat-ds-base
--> Processing Dependency: libsensors.so.3 for package: redhat-ds-base
--> Processing Dependency: perl(Mozilla::LDAP::Utils) for package: redhat-ds-base
--> Processing Dependency: perl(Mozilla::LDAP::API) for package: redhat-ds-base
--> Processing Dependency: mozldap-tools for package: redhat-ds-base
--> Processing Dependency: cyrus-sasl-md5 for package: redhat-ds-base
--> Processing Dependency: perl(Mozilla::LDAP::LDIF) for package: redhat-ds-base
---> Package python-tgexpandingformwidget.noarch 0:0.1.3-5.el5ipa set to be updated
---> Package python-pyasn1.noarch 0:0.0.7a-4.el5ipa set to be updated
---> Package mod_nss.i386 0:1.0.3-6.el5ipa set to be updated
---> Package ipa-server-selinux.i386 0:1.1.0-2.20081124.el5ipa set to be updated
---> Package mod_auth_kerb.i386 0:5.1-3.el5 set to be updated
---> Package openldap-clients.i386 0:2.3.27-8.el5_2.4 set to be updated
---> Package TurboGears.noarch 0:1.0.3.2-7.el5ipa set to be updated
--> Processing Dependency: python-sqlalchemy >= 0.3 for package: TurboGears
--> Processing Dependency: python-tgfastdata for package: TurboGears
--> Processing Dependency: python-turbocheetah >= 0.9.5 for package: TurboGears
--> Processing Dependency: python-cherrypy >= 2.2.1 for package: TurboGears
--> Processing Dependency: python-ruledispatch for package: TurboGears
--> Processing Dependency: python-decoratortools >= 1.4 for package: TurboGears
--> Processing Dependency: python-sqlobject >= 0.8 for package: TurboGears
--> Processing Dependency: python-nose >= 0.9.1 for package: TurboGears
--> Processing Dependency: python-turbokid >= 1.0.1 for package: TurboGears
--> Processing Dependency: python-json >= 3.3 for package: TurboGears
--> Processing Dependency: python-setuptools >= 0.6c2 for package: TurboGears
--> Processing Dependency: python-psycopg2 for package: TurboGears
--> Processing Dependency: python-simplejson >= 1.3 for package: TurboGears
--> Processing Dependency: python-formencode >= 0.7.1 for package: TurboGears
--> Processing Dependency: python-paste-script >= 0.9.7 for package: TurboGears
--> Processing Dependency: python-kid >= 0.8 for package: TurboGears
--> Processing Dependency: python-turbojson >= 0.9.9 for package: TurboGears
Comment 8 W. Michael Petullo 2008-11-29 12:45:50 EST
(In reply to comment #7)
> This bug does not appear to be resolved.. Comment #6 states "This could
> easily be changed to use mozldap's ldapmodify (installed at
> /usr/lib/mozldap/ldapmodify). This would remove the OpenLDAP / mozldap
> redundancy from ipa-server."
> 
> The dependencies on installation still include openldap-client:

Yes. The statement you quote above implies that there is still a little work to be done in the upstream source. After this is complete (if the IPA folks decide to accept this change), then the Fedora package may be updated to no longer require OpenLDAP.
Comment 9 Simo Sorce 2008-12-01 11:23:11 EST
I think openldap libs will still be required by python-ldap, although we might indeed remove any dependency on openldap-clients

Mike if you want to provide a patch to replace the use of ldapmodify we can try to put it into 1.2.1
Comment 10 W. Michael Petullo 2008-12-08 20:43:38 EST
Created attachment 326239 [details]
Patch to replace use of OpenLDAP with mozldap in krbinstance.py
Comment 11 W. Michael Petullo 2008-12-08 20:44:19 EST
Created attachment 326241 [details]
Patch to replace use of OpenLDAP with mozldap in dsinstance.py
Comment 13 W. Michael Petullo 2009-08-30 15:17:43 EDT
It may now be better to go the other direction (use OpenLDAP exclusively, instead of mozldap). The CVS version of OpenLDAP builds against Mozilla NSS. Furthermore, the 389 Directory Server may build against OpenLDAP in the future (see http://directory.fedoraproject.org/wiki/Use_OpenLDAP_Clients_In_389/). Also, there are many more Fedora packages that build against OpenLDAP than mozldap.

The key is to ship one LDAP library (less code, less bugs, less auditing, etc.) and choosing OpenLDAP may be more realistic.
Comment 14 Rob Crittenden 2009-08-31 09:09:07 EDT
The source tip currently only builds with openldap. I haven't yet completely removed mozldap references but it will be done.
Comment 16 W. Michael Petullo 2010-08-04 22:07:08 EDT
Any update?
Comment 17 Rob Crittenden 2010-08-04 22:42:08 EDT
For our standalone client utilities (ipa-getkeytab, etc) there is no longer an option, they must build against openldap. There are still a few random references to MOZLDAP in the automake files but they will never be populated.

The 389-ds plugins still link against mozldap because that is what 389-ds uses. That will change very soon.

So runtime there is no dependency on mozldap-tools, just mozldap-devel for building.
Comment 18 Rob Crittenden 2010-09-09 13:43:28 EDT
This will be fixed in IPA v2.

Note You need to log in before you can comment on or make changes to this bug.