Bug 434153 - ipa-server ends up requiring both openldap-clients and mozldap-tools
Summary: ipa-server ends up requiring both openldap-clients and mozldap-tools
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: future release
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 565950
 
Reported: 2008-02-22 14:23 UTC by W. Michael Petullo
Modified: 2015-01-04 23:30 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-09-09 17:43:28 UTC
Embargoed:


Attachments:
Patch to replace usage of OpenLDAP with mozldap (10.28 KB, patch)
2008-02-24 14:06 UTC, W. Michael Petullo
Patch to replace usage of OpenLDAP with mozldap (18.18 KB, patch)
2008-02-28 09:06 UTC, W. Michael Petullo
Patch to replace use of OpenLDAP with mozldap in krbinstance.py (535 bytes, patch)
2008-12-09 01:43 UTC, W. Michael Petullo
Patch to replace use of OpenLDAP with mozldap in dsinstance.py (524 bytes, patch)
2008-12-09 01:44 UTC, W. Michael Petullo

Description W. Michael Petullo 2008-02-22 14:23:27 UTC
Description of problem:
ipa-server ends up requiring both openldap-clients and mozldap-tools

Version-Release number of selected component (if applicable):
ipa-server-0.99-9.fc9.ppc

How reproducible:
Every time

Steps to Reproduce:
Install ipa-tools
  
Actual results:
ipa-tools requires openldap-clients and fedora-ds-base
fedora-ds-base requires mozldap-tools
Furthermore, openldap-clients uses OpenSSL and mozldap-tools uses NSS.

Expected results:
ipa-tools could be modified to use mozldap-tools, eliminating the redundant
dependency on openldap-clients.

Additional info:

Comment 1 W. Michael Petullo 2008-02-24 14:06:49 UTC
Created attachment 295739
Patch to replace usage of OpenLDAP with mozldap

I've attached a patch that begins the process of replacing OpenLDAP with
mozldap. FreeIPA relies on Red Hat's Directory Server, which uses mozldap. A
FreeIPA build using mozldap would reduce the project's dependencies and
redundant code. In addition, mozldap uses NSS instead of OpenSSL. This is
beneficial for the reasons listed in [1].

[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation

Comment 2 W. Michael Petullo 2008-02-28 09:06:33 UTC
Created attachment 296172
Patch to replace usage of OpenLDAP with mozldap

This patch now allows one to specify --with-openldap if they want to continue
using OpenLDAP, otherwise mozldap is used. The exception is ipa-server's
ipa-slapi-plugins, which will not build against OpenLDAP.

Comment 3 Rob Crittenden 2008-05-29 20:14:44 UTC
This was committed by Simo to the master branch as changeset
29ddbc610ccc14eb70dcb7ffde7c1f5cc2b95203

Comment 4 W. Michael Petullo 2008-07-24 01:41:35 UTC
This would be fixed, except my patch breaks ipa-kpasswd.c. I am working on
fixing this.

Comment 5 W. Michael Petullo 2008-09-06 15:38:03 UTC
I submitted another patch that fixed the issue mentioned in comment #4. See https://www.redhat.com/archives/freeipa-devel/2008-July/msg00118.html. This bug should be resolved once Fedora packages the newest IPA source.

Comment 6 W. Michael Petullo 2008-11-23 00:18:24 UTC
FreeIPA 1.2 no longer uses the OpenLDAP libraries. However, the RPM specification used by Fedora still BuildRequires openldap-devel. This build dependency should be removed.

Also, FreeIPA 1.2 still uses openldap-clients. As far as I can tell, this is only in dsinstance.py and krbinstance.py, which both use ldapmodify. This could easily be changed to use mozldap's ldapmodify (installed at /usr/lib/mozldap/ldapmodify). This would remove the OpenLDAP / mozldap redundancy from ipa-server.

Comment 7 Jenny Severance 2008-11-25 15:58:49 UTC
This bug does not appear to be resolved. Comment #6 states "This could
easily be changed to use mozldap's ldapmodify (installed at
/usr/lib/mozldap/ldapmodify). This would remove the OpenLDAP / mozldap
redundancy from ipa-server."

The dependencies on installation still include openldap-client:

--> Processing Dependency: perl-Mozilla-LDAP for package: redhat-ds-base
--> Processing Dependency: perl(Mozilla::LDAP::Conn) for package: redhat-ds-base
--> Processing Dependency: libsensors.so.3 for package: redhat-ds-base
--> Processing Dependency: perl(Mozilla::LDAP::Utils) for package: redhat-ds-base
--> Processing Dependency: perl(Mozilla::LDAP::API) for package: redhat-ds-base
--> Processing Dependency: mozldap-tools for package: redhat-ds-base
--> Processing Dependency: cyrus-sasl-md5 for package: redhat-ds-base
--> Processing Dependency: perl(Mozilla::LDAP::LDIF) for package: redhat-ds-base
---> Package python-tgexpandingformwidget.noarch 0:0.1.3-5.el5ipa set to be updated
---> Package python-pyasn1.noarch 0:0.0.7a-4.el5ipa set to be updated
---> Package mod_nss.i386 0:1.0.3-6.el5ipa set to be updated
---> Package ipa-server-selinux.i386 0:1.1.0-2.20081124.el5ipa set to be updated
---> Package mod_auth_kerb.i386 0:5.1-3.el5 set to be updated
---> Package openldap-clients.i386 0:2.3.27-8.el5_2.4 set to be updated
---> Package TurboGears.noarch 0:1.0.3.2-7.el5ipa set to be updated
--> Processing Dependency: python-sqlalchemy >= 0.3 for package: TurboGears
--> Processing Dependency: python-tgfastdata for package: TurboGears
--> Processing Dependency: python-turbocheetah >= 0.9.5 for package: TurboGears
--> Processing Dependency: python-cherrypy >= 2.2.1 for package: TurboGears
--> Processing Dependency: python-ruledispatch for package: TurboGears
--> Processing Dependency: python-decoratortools >= 1.4 for package: TurboGears
--> Processing Dependency: python-sqlobject >= 0.8 for package: TurboGears
--> Processing Dependency: python-nose >= 0.9.1 for package: TurboGears
--> Processing Dependency: python-turbokid >= 1.0.1 for package: TurboGears
--> Processing Dependency: python-json >= 3.3 for package: TurboGears
--> Processing Dependency: python-setuptools >= 0.6c2 for package: TurboGears
--> Processing Dependency: python-psycopg2 for package: TurboGears
--> Processing Dependency: python-simplejson >= 1.3 for package: TurboGears
--> Processing Dependency: python-formencode >= 0.7.1 for package: TurboGears
--> Processing Dependency: python-paste-script >= 0.9.7 for package: TurboGears
--> Processing Dependency: python-kid >= 0.8 for package: TurboGears
--> Processing Dependency: python-turbojson >= 0.9.9 for package: TurboGears
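
Added example, not part of the bug report or the FreeIPA source: a Python check that parses yum resolver output in the format shown above and reports which LDAP client stacks a transaction pulls in and which packages asked for them. The STACKS grouping and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Lines excerpted from the yum output quoted in comment 7.
SAMPLE = """\
--> Processing Dependency: mozldap-tools for package: redhat-ds-base
--> Processing Dependency: cyrus-sasl-md5 for package: redhat-ds-base
---> Package mod_nss.i386 0:1.0.3-6.el5ipa set to be updated
---> Package openldap-clients.i386 0:2.3.27-8.el5_2.4 set to be updated
--> Processing Dependency: python-sqlalchemy >= 0.3 for package: TurboGears
"""

# Assumption: package names grouped per LDAP client stack; the crypto library
# in each label is the one this bug report attributes to that stack.
STACKS = {
    "OpenLDAP (OpenSSL)": {"openldap", "openldap-clients"},
    "mozldap (NSS)": {"mozldap", "mozldap-tools"},
}

DEP_RE = re.compile(r"^--> Processing Dependency: (\S+).* for package: (\S+)$")
PKG_RE = re.compile(r"^---> Package (\S+)\.\w+ \S+ set to be \w+$")


def ldap_stacks_in_transaction(yum_output):
    """Map each LDAP stack in the transaction to {package: [requirers]}."""
    requirers = defaultdict(set)   # capability -> packages that asked for it
    pulled = set()                 # every package named in the transaction
    for line in yum_output.splitlines():
        line = line.strip()
        dep = DEP_RE.match(line)
        pkg = PKG_RE.match(line)
        if dep:
            requirers[dep.group(1)].add(dep.group(2))
            pulled.add(dep.group(1))
        elif pkg:
            pulled.add(pkg.group(1))
    report = {}
    for stack, names in STACKS.items():
        hits = {n: sorted(requirers.get(n, ())) for n in sorted(names & pulled)}
        if hits:
            report[stack] = hits
    return report


def has_redundant_ldap_stacks(yum_output):
    """True when the transaction pulls in more than one LDAP client stack."""
    return len(ldap_stacks_in_transaction(yum_output)) > 1
```

An empty requirer list, as for openldap-clients in this excerpt, means the line that requested the package is not in the captured output.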

Comment 8 W. Michael Petullo 2008-11-29 17:45:50 UTC
(In reply to comment #7)
> This bug does not appear to be resolved. Comment #6 states "This could
> easily be changed to use mozldap's ldapmodify (installed at
> /usr/lib/mozldap/ldapmodify). This would remove the OpenLDAP / mozldap
> redundancy from ipa-server."
> 
> The dependencies on installation still include openldap-client:

Yes. The statement you quote above implies that there is still a little work to be done in the upstream source. After this is complete (if the IPA folks decide to accept this change), then the Fedora package may be updated to no longer require OpenLDAP.

Comment 9 Simo Sorce 2008-12-01 16:23:11 UTC
I think openldap libs will still be required by python-ldap, although we might indeed remove any dependency on openldap-clients.

Mike, if you want to provide a patch to replace the use of ldapmodify we can try to put it into 1.2.1.

Comment 10 W. Michael Petullo 2008-12-09 01:43:38 UTC
Created attachment 326239
Patch to replace use of OpenLDAP with mozldap in krbinstance.py

Comment 11 W. Michael Petullo 2008-12-09 01:44:19 UTC
Created attachment 326241
Patch to replace use of OpenLDAP with mozldap in dsinstance.py

Comment 13 W. Michael Petullo 2009-08-30 19:17:43 UTC
It may now be better to go the other direction (use OpenLDAP exclusively, instead of mozldap). The CVS version of OpenLDAP builds against Mozilla NSS. Furthermore, the 389 Directory Server may build against OpenLDAP in the future (see http://directory.fedoraproject.org/wiki/Use_OpenLDAP_Clients_In_389/). Also, there are many more Fedora packages that build against OpenLDAP than mozldap.

The key is to ship one LDAP library (less code, less bugs, less auditing, etc.) and choosing OpenLDAP may be more realistic.

Comment 14 Rob Crittenden 2009-08-31 13:09:07 UTC
The source tip currently only builds with openldap. I haven't yet completely removed mozldap references but it will be done.

Comment 16 W. Michael Petullo 2010-08-05 02:07:08 UTC
Any update?

Comment 17 Rob Crittenden 2010-08-05 02:42:08 UTC
For our standalone client utilities (ipa-getkeytab, etc.) there is no longer an option; they must build against openldap. There are still a few random references to MOZLDAP in the automake files but they will never be populated.

The 389-ds plugins still link against mozldap because that is what 389-ds uses. That will change very soon.

So at runtime there is no dependency on mozldap-tools, just mozldap-devel for building.

Comment 18 Rob Crittenden 2010-09-09 17:43:28 UTC
This will be fixed in IPA v2.

