OK, I know I'm missing something since I know people are building OpenLDAP with OpenSSL for TLS/SSL, but when I add the --with-tls flag to configure, it all goes pear shaped.
I'm starting with freshly downloaded tarballs of openssl-1.1.0c and openldap-2.4.44 on CentOS 7.2.1511. I've installed the packages using yum:
yum -y install tcp_wrappers tcp_wrappers-devel tcp_wrappers-libs libtool-ltdl-devel
I've built/installed openssl with:
./config shared --prefix=/usr/local;make;make test; make install
I then successfully build openldap with:
./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers --enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes --enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes --enable-modules --enable-mdb --enable-debug=yes --enable-syslog --enable-slapd --enable-cleartext --enable-monitor --enable-overlays -with-threads --enable-rewrite --enable-syncprov=yes
(without TLS support)
make depend; make; make distclean
I now add the "--with-tls=openssl" option to configure and it fails with:
./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers --enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes --enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes --enable-modules --enable-mdb --enable-debug=yes --enable-syslog --enable-slapd --enable-cleartext --enable-monitor --enable-overlays -with-threads --enable-rewrite --enable-syncprov=yes --with-tls=openssl
<snip>
checking for sys/un.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
checking for ssl3_accept in -lssl... no
configure: error: Could not locate TLS/SSL package
In looking at config.log:
configure:15466: checking openssl/ssl.h usability
configure:15466: cc -c -g -O2 -I/usr/local/include conftest.c >&5
configure:15466: $? = 0
configure:15466: result: yes
configure:15466: checking openssl/ssl.h presence
configure:15466: cc -E -I/usr/local/include conftest.c
configure:15466: $? = 0
configure:15466: result: yes
configure:15466: checking for openssl/ssl.h
configure:15466: result: yes
configure:15478: checking for SSL_library_init in -lssl
configure:15503: cc -o conftest -g -O2 -I/usr/local/include -L/usr/local/lib -L/usr/local/lib64 -Wl,-rpath,/usr/local/lib conftest.c -lssl -lcrypto -lresolv >&5
/tmp/ccpvG28c.o: In function `main':
/usr/local/src/openldap-2.4.44/conftest.c:107: undefined reference to `SSL_library_init'
collect2: error: ld returned 1 exit status
configure:15503: $? = 1
The source for OpenSSL 1.1.0c no longer has SSL_library_init in either the ssl or crypto libraries. It's now a macro in ssh.h which references OPENSSL_init_ssl. Since the OpenLDAP configure script doesn't pull in ssh.h in its test, it doesn't find SSL_library_init and that test fails. As a hack, I changed the test in configure to use OPENSSL_init_ssl instead of SSL_library_init and OpenLDAP successfully configured, but that blows up during make with a whole host of errors.
I've also tried adding "-I/usr/local/include/openssl" to the CPPFLAGS environment but that doesn't change anything (as I expected):
./configure CPPFLAGS="-I/usr/local/include -I/usr/local/include/openssl" LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers --enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes --enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes --enable-modules --enable-mdb --enable-debug=yes --enable-syslog --enable-slapd --enable-cleartext --enable-monitor --enable-overlays -with-threads --enable-rewrite --enable-syncprov=yes --with-tls=openssl
So, is my next step to pull the dev version of 2.4.45 from git or am I just being a moron?
Tom Leach
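
The configure link test described above only sees symbols the library exports, not header macros, so the symbol table of libssl shows which initialisation entry point a given build actually provides. The following is an added example, not part of the original post: the function name classify_libssl_init and both sample symbol listings are constructed for illustration, and it assumes nm(1) style "address type symbol" output.

```shell
#!/bin/sh
# Classify a libssl build by the initialisation symbol it exports.
# Reads `nm -D --defined-only` style output on stdin and prints one of:
#   legacy       SSL_library_init is an exported function (pre-1.1 API)
#   openssl-1.1  only OPENSSL_init_ssl is exported (SSL_library_init is a macro)
#   unknown      neither symbol is defined in the listing
classify_libssl_init() {
    awk '
        # Defined text symbols look like "<address> T <symbol>[@@version]".
        NF >= 3 && $2 == "T" {
            sym = $3
            sub(/@.*/, "", sym)      # drop any symbol-version suffix
            if (sym == "SSL_library_init") legacy = 1
            if (sym == "OPENSSL_init_ssl") modern = 1
        }
        END {
            if (legacy)      print "legacy"
            else if (modern) print "openssl-1.1"
            else             print "unknown"
        }'
}

# Constructed sample listings (addresses are made up).
SAMPLE_110='0000000000031a40 T OPENSSL_init_ssl@@OPENSSL_1_1_0
0000000000028f10 T SSL_CTX_new@@OPENSSL_1_1_0'
SAMPLE_OLD='000000000004a1b0 T SSL_library_init
0000000000045c20 T SSL_CTX_new'
# An undefined reference (type U, no address) must not count as exported.
SAMPLE_UNDEF='                 U SSL_library_init'

# With a path argument, inspect a real shared library; otherwise show samples.
if [ "$#" -gt 0 ]; then
    nm -D --defined-only "$1" | classify_libssl_init
else
    printf '%s\n' "$SAMPLE_110" | classify_libssl_init
    printf '%s\n' "$SAMPLE_OLD" | classify_libssl_init
fi
```

A result of openssl-1.1 for the library that configure links against matches the "checking for SSL_library_init in -lssl... no" line in the output above.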