Hi!
Is there any magic to be cast upon openldap to enable the MozNSS support when compiling it? Perhaps I'm missing something, but there doesn't seem to be a configure switch to enable NSS, like with Gnutls or OpenSSL.
Kind regards, Silvan
Silvan Marco Fin wrote:
> Hi!
> Is there any magic to be cast upon openldap to enable the MozNSS support when compiling it? Perhaps I'm missing something, but there doesn't seem to be a configure switch to enable NSS, like with Gnutls or OpenSSL.
It is not yet supported by configure. In the meantime, you have to do something like this (I use 64-bit RHEL and Fedora, so your OS may vary):
This assumes you have openldap from a source tarball or CVS in a directory called ol2.4.23:

    ls ol2.4.23/
    mkdir build
    cd build # I don't build "in tree" - I build in a separate directory
    EXTRA_CFLAGS="-I/usr/include/nss3 -I/usr/include/nspr4 -DHAVE_TLS -DHAVE_MOZNSS"
    if [ ! -d include/nss ] ; then
        # openldap uses the #include <nss/file.h> style, but nspr and nss use the
        # #include <file.h> style - so we have to accommodate both styles
        mkdir -p include ; cd include ; ln -s /usr/include/nss3 nss ; cd ..
    fi
    if [ ! -d include/nspr ] ; then
        # openldap uses the #include <nss/file.h> style, but nspr and nss use the
        # #include <file.h> style - so we have to accommodate both styles
        mkdir -p include ; cd include ; ln -s /usr/include/nspr4 nspr ; cd ..
    fi
    TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
    LIBS="$TLS_LIBS" CFLAGS="-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic $EXTRA_CFLAGS" ../ol2.4.23/configure --with-tls=no ...other configure args...

> Kind regards, Silvan
Rich Megginson wrote:
> Silvan Marco Fin wrote:
> > Hi!
> > Is there any magic to be cast upon openldap to enable the MozNSS support when compiling it? Perhaps I'm missing something, but there doesn't seem to be a configure switch to enable NSS, like with Gnutls or OpenSSL.
> It is not yet supported by configure. In the meantime, you have to do something like this (I use 64-bit RHEL and Fedora, so your OS may vary):
> This assumes you have openldap from a source tarball or CVS in a directory called ol2.4.23:
>
>     ls ol2.4.23/
>     mkdir build
>     cd build # I don't build "in tree" - I build in a separate directory
>     EXTRA_CFLAGS="-I/usr/include/nss3 -I/usr/include/nspr4 -DHAVE_TLS -DHAVE_MOZNSS"
>     if [ ! -d include/nss ] ; then
>         # openldap uses the #include<nss/file.h> style, but nspr and nss use the
>         # #include<file.h> style - so we have to accommodate both styles
Ah yes, I forgot to mention this detail. There is no standardized location for the MozNSS header files. Ubuntu/Debian puts them in a different place, and I seem to recall that OpenSuSE does as well. (And I originally started this work on Ubuntu...)
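An added example, not part of the original thread: because the header location differs between distributions, the shell functions below probe for nss.h and nspr.h and then create the include/nss and include/nspr symlinks used in the build script quoted above. The function names and every candidate path other than /usr/include/nss3 and /usr/include/nspr4 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find the MozNSS/NSPR header
# directories by probing instead of hard-coding the Fedora/RHEL paths.

# Candidate directories relative to the filesystem root. The first entry of
# each list is the path used in the thread; the others are assumptions.
NSS_CANDIDATES="usr/include/nss3 usr/include/nss usr/local/include/nss"
NSPR_CANDIDATES="usr/include/nspr4 usr/include/nspr usr/local/include/nspr"

# find_hdr_dir MARKER ROOT DIR...
# Print the first ROOT/DIR that contains the header MARKER; fail if none does.
find_hdr_dir() {
    marker=$1; root=$2; shift 2
    for d in "$@"; do
        if [ -f "$root/$d/$marker" ]; then
            printf '%s\n' "$root/$d"
            return 0
        fi
    done
    return 1
}

# setup_moznss_includes ROOT BUILDDIR   (ROOT must be an absolute path)
# Create BUILDDIR/include/nss and BUILDDIR/include/nspr symlinks so that both
# the <nss/file.h> and the <file.h> include styles resolve, then print the
# value to use for EXTRA_CFLAGS. Nothing is created if either header set is
# missing.
setup_moznss_includes() {
    root=${1%/}; build=$2
    nss_dir=$(find_hdr_dir nss.h "$root" $NSS_CANDIDATES) ||
        { echo "NSS headers not found under ${root:-/}" >&2; return 1; }
    nspr_dir=$(find_hdr_dir nspr.h "$root" $NSPR_CANDIDATES) ||
        { echo "NSPR headers not found under ${root:-/}" >&2; return 1; }
    mkdir -p "$build/include" || return 1
    [ -e "$build/include/nss" ] || ln -s "$nss_dir" "$build/include/nss" || return 1
    [ -e "$build/include/nspr" ] || ln -s "$nspr_dir" "$build/include/nspr" || return 1
    printf '%s\n' "-I$nss_dir -I$nspr_dir -DHAVE_TLS -DHAVE_MOZNSS"
}

# Usage from the build directory: EXTRA_CFLAGS=$(sh this-script / .)
if [ "$#" -eq 2 ]; then
    setup_moznss_includes "$1" "$2"
fi
```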
--On Friday, September 24, 2010 7:25 PM +0200 Silvan Marco Fin silvan@kernelconcepts.de wrote:
> Hi!
> Is there any magic to be cast upon openldap to enable the MozNSS support when compiling it? Perhaps I'm missing something, but there doesn't seem to be a configure switch to enable NSS, like with Gnutls or OpenSSL.
There is no switch for it at this time.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
> --On Friday, September 24, 2010 7:25 PM +0200 Silvan Marco Fin silvan@kernelconcepts.de wrote:
> > Hi!
> > Is there any magic to be cast upon openldap to enable the MozNSS support when compiling it? Perhaps I'm missing something, but there doesn't seem to be a configure switch to enable NSS, like with Gnutls or OpenSSL.
> There is no switch for it at this time.
And that is because currently MozNSS cannot be used transparently as a drop-in replacement for OpenSSL or GnuTLS. Once the MozNSS folks get their PEM handler into their mainline code, it ought to work reasonably transparently, and at that point we may provide a configure switch for it. For now, we do not endorse or support it.
Thanks for your input, currently I'm trying to get it working with the description supplied here.
On 27.09.2010 22:38, Howard Chu wrote:
> > > doesn't seem to be a configure switch to enable NSS, like with Gnutls or
> > There is no switch for it at this time.
> And that is because currently MozNSS cannot be used transparently as a drop-in replacement for OpenSSL or GnuTLS. Once the MozNSS folks get their PEM handler into their mainline code, it ought to work reasonably transparently, and at that point we may provide a configure switch for it. For now, we do not endorse or support it.
Perhaps I can give you some additional reason to support NSS: MozNSS has the "certdb thing" and PKCS11 support. We (that is my company: kernel concepts) want to get evolution's ldap backend to support client side certificates from software and hardware tokens, and that is exactly what MozNSS provides out of the box. OpenSSL currently lacks PKCS11 support completely (AFAIK) and Gnutls support for PKCS11 is very new, so our goal is to get everything we need out of NSS.
Kind regards, Silvan
Silvan Marco Fin wrote:
> Thanks for your input, currently I'm trying to get it working with the description supplied here.
> On 27.09.2010 22:38, Howard Chu wrote:
> > > > doesn't seem to be a configure switch to enable NSS, like with Gnutls or
> > > There is no switch for it at this time.
> > And that is because currently MozNSS cannot be used transparently as a drop-in replacement for OpenSSL or GnuTLS. Once the MozNSS folks get their PEM handler into their mainline code, it ought to work reasonably transparently, and at that point we may provide a configure switch for it. For now, we do not endorse or support it.
> Perhaps I can give you some additional reason to support NSS: MozNSS has the "certdb thing" and PKCS11 support. We (that is my company: kernel concepts) want to get evolution's ldap backend to support client side certificates from software and hardware tokens, and that is exactly what MozNSS provides out of the box. OpenSSL currently lacks PKCS11 support completely (AFAIK) and Gnutls support for PKCS11 is very new, so our goal is to get everything we need out of NSS.
OpenSSL has had PKCS11 support since at least 2001. It's usually packaged by distros and ready to use, e.g.
https://launchpad.net/ubuntu/karmic/+package/libengine-pkcs11-openssl
MozNSS still has serious design problems wrt reentrancy and multiple independent code bases (programs and libraries) calling into it with different config requirements...
On 28.09.2010 11:15, Howard Chu wrote:
> OpenSSL has had PKCS11 support since at least 2001. It's usually packaged by distros and ready to use, e.g.
Interesting! But the PKCS11-Engine is from the OpenSC project and not contained in the OpenSSL software. But anyway, it's worth a try, thanks for the hint!
openldap-technical@openldap.org