OK, I know I'm missing something since I know people are building OpenLDAP with OpenSSL for TLS/SSL, but when I add the --with-tls flag to configure, it all goes pear shaped.
I'm starting with freshly downloaded tarballs of openssl-1.1.0c and openldap-2.4.44 on CentOS 7.2.1511. I've installed the packages using yum:

yum -y install tcp_wrappers tcp_wrappers-devel tcp_wrappers-libs libtool-ltdl-devel

I've built/installed openssl with:

./config shared --prefix=/usr/local; make; make test; make install

I then successfully built openldap (without TLS support) with:

./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers --enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes --enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes --enable-modules --enable-mdb --enable-debug=yes --enable-syslog --enable-slapd --enable-cleartext --enable-monitor --enable-overlays -with-threads --enable-rewrite --enable-syncprov=yes
make depend; make; make distclean

When I add the "--with-tls=openssl" option to configure, it fails with:

./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers --enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes --enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes --enable-modules --enable-mdb --enable-debug=yes --enable-syslog --enable-slapd --enable-cleartext --enable-monitor --enable-overlays -with-threads --enable-rewrite --enable-syncprov=yes --with-tls=openssl
<snip>
checking for sys/un.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
checking for ssl3_accept in -lssl... no
configure: error: Could not locate TLS/SSL package

In looking at config.log:

configure:15466: checking openssl/ssl.h usability
configure:15466: cc -c -g -O2 -I/usr/local/include conftest.c >&5
configure:15466: $? = 0
configure:15466: result: yes
configure:15466: checking openssl/ssl.h presence
configure:15466: cc -E -I/usr/local/include conftest.c
configure:15466: $? = 0
configure:15466: result: yes
configure:15466: checking for openssl/ssl.h
configure:15466: result: yes
configure:15478: checking for SSL_library_init in -lssl
configure:15503: cc -o conftest -g -O2 -I/usr/local/include -L/usr/local/lib -L/usr/local/lib64 -Wl,-rpath,/usr/local/lib conftest.c -lssl -lcrypto -lresolv >&5
/tmp/ccpvG28c.o: In function `main':
/usr/local/src/openldap-2.4.44/conftest.c:107: undefined reference to `SSL_library_init'
collect2: error: ld returned 1 exit status
configure:15503: $? = 1

The source for OpenSSL 1.1.0c no longer has SSL_library_init in either the ssl or crypto libraries. It's now a macro in ssl.h which references OPENSSL_init_ssl. Since the OpenLDAP configure script doesn't pull in ssl.h in its test, it doesn't find SSL_library_init and that test fails. As a hack, I changed the test in configure to use OPENSSL_init_ssl instead of SSL_library_init and OpenLDAP successfully configured, but that blows up during make with a whole host of errors.

I've also tried adding "-I/usr/local/include/openssl" to the CPPFLAGS environment, but that doesn't change anything (as I expected):

./configure CPPFLAGS="-I/usr/local/include -I/usr/local/include/openssl" LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers --enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes --enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes --enable-modules --enable-mdb --enable-debug=yes --enable-syslog --enable-slapd --enable-cleartext --enable-monitor --enable-overlays -with-threads --enable-rewrite --enable-syncprov=yes --with-tls=openssl

So, is my next step to pull the dev version of 2.4.45 from git or am I just being a moron?

Tom Leach
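The failing check above is worth reproducing outside configure, because the cause is a property of autoconf's AC_CHECK_LIB rather than of the OpenSSL install. The script below is an added example, not code from this thread or from the OpenLDAP or OpenSSL projects. It writes the same shape of conftest.c that AC_CHECK_LIB generates (a bare `char SSL_library_init();` declaration with no header, so a macro in ssl.h is invisible and the link fails on 1.1.0), the variant the poster tried by hand (probing OPENSSL_init_ssl instead, which links on 1.1.0 but not on 1.0.2), and a header-aware probe that links on both. It assumes `cc` (or `$CC`) is on PATH and that CPPFLAGS/LDFLAGS carry the same -I/-L/-rpath flags that were handed to configure; the status 77 for "cannot be tried here" is borrowed from the autotools skip convention.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP/OpenSSL: reproduce
# the probe OpenLDAP 2.4.44's configure runs for SSL_library_init and show why
# it fails against OpenSSL 1.1.0.  autoconf's AC_CHECK_LIB emits a "bare" test
# program that declares the symbol itself and never includes <openssl/ssl.h>,
# so a macro defined there is invisible to the linker.  A "header" probe
# includes ssl.h, so SSL_library_init() expands to OPENSSL_init_ssl() on
# 1.1.0+ and links on every release.
#
# Assumptions: cc (or $CC) is on PATH, and CPPFLAGS/LDFLAGS carry the same
# -I/-L/-rpath flags the poster gave to configure.
CC=${CC:-cc}
CPPFLAGS=${CPPFLAGS:-}
LDFLAGS=${LDFLAGS:-}

# The initialisation routine that is a real, linkable symbol for a given
# OPENSSL_VERSION_NUMBER (hex, e.g. 0x1010003f for 1.1.0c, 0x100020af for
# 1.0.2j).  The cut is 0x10100000 (1.1.0), where SSL_library_init became a
# macro wrapping OPENSSL_init_ssl.
init_symbol_for_version() {
    if [ "$(( $1 >= 0x10100000 ))" -eq 1 ]; then
        echo OPENSSL_init_ssl
    else
        echo SSL_library_init
    fi
}

# Write the probe program.  $1: "bare" or "header"; $2: symbol for the bare
# probe; $3: output path.
write_probe() {
    case $1 in
        bare)   # same shape as the conftest.c that AC_CHECK_LIB generates
            printf 'char %s();\nint main(void) { return %s(); }\n' "$2" "$2" >"$3" ;;
        header) # header-aware: the macro is visible, so this links on 1.0.x and 1.1.x
            printf '#include <openssl/ssl.h>\nint main(void) { SSL_library_init(); return 0; }\n' >"$3" ;;
        *)      echo "write_probe: unknown mode '$1'" >&2; return 2 ;;
    esac
}

# Can we compile and link against OpenSSL at all?  0 if yes, 77 (the
# autotools "skip" status) if the compiler, headers or libssl are missing.
toolchain_ok() {
    command -v "$CC" >/dev/null 2>&1 || return 77
    tk=$(mktemp -d "${TMPDIR:-/tmp}/sslprobe.XXXXXX") || return 77
    printf '#include <openssl/ssl.h>\nint main(void) { return 0; }\n' >"$tk/t.c"
    # $CPPFLAGS/$LDFLAGS are unquoted on purpose so they word-split.
    if "$CC" $CPPFLAGS -o "$tk/t" "$tk/t.c" $LDFLAGS -lssl -lcrypto >/dev/null 2>&1; then
        rm -rf "$tk"; return 0
    fi
    rm -rf "$tk"; return 77
}

# Run one probe.  $1: mode, $2: symbol (bare mode only).  Returns 0 if it
# links, 1 if the link fails (what configure reports as "... no"), 77 if it
# cannot be tried on this machine.
probe_links() {
    toolchain_ok || return $?
    pd=$(mktemp -d "${TMPDIR:-/tmp}/sslprobe.XXXXXX") || return 77
    write_probe "$1" "${2:-SSL_library_init}" "$pd/conftest.c" || { rm -rf "$pd"; return 2; }
    if "$CC" $CPPFLAGS -o "$pd/conftest" "$pd/conftest.c" $LDFLAGS -lssl -lcrypto >"$pd/log" 2>&1; then
        rm -rf "$pd"; return 0
    fi
    rm -rf "$pd"; return 1
}

# Report the three probes in configure's own "checking for ..." style.
report() {
    for spec in "bare SSL_library_init" "bare OPENSSL_init_ssl" "header SSL_library_init"; do
        set -- $spec
        rc=0; probe_links "$1" "$2" || rc=$?
        case $rc in
            0)  echo "checking for $2 ($1 probe)... yes" ;;
            1)  echo "checking for $2 ($1 probe)... no" ;;
            77) echo "no usable cc + OpenSSL headers/libs found; skipping"; return 0 ;;
            *)  echo "probe error $rc" >&2; return 1 ;;
        esac
    done
}

report
```

Run it with the same environment the poster used (`CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib" sh probe.sh`): against 1.1.0c the first bare probe reports "no" and the second "yes", against 1.0.2j the reverse, and the header probe reports "yes" in both cases. That is the whole reason editing the symbol name in configure got past the probe and then failed in make: the probe was never the real incompatibility, only the first place the 1.1.0 API change surfaced.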
So, as a followup to anyone else who may hit this issue, OpenLDAP 2.4.44 won't build (without a set of patches) using OpenSSL 1.1.0c. I downloaded the older OpenSSL 1.0.2j and everything built fine. Hopefully the patches that allow OpenSSL 1.1.0 will be rolled into OpenLDAP 2.4.45, but it may be longer as there seem to be a number of OpenSSL API changes.

Tom
On 12/01/2016 02:26 PM, Tom Leach wrote:
openldap-technical@openldap.org