09.04.2016, 09:12, Ryan Tandy wrote:
> On Fri, Apr 08, 2016 at 08:41:01PM +0300, Timo Aaltonen wrote:
> Are you planning to do this in unstable as well, or just in xenial (as
> it sounds like it might be a temporary measure)? Luca and I talked about
> binNEW a while back, and flagged the out-of-date debian/copyright and
> remaining lintian errors as possible concerns that might slow that down.

I think it would be more permanent than that, as it's still useful for non-freeipa multimaster 389ds installations, and also test-suites using ldaps (both 389 & freeipa).

> Adding libldap-common probably resolves #330695. I don't remember
> whether there was anything else to be done for that one.

Ah, I can look into that some more.

> The dh_auto_configure invocation you have looks like it breaks stage1
> builds (unconditional --enable-slapd).

Indeed, I'll fix that.

> I notice the ITS#7373 patch hasn't been applied upstream yet. If we're
> going to apply the NSS patches to both source trees, maybe you could
> ping them for a review?

Oh right, well for now this could be applied only to the nss tree. The other patches should only touch tls_n.c iirc.. will double-check that.

> What happens if both copies of libldap somehow end up linked into the
> same process? I don't know freeipa well enough to imagine a specific
> scenario, but it probably involves PAM somehow... Looks like curl
> handles this via renaming the symbol versions, we could probably do the
> same, if needed.

Hmm right, I didn't notice the symbol renaming in curl though I used it as an example for how to build separate versions.. so it just needs changes in .symbols?

> I had anticipated a second out-of-tree build with the same source, so
> now I'm curious: what required copying the source tree? It looks like
> nss-build.patch is just changing the filename of the shared library, not
> the SONAME or anything, right? (Should it? Or are they actually
> ABI-compatible? From an earlier comment of yours, it sounded like they
> might not be.)

Well I used curl as an example.. but now that you mentioned it maybe it could just be configured without nss-build.diff and then again with it applied. Should be ABI compatible, which comment are you referring to?

> What does the NSS build do with the TLS_CACERT setting we put in the
> default ldap.conf? I notice #726116 is still open.

Good point, didn't notice that until now..

> Best of luck getting freeipa working, by one approach or the other...

it works great, just blocked on getting pkcs11 support in bind9, and native systemd units for apache2 & opendnssec...

--
t