Subject: LDAP KDB module does not build against Solaris native LDAP library
kdb_ldap_conn.c fails to build because LDAP_SASL_QUIET is not
defined. We pass this value to ldap_sasl_interactive_bind_s() in the
flags parameter.

The semantics of this parameter seem to be rather poorly defined
across implementations. OpenLDAP defines and documents three values,
LDAP_SASL_{AUTOMATIC,INTERACTIVE,QUIET}. The documentation says they
determine when prompting is performed. However, it only seems to
respond to LDAP_SASL_QUIET, and prints informational messages to
stderr if that value is not used.

Solaris defines only LDAP_SASL_INTERACTIVE, and its implementation of
ldap_sasl_interactive_bind_s() simply errors out if that flag is not
specified. The man page at
http://docs.oracle.com/cd/E36784_01/html/E36875/ldap-sasl-interactive-bind-s-3ldap.html
just says "The LDAP_SASL_INTERACTIVE
option flag is passed to the libldap API through the flags argument
of the API. The flag tells the API to use the SASL interactive mode
and to have the API request SASL authentication data through the
LDAP_SASL_INTERACTIVE_PROC callback as needed."

replace_rdn() (added by ticket 8065) also does not work with the Solaris
LDAP, because it depends on ldap_str2dn(). The approach taken in
krb5_ldap_policydn_to_name() is to have one implementation using
ldap_str2dn() and one using ldap_explode_dn(), but that may not work here
because there is no obvious inverse of ldap_explode_dn().

After discussion with the Solaris team, we have decided not to support the
old Mozilla LDAP library any more, and to remove the compatibility code
that was already present. Solaris 12 will be making OpenLDAP the default
LDAP library.