[sudo-users] Compile Sudo 1.6.8p12 with Mozilla sdk 5.1.7
Macleod, Paul
paul.macleod at eds.com
Wed Jan 24 03:59:37 EST 2007
Hi Guys,
I've had several mails asking questions about this problem. No-one
replied to the distribution list with any advice, recommendations or
solutions but folks have approached me asking if I'd had success. What
I can tell you is, I've overcome the initial problem, it compiles clean
and does connect with an ldap directory, but I haven't had opportunity
to fully test things.
I'll write through what was done so you can have an opportunity to learn
from it and possibly highlight if there is a better way to do things as
well.
To recap this configure statement:
./configure --prefix=/export/home/macleodp/sudo-build \
--with-ldap=/export/home/macleodp/ldapcsdk-5.1.7 \
--with-pam --with-rpath
Has this undesirable result:
checking for LDAP libraries... -lldap
checking whether lber.h is needed... no
checking for ldap_initialize... no
checking for ldap_start_tls_s... no
and the config.log contains:
configure:30044: checking for ldap_start_tls_s
configure:30094: gcc -o conftest -O2 -D__EXTENSIONS__
-I/export/home/macleodp/ldapcsdk-5.1.7/include
-L/export/home/macleodp/ldapcsdk-5.1.7/lib
-R/export/home/macleodp/ldapcsdk-5.1.7/lib conftest.c -lsocket -lnsl
-lldap >&5
Undefined                       first referenced
 symbol                             in file
ldap_start_tls_s                    /var/tmp//ccuoMRWb.o
This has been solved with four steps, none of which involve amendment of
source codes!
The objective I have is to create a sudo package, with ldap support that
can be bundled up and deployed to client Solaris environments wherever
they are needed. As there is requirement to have the Netscape security
and portable runtime libraries, there can be multiple copies of these of
different versions on the environment so felt it was important to have
them grouped together for sudo use.
1) Created a library directory that contains the binaries from NSS 3.11,
NSPR 4.6, and Mozilla LDAP sdk 5.1.7.
For this purpose, they were copied to /export/home/macleodp/commonlibs
$ ls /export/home/macleodp/commonlibs
cpu                      libfreebl_32int_3.so  libldap50.a   libnssckbi.so   libsmime3.so
libfreebl_32fpu_3.chk    libiutil50.a          libldap50.so  libplc4.a       libsoftokn3.chk
libfreebl_32fpu_3.so     libjss4.so            libldif50.a   libplc4.so      libsoftokn3.so
libfreebl_32int64_3.chk  liblber50.a           libnspr4.a    libplds4.a      libssl3.so
libfreebl_32int64_3.so   libldap.a             libnspr4.so   libplds4.so     libssldap50.so
libfreebl_32int_3.chk    libldap.so            libnss3.so    libprldap50.so
2) The configure script is now told two things: where to find the
libraries, and to specifically use the libssldap50.so that contains the
ldap_start_tls_s function.
./configure --prefix=/export/home/macleodp/sudo-build \
--with-ldap=/export/home/macleodp/ldapcsdk-5.1.7 \
--with-libpath='/export/home/macleodp/commonlibs' \
--with-pam --with-libraries='ssldap50' \
--with-rpath
The results this time are:
checking for LDAP libraries... -lldap
checking whether lber.h is needed... no
checking for ldap_initialize... no
checking for ldap_start_tls_s... yes
Great!!! But wait, I said there were four things that need doing, and
that's only covered the first two.
3) When trying to execute the freshly built binary, it complains it
can't find libraries:
$ /export/home/macleodp/sudo-build/bin/sudo
ld.so.1: /export/home/macleodp/sudo-build/bin/sudo: fatal:
libssl3.so: open failed: No such file or directory
Killed
$ ldd /export/home/macleodp/sudo-build/bin/sudo
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libldap50.so => /export/home/macleodp/ldapcsdk-5.1.7/lib/libldap50.so
libssldap50.so => /export/home/macleodp/ldapcsdk-5.1.7/lib/libssldap50.so
libssl3.so => (file not found)
libnss3.so => (file not found)
libprldap50.so => /export/home/macleodp/ldapcsdk-5.1.7/lib/libprldap50.so
libsoftokn3.so => (file not found)
libplc4.so => (file not found)
libplds4.so => (file not found)
libnspr4.so => (file not found)
libnspr_flt4.so => (file not found)
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libssl3.so => (file not found)
libnss3.so => (file not found)
libsoftokn3.so => (file not found)
libplc4.so => (file not found)
libplds4.so => (file not found)
libnspr4.so => (file not found)
libplc4.so => (file not found)
libplds4.so => (file not found)
libnspr4.so => (file not found)
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Blade-1500/lib/libc_psr.so.1
I'm not wishing to enforce the use of LD_LIBRARY_PATH or such at
run time, as that could be messed up in folks' profiles. Therefore, at
build time I want it to know how to find these:
libssl3.so, libnss3.so, libsoftokn3.so, libplc4.so, libplds4.so,
libnspr4.so, libnspr_flt4.so, libprldap50.so
The configure statement now reads:
./configure --prefix=/export/home/macleodp/sudo-build \
--with-ldap=/export/home/macleodp/ldapcsdk-5.1.7 \
--with-libpath='/export/home/macleodp/commonlibs /export/home/macleodp/commonlibs/cpu/sparcv8plus' \
--with-pam \
--with-libraries='ssldap50 ssl3 nss3 softokn3 plc4 plds4 nspr4 nspr_flt4 prldap50' \
--with-rpath
At this point, sudo now runs and talks to the ldap directory when logged
in as root, but when logged in as myself, it's not happy!
$ /export/home/macleodp/sudo-build/bin/sudo
ld.so.1: /export/home/macleodp/sudo-build/bin/sudo: fatal:
libnspr4.so: version `NSPR_4.3' not found (required by file
/export/home/macleodp/commonlibs/libnss3.so)
Killed
The final step to sort this out is coming!
4) By default, can't use ldd on the sudo binary as permissions deny
this. With a simple chmod +r later:
$ ldd /export/home/macleodp/sudo-build/bin/sudo
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libldap50.so => /export/home/macleodp/ldapcsdk-5.1.7/lib/libldap50.so
libssldap50.so => /export/home/macleodp/ldapcsdk-5.1.7/lib/libssldap50.so
libssl3.so => /export/home/macleodp/commonlibs/libssl3.so
libnss3.so => /export/home/macleodp/commonlibs/libnss3.so
libsoftokn3.so => /export/home/macleodp/commonlibs/libsoftokn3.so
libplc4.so => /export/home/macleodp/commonlibs/libplc4.so
libplds4.so => /export/home/macleodp/commonlibs/libplds4.so
libnspr4.so => /export/home/macleodp/commonlibs/libnspr4.so
libnspr_flt4.so => /export/home/macleodp/commonlibs/cpu/sparcv8plus/libnspr_flt4.so
libprldap50.so => /export/home/macleodp/ldapcsdk-5.1.7/lib/libprldap50.so
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libthread.so.1 => /usr/lib/libthread.so.1
librt.so.1 => /usr/lib/librt.so.1
libplc4.so => /usr/lib/mps/secv1/libplc4.so
libplds4.so => /usr/lib/mps/secv1/libplds4.so
libnspr4.so => /usr/lib/mps/secv1/libnspr4.so
libnspr4.so (NSPR_4.3) => (version not found)
libpthread.so.1 => /usr/lib/libpthread.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libaio.so.1 => /usr/lib/libaio.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
/usr/platform/SUNW,Sun-Blade-1500/lib/libc_psr.so.1
/usr/platform/SUNW,Sun-Blade-1500/lib/libmd5_psr.so.1
How strange! Look and see in the list there are two references to
libnspr4.so, and the first is in my commonlibs directory. Why is there
reference to 4.3, I've made 4.6 available!
$ strings /export/home/macleodp/commonlibs/libnspr4.so | grep "@(#)"
@(#)NSPR 4.6 2005-05-26 11:37:25
This is to do with security in the OS and the way the binaries for NSS
and NSPR have been made. They aren't trusted in my commonlibs directory
and so this needs to be corrected with the "crle" command. On an
environment where this hasn't been changed the output is:
$ crle
Default configuration file (/var/ld/ld.config) not found
Default Library Path (ELF): /usr/lib (system default)
Trusted Directories (ELF): /usr/lib/secure (system default)
So as root user, I issue this command to set the path of trusted
directories. Note, this is just like setting the "PATH" environment
where you tell it everything it will be set to and not just to append
something. Please make sure the root user is the only account that can
put libraries in the 'commonlibs' directory to keep security as tight as
possible!
crle -s /usr/lib/secure:/export/home/macleodp/commonlibs
$ crle
Configuration file [3]: /var/ld/ld.config
Default Library Path (ELF): /usr/lib (system default)
Trusted Directories (ELF): /usr/lib/secure:/export/home/macleodp/commonlibs
Command line:
crle -c /var/ld/ld.config -s /usr/lib/secure:/export/home/macleodp/commonlibs
Now when I run sudo as a regular user it works just as it did with the
root account.
With the LDAP SDK removed from /export/home/macleodp/ldapcsdk-5.1.7, the
final ldd reports as:
$ ldd /export/home/macleodp/sudo-build/bin/sudo
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libldap50.so => /export/home/macleodp/commonlibs/libldap50.so
libssldap50.so => /export/home/macleodp/commonlibs/libssldap50.so
libssl3.so => /export/home/macleodp/commonlibs/libssl3.so
libnss3.so => /export/home/macleodp/commonlibs/libnss3.so
libsoftokn3.so => /export/home/macleodp/commonlibs/libsoftokn3.so
libplc4.so => /export/home/macleodp/commonlibs/libplc4.so
libplds4.so => /export/home/macleodp/commonlibs/libplds4.so
libnspr4.so => /export/home/macleodp/commonlibs/libnspr4.so
libnspr_flt4.so => /export/home/macleodp/commonlibs/cpu/sparcv8plus/libnspr_flt4.so
libprldap50.so => /export/home/macleodp/commonlibs/libprldap50.so
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libthread.so.1 => /usr/lib/libthread.so.1
librt.so.1 => /usr/lib/librt.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libaio.so.1 => /usr/lib/libaio.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
/usr/platform/SUNW,Sun-Blade-1500/lib/libc_psr.so.1
/usr/platform/SUNW,Sun-Blade-1500/lib/libmd5_psr.so.1
I hope this effort helps more of you progress forward in your attempts
with using sudo 1.6.8p12 and the Mozilla SDK on the Solaris platform.
Regards,
-Paul MacLeod.
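
The advice above, that only root should be able to put libraries in the directory handed to "crle -s", can be checked before the directory is trusted. The following is an added example, not part of the original post or of sudo: it reports any parent directory, the directory itself, or any library in it that is not owned by root or is group/world-writable. The function names check_entry and audit_trusted_dir are hypothetical, and a POSIX shell (for example ksh) is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory before
# handing it to `crle -s`. Function names are hypothetical.

# check_entry PATH UID: print a finding and return 1 if PATH is missing,
# not owned by UID, or group/world-writable (symlinks: owner check only).
check_entry() {
    path=$1; want_uid=$2; rc=0
    info=$(ls -ldn "$path" 2>/dev/null) || { echo "MISSING $path"; return 1; }
    mode=$(echo "$info" | awk '{print $1}')   # e.g. drwxr-xr-x
    uid=$(echo "$info" | awk '{print $3}')    # numeric owner, thanks to -n
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER $path (uid $uid, expected $want_uid)"; rc=1
    fi
    case $mode in
        l*) ;;   # permission bits on a symlink carry no meaning
        ?????w*|????????w*) echo "WRITABLE $path ($mode)"; rc=1 ;;
    esac
    return $rc
}

# audit_trusted_dir DIR [UID]: check DIR, every parent up to /, and every
# entry inside DIR. UID defaults to 0 (root). Returns 0 only if all pass.
audit_trusted_dir() {
    dir=$1; owner=${2:-0}; bad=0
    case $dir in /*) ;; *) echo "absolute path required"; return 2 ;; esac
    # Whoever can write to a parent directory can swap out what lies below.
    p=$dir
    while :; do
        check_entry "$p" "$owner" || bad=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -h "$f" ] || continue
        check_entry "$f" "$owner" || bad=1
    done
    return $bad
}

# Usage: sh audit.sh /export/home/macleodp/commonlibs
if [ $# -gt 0 ]; then
    audit_trusted_dir "$@"
fi
```

A non-zero exit status means at least one OWNER, WRITABLE or MISSING finding was printed; each finding should be resolved before the directory is added to the trusted list.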
-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Macleod, Paul
Sent: 05 December 2006 09:14
To: sudo-users at sudo.ws
Subject: [sudo-users] Compile Sudo 1.6.8p12 with Mozilla sdk 5.1.7
Hi Guys,
I'm having some trouble building sudo 1.6.8p12 and having it pick up the
Mozilla sdk 5.1.7, so there is support for the "ldap_start_tls_s"
function.
The website notes for ldap mention:
If your ldap libraries and headers are in a non standard place, you will need
to specify them at configure time.
$ ./configure --with-ldap=/usr/local/ldapsdk --with-pam
Therefore I've specified where the sdk lives as follows:
./configure --with-ldap=/export/home/macleodp/ldapcsdk-5.1.7 --with-pam
The results from the configure script don't mention finding the function
though.
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking for LDAP libraries... -lldap
checking whether lber.h is needed... no
checking for ldap_initialize... no
checking for ldap_start_tls_s... no
The config.log shows the following:
configure:30044: checking for ldap_start_tls_s
configure:30094: gcc -o conftest -O2 -D__EXTENSIONS__
-I/export/home/macleodp/ldapcsdk-5.1.7/include
-L/export/home/macleodp/ldapcsdk-5.1.7/lib
-R/export/home/macleodp/ldapcsdk-5.1.7/lib conftest.c
-lsocket -lnsl -lldap >&5
Undefined                       first referenced
 symbol                             in file
ldap_start_tls_s                    /var/tmp//ccgQ5cZo.o
ld: fatal: Symbol referencing errors. No output written to conftest
The libraries from the SDK are as follows:
# ls -al /export/home/macleodp/ldapcsdk-5.1.7/lib
total 1920
drwxr-xr-x   2 8799     1116         512 Dec  5 09:01 .
drwxr-xr-x   6 root     other        512 Dec  5 07:52 ..
-rw-r--r--   1 8799     1116        2100 Feb 17  2006 libiutil50.a
-rw-r--r--   1 8799     1116       37444 Feb 17  2006 liblber50.a
lrwxrwxrwx   1 root     other         11 Dec  5 09:01 libldap.a -> libldap50.a
lrwxrwxrwx   1 root     other         12 Dec  5 09:01 libldap.so -> libldap50.so
-rw-r--r--   1 8799     1116      440404 Feb 17  2006 libldap50.a
-rwxr-xr-x   1 8799     1116      384836 Feb 17  2006 libldap50.so
-rw-r--r--   1 8799     1116        9924 Feb 17  2006 libldif50.a
-rwxr-xr-x   1 8799     1116       32672 Feb 17  2006 libprldap50.so
-rwxr-xr-x   1 8799     1116       50796 Feb 17  2006 libssldap50.so
Where you can see I introduced links thinking they may be necessary to
help the compile after the first failure.
Also, the header files do define the function:
# grep ldap_start_tls_s /export/home/macleodp/ldapcsdk-5.1.7/include/*
/export/home/macleodp/ldapcsdk-5.1.7/include/ldap_ssl.h:int LDAP_CALL ldap_start_tls_s( LDAP *ld, LDAPControl **serverctrls,
I would therefore appreciate your help if you have suggestions where I'm
going wrong.
Thanks in advance,
-Paul.