OK, I know I'm missing something since I know people are building
OpenLDAP with OpenSSL for TLS/SSL, but when I add the --with-tls flag
to configure, it all goes pear shaped.
I'm starting with freshly downloaded tarballs of openssl-1.1.0c and
openldap-2.4.44 on CentOS 7.2.1511.
I've installed the packages using yum: yum -y install tcp_wrappers
tcp_wrappers-devel tcp_wrappers-libs libtool-ltdl-devel
I've built/installed openssl with: ./config shared
--prefix=/usr/local;make;make test; make install
I then successfully build openldap with: ./configure
CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib
-Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers
--enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes
--enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes
--enable-modules --enable-mdb --enable-debug=yes --enable-syslog
--enable-slapd --enable-cleartext --enable-monitor --enable-overlays
-with-threads --enable-rewrite --enable-syncprov=yes
(without TLS support)
make depend; make; make distclean
I now add the "--with-tls=openssl" option to configure and it fails with:
./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib
-Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers
--enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes
--enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes
--enable-modules --enable-mdb --enable-debug=yes --enable-syslog
--enable-slapd --enable-cleartext --enable-monitor --enable-overlays
-with-threads --enable-rewrite --enable-syncprov=yes --with-tls=openssl
<snip>
checking for sys/un.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
checking for ssl3_accept in -lssl... no
configure: error: Could not locate TLS/SSL package
In looking at config.log:
configure:15466: checking openssl/ssl.h usability
configure:15466: cc -c -g -O2 -I/usr/local/include conftest.c >&5
configure:15466: $? = 0
configure:15466: result: yes
configure:15466: checking openssl/ssl.h presence
configure:15466: cc -E -I/usr/local/include conftest.c
configure:15466: $? = 0
configure:15466: result: yes
configure:15466: checking for openssl/ssl.h
configure:15466: result: yes
configure:15478: checking for SSL_library_init in -lssl
configure:15503: cc -o conftest -g -O2 -I/usr/local/include
-L/usr/local/lib -L/usr/local/lib64 -Wl,-rpath,/usr/local/lib
conftest.c -lssl -lcrypto -lresolv >&5
/tmp/ccpvG28c.o: In function `main':
/usr/local/src/openldap-2.4.44/conftest.c:107: undefined reference to
`SSL_library_init'
collect2: error: ld returned 1 exit status
configure:15503: $? = 1
The source for OpenSSL 1.1.0c no longer has SSL_library_init in either
the ssl or crypto libraries. It's now a macro in ssh.h which
references OPENSSL_init_ssl. Since the OpenLDAP configure script
doesn't pull in ssh.h in its test, it doesn't find SSL_library_init
and that test fails. As a hack, I changed the test in configure to
use OPENSSL_init_ssl instead of SSL_library_init and OpenLDAP
successfully configured but that blows up during make with a whole
host of errors.
I've also tried adding "-I/usr/local/include/openssl" to the CPPFLAGS
environment but that doesn't change anything (as I expected):
./configure CPPFLAGS="-I/usr/local/include
-I/usr/local/include/openssl" LDFLAGS="-L/usr/local/lib
-Wl,-rpath,/usr/local/lib" --prefix=/usr/local --enable-wrappers
--enable-syncprov=yes --enable-crypt=yes --enable-accesslog=yes
--enable-auditlog=yes --enable-constraint=yes --enable-ppolicy=yes
--enable-modules --enable-mdb --enable-debug=yes --enable-syslog
--enable-slapd --enable-cleartext --enable-monitor --enable-overlays
-with-threads --enable-rewrite --enable-syncprov=yes --with-tls=openssl
So, is my next step to pull the dev version of 2.4.45 from git or am I
just being a moron?
Tom Leach
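
The failure described in the message above, an entry point that exists only as a header macro and so cannot be found by a link-only configure check, can be confirmed by comparing the library's exported symbols against the header. The script below is an added example, not part of the original message or of OpenLDAP; `classify_symbol` and `write_samples` are hypothetical helper names, and the header excerpt and `nm -D` listing are constructed samples.

```shell
#!/bin/sh
# Classify how a library entry point is provided: as an exported function,
# as a header macro wrapping another function, or not at all.
# usage: classify_symbol SYMBOL HEADER_FILE NM_OUTPUT_FILE
classify_symbol() {
    sym=$1 header=$2 nmout=$3
    # `nm -D --defined-only` prints "ADDRESS TYPE NAME[@@VERSION]".
    # T (text) or W (weak) means the linker can resolve the name.
    if awk -v s="$sym" '{ n = $3; sub(/@.*/, "", n) }
            ($2 == "T" || $2 == "W") && n == s { found = 1 }
            END { exit !found }' "$nmout"; then
        echo "function"
        return 0
    fi
    # Not exported: look for "# define SYMBOL(...) TARGET(...)" in the header.
    target=$(sed -n "s/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}${sym}([^)]*)[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p" "$header" | head -n 1)
    if [ -n "$target" ]; then
        echo "macro:$target"
        return 0
    fi
    echo "missing"
    return 1
}

# Constructed stand-ins for an OpenSSL 1.1.0 header and `nm -D` output.
write_samples() {
    cat > "$1/sample_header.h" <<'EOF'
# if OPENSSL_API_COMPAT < 0x10100000L
#  define SSL_library_init() OPENSSL_init_ssl(0, NULL)
# endif
int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
EOF
    cat > "$1/sample_libssl.nm" <<'EOF'
0000000000035c10 T OPENSSL_init_ssl@@OPENSSL_1_1_0
0000000000030a40 T SSL_new@@OPENSSL_1_1_0
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for s in SSL_library_init OPENSSL_init_ssl ssl3_accept; do
    printf '%-18s %s\n' "$s" \
        "$(classify_symbol "$s" "$demo_dir/sample_header.h" "$demo_dir/sample_libssl.nm")"
done
rm -rf "$demo_dir"
```

On a real system, pass the saved output of `nm -D --defined-only` for the installed libssl shared object and the path to the installed OpenSSL header in place of the sample files.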