[evolution-patches] remove support for unhacked openldap

From: Dan Winship <danw novell com>
To: evolution-patches ximian com
Subject: [evolution-patches] remove support for unhacked openldap
Date: Mon, 04 Oct 2004 14:50:35 -0400

This removes the support for building Connector with an unhacked copy of
OpenLDAP, because (a) using the unhacked OpenLDAP results in the user's
password being sent in cleartext without any warning, (b) it doesn't
work for some people anyway, (c) the people it doesn't work for end up
seeing various other bugs because they don't have a working GC
connection, (d) this ends up wasting our time as we try and fail to
reproduce those bugs.

Index: ChangeLog
===================================================================
RCS file: /cvs/gnome/evolution-exchange/ChangeLog,v
retrieving revision 1.139.2.13
diff -u -r1.139.2.13 ChangeLog
--- ChangeLog	4 Oct 2004 15:14:50 -0000	1.139.2.13
+++ ChangeLog	4 Oct 2004 18:40:09 -0000
@@ -1,5 +1,20 @@
 2004-10-04  Dan Winship  <danw novell com>
 
+	* configure.in: Error out if OpenLDAP is built without NTLM
+	support; using plaintext exposes the user's password, and
+	sometimes doesn't work anyway, causing various other random bugs
+	for some users and creating support headaches for us. (Also remove
+	some dead code related to the old licensing stuff.)
+
+	* lib/e2k-global-catalog.c (ntlm_bind): Remove "#ifndef
+	HAVE_LDAP_NTLM_BIND" around this
+	(ldap_connect): Always use ntlm_bind.
+
+	* lib/e2k-autoconfig.c (e2k_autoconfig_check_global_catalog):
+	Remove "#ifndef HAVE_LDAP_NTLM_BIND"
+
+2004-10-04  Dan Winship  <danw novell com>
+
 	* mail/mail-stub-exchange.c (send_message): Remove code that was
 	setting the message to use HTTP 1.0, which isn't needed with
 	libsoup 2.2, and which was causing 65685.
Index: configure.in
===================================================================
RCS file: /cvs/gnome/evolution-exchange/configure.in,v
retrieving revision 1.37.2.11
diff -u -r1.37.2.11 configure.in
--- configure.in	3 Oct 2004 16:51:37 -0000	1.37.2.11
+++ configure.in	4 Oct 2004 18:40:09 -0000
@@ -137,25 +137,6 @@
 AC_SUBST(LIBEXCHANGE_LIBS)
 
 dnl *********************
-dnl Pilot license support
-dnl *********************
-# This does not take leap years into account, but that's not
-# important: having the build time be slightly too early is good
-# to support slight clock skew anyway.
-# 946684800 is 2000-01-01T00:00:00Z.
-# Don't change this without testing under /bin/sh on Solaris.
-abt=`eval expr \`date '+\( \( %y \* 365 \) + %j - 1 \) \* 24 \* 60 \* 60 + 946684800'\``
-case $abt in
-"")
-	echo "Warning: build time check failed. (Are you on OS X?)."
-	echo "Pilot licenses won't work."
-	abt="0"
-	;;
-esac
-AC_DEFINE_UNQUOTED(E2K_APPROX_BUILD_TIME, $abt, [Used to prevent clock-setting attacks against pilot licenses])
-
-
-dnl *********************
 dnl OpenLDAP NTLM support
 dnl *********************
 EVO_LDAP_CHECK(yes)
@@ -173,6 +154,20 @@
 CFLAGS="$SAVE_CFLAGS"
 LIBS="$SAVE_LIBS"
 
+if test "$ac_cv_func_ldap_ntlm_bind" = "no"; then
+	AC_ERROR([
+
+NTLM support in OpenLDAP is required for proper Connector functioning.
+You must build OpenLDAP with the patch in docs/openldap-ntlm.diff and
+build Connector against that copy of OpenLDAP. (That file also includes
+instructions for if you want to statically link Connector against the
+patched OpenLDAP, to avoid creating a dependency on the patched
+package.)
+
+])
+fi
+   
+
 dnl ********
 dnl Kerberos
 dnl ********
@@ -247,17 +242,3 @@
 docs/reference/Makefile
 po/Makefile.in
 ])
-
-case $ac_cv_func_ldap_ntlm_bind in
-no)
-	echo ""
-	AC_MSG_WARN([
-No NTLM support in OpenLDAP; Plaintext password authentication will be
-used when connecting to the Global Catalog server. Consider installing
-the evo-openldap package, or building OpenLDAP with the patch in
-docs/openldap-ntlm.diff
-])
-	;;
-esac
-		
-
Index: docs/ChangeLog
===================================================================
RCS file: /cvs/gnome/evolution-exchange/docs/ChangeLog,v
retrieving revision 1.3
diff -u -r1.3 ChangeLog
--- docs/ChangeLog	19 Aug 2004 18:08:22 -0000	1.3
+++ docs/ChangeLog	4 Oct 2004 18:40:09 -0000
@@ -1,3 +1,8 @@
+2004-10-04  Dan Winship  <danw novell com>
+
+	* openldap-ntlm.diff: Mention how to build OpenLDAP so that
+	Connector can link statically against it
+
 2004-08-19  Dan Winship  <danw novell com>
 
 	* service-packs: Document what version/build numbers of Exchange
Index: docs/openldap-ntlm.diff
===================================================================
RCS file: /cvs/gnome/evolution-exchange/docs/openldap-ntlm.diff,v
retrieving revision 1.2
diff -u -r1.2 openldap-ntlm.diff
--- docs/openldap-ntlm.diff	4 Aug 2004 19:31:18 -0000	1.2
+++ docs/openldap-ntlm.diff	4 Oct 2004 18:40:09 -0000
@@ -7,6 +7,11 @@
 
 This is a patch against OpenLDAP 2.2.6. Apply with -p0
 
+If you want to link Connector statically against OpenLDAP with this
+patch, build OpenLDAP with
+
+    --disable-shared --disable-slapd --without-cyrus-sasl --without-tls
+
 
 --- include/ldap.h.orig	2004-01-01 13:16:28.000000000 -0500
 +++ include/ldap.h	2004-07-14 11:58:49.000000000 -0400
Index: lib/e2k-autoconfig.c
===================================================================
RCS file: /cvs/gnome/evolution-exchange/lib/e2k-autoconfig.c,v
retrieving revision 1.3
diff -u -r1.3 e2k-autoconfig.c
--- lib/e2k-autoconfig.c	19 Aug 2004 18:10:03 -0000	1.3
+++ lib/e2k-autoconfig.c	4 Oct 2004 18:40:09 -0000
@@ -879,11 +879,6 @@
 		result = E2K_AUTOCONFIG_OK;
 	} else if (status == E2K_GLOBAL_CATALOG_CANCELLED)
 		result = E2K_AUTOCONFIG_CANCELLED;
-#ifndef HAVE_LDAP_NTLM_BIND
-	else if (status == E2K_GLOBAL_CATALOG_AUTH_FAILED &&
-		 !ac->nt_domain)
-		result = E2K_AUTOCONFIG_AUTH_ERROR_TRY_DOMAIN;
-#endif
 	else if (status == E2K_GLOBAL_CATALOG_ERROR)
 		result = E2K_AUTOCONFIG_FAILED;
 	else
Index: lib/e2k-global-catalog.c
===================================================================
RCS file: /cvs/gnome/evolution-exchange/lib/e2k-global-catalog.c,v
retrieving revision 1.5
diff -u -r1.5 e2k-global-catalog.c
--- lib/e2k-global-catalog.c	27 Aug 2004 18:00:14 -0000	1.5
+++ lib/e2k-global-catalog.c	4 Oct 2004 18:40:09 -0000
@@ -31,10 +31,7 @@
 #include <sys/time.h>
 
 #include <ldap.h>
-
-#ifdef HAVE_LDAP_NTLM_BIND
 #include "xntlm.h"
-#endif
 
 #ifdef E2K_DEBUG
 static gboolean e2k_gc_debug = FALSE;
@@ -233,7 +230,6 @@
 	return LDAP_SERVER_DOWN;
 }
 
-#ifdef HAVE_LDAP_NTLM_BIND
 static int
 ntlm_bind (E2kGlobalCatalog *gc, E2kOperation *op, LDAP *ldap)
 {
@@ -308,26 +304,14 @@
 
 	return err;
 }
-#endif
 
 static int
 ldap_connect (E2kGlobalCatalog *gc, E2kOperation *op, LDAP *ldap)
 {
 	int ldap_error;
-#ifndef HAVE_LDAP_NTLM_BIND
-	char *nt_name;
-#endif
 
 	/* authenticate */
-#ifdef HAVE_LDAP_NTLM_BIND
 	ldap_error = ntlm_bind (gc, op, ldap);
-#else
-	nt_name = gc->priv->nt_domain ?
-		g_strdup_printf ("%s\\%s", gc->priv->nt_domain, gc->priv->user) :
-		g_strdup (gc->priv->user);
-	ldap_error = ldap_simple_bind_s (ldap, nt_name, gc->priv->password);
-	g_free (nt_name);
-#endif
 	if (ldap_error != LDAP_SUCCESS)
 		g_warning ("LDAP authentication failed (0x%02x)", ldap_error);
 	else

Follow-Ups:
- Re: [evolution-patches] remove support for unhacked openldap
  - From: Rodney Dawes

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]