Closed bedroge closed 5 months ago
The relevant packages are:

- `sys-auth/nss-pam-ldapd`
- `sys-auth/sssd`

but neither installs completely out of the box on Gentoo prefix. Centrify DC is a commercial solution; you can't go without symlinks there for `libnss_centrifydc.so.2`.
For `nss-pam-ldapd`, it needs `--with-ldap-conf-file=${EPREFIX}/etc/nslcd.conf`. Without the daemon running that file is unused; it's just to avoid installing out of the prefix. `libnss_ldap.so.2` reads from a socket at `/run/nslcd/socket` (set without `${EPREFIX}` in the ebuild).
For `sssd` I had to disable the `acl` USE flag, otherwise it'll pull in Samba, and also use `--with-xml-catalog-path="${EPREFIX}"/etc/xml/catalog`. Then `libnss_sss.so.2` reads from `"${EPREFIX}"/var/lib/sss/pipes`, so that needs to be symlinked, or otherwise overridden to use plain `/var/lib/sss/pipes` in the ebuild (via `--with-pipe-path`).
Fundamentally these two packages both install too much for us, as we only need the libnss component, and not the daemon.
The versions under https://github.com/ComputeCanada/gentoo-overlay/tree/main/sys-auth work but are a little out of date now.
I can help with what pertains to fixes in Gentoo prefix, but since glibc from prefix is used, it may be difficult to integrate well with the host authentication libraries. If ComputeCanada patched it to work, please submit pull requests with the fixes, we would like to get those in Gentoo.
@amadio I'll submit a pull request, but need some guidance to avoid doing something not generally applicable?
In actual fact, if you look at https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-auth/sssd/sssd-2.6.0-r2.ebuild you see that what we really need is the `! multilib_is_native_abi` path, i.e. just build the libraries but not the daemon. What we have is the CentOS/Rocky host daemon writing to `/var/lib/sss` and the Gentoo Prefix client library reading from files in there.
I found some other packages that have a `daemon` USE flag, so it may be reasonable to add that.
The next thing is then what USE flag to use for

```
--with-pipe-path="${EPREFIX}"/var/lib/sss/pipes
--with-mcache-path="${EPREFIX}"/var/lib/sss/mc
```

We really need

```
--with-pipe-path=/var/lib/sss/pipes
--with-mcache-path=/var/lib/sss/mc
```

but if Gentoo Prefix provides the daemon (anyone doing that?), then obviously those paths do need to be prefixed.
Just wondering if there needs to be a more general USE flag, since something similar happens with glibc, which prefixes e.g.

```c
#define _PATH_UTMP "/cvmfs/soft.computecanada.ca/gentoo/2020/var/run/utmp"
```

in `$EPREFIX/usr/include/paths.h`, but this `utmp` file is never written to. We symlink it, but that seems sub-optimal. Does anyone use a prefixed `systemd-update-utmp.service` to write to `$EPREFIX/var/run/utmp` (where `$EPREFIX` is not on an r/o cvmfs mount, obviously)?
@bedroge https://github.com/ComputeCanada/gentoo-overlay/tree/main/sys-auth/nss-pam-ldapd and https://github.com/ComputeCanada/gentoo-overlay/tree/main/sys-auth/sssd now have updated ebuilds that work with pristine Gentoo prefix bootstraps (ie. no pam, no kerberos installed).
You'll need to install them with a USE flag though:

```
USE="-nslcd" emerge nss-pam-ldapd
USE="-daemon -man" emerge sssd
```

The nss-pam-ldapd ebuild is fairly clean vs upstream Gentoo, as upstream nss-pam-ldapd lets you simply pass `--disable-nslcd` to configure, but sssd is a different story, so that ebuild has a ton of hacks to fool configure.

The NSS plugins don't really rely on symlinks, but glibc still does to use them; that is, the `$EPREFIX/etc/nsswitch.conf -> /etc/nsswitch.conf` symlink is still needed.
As reported by Bart, the symlink will not work if the host library is too new for the compatibility layer.
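As an added example (not from this thread and not from the ComputeCanada overlay), here is a POSIX shell script that checks a prefix for the pieces the thread describes: the `$EPREFIX/etc/nsswitch.conf` symlink, the prefix-built `libnss_*.so.2` modules for each service named in the host's `nsswitch.conf`, the unprefixed host IPC paths (`/var/lib/sss/pipes`, `/run/nslcd/socket`), and a host-vs-prefix glibc version comparison for the caveat above about the host library being too new. The library directory layout, the function names and the use of `getconf GNU_LIBC_VERSION` are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue thread: sanity checks for a Gentoo Prefix
# whose glibc loads prefix-built libnss_*.so.2 modules that talk to the host's
# sssd/nslcd daemon. IPC paths follow the thread; function names and the
# library directory layout are assumptions.

# 0 if $1/etc/nsswitch.conf is a symlink pointing at /etc/nsswitch.conf,
# the one link the thread says glibc still needs.
check_nsswitch_link() {
    link="$1/etc/nsswitch.conf"
    [ -L "$link" ] || return 1
    [ "$(readlink "$link")" = "/etc/nsswitch.conf" ]
}

# 0 if the prefix ships libnss_<service>.so.2 in one of its library dirs,
# e.g. check_nss_module "$EPREFIX" sss  (assumed directory layout).
check_nss_module() {
    for dir in "$1/lib64" "$1/lib" "$1/usr/lib64" "$1/usr/lib"; do
        [ -e "$dir/libnss_$2.so.2" ] && return 0
    done
    return 1
}

# 0 if the host daemon's IPC endpoint exists: a socket (nslcd) or a
# directory of pipes (sssd). These must be unprefixed host paths.
check_host_ipc() {
    [ -S "$1" ] || [ -d "$1" ]
}

# Print the module names configured for service $2 in nsswitch file $1,
# skipping comment lines and [action] specifiers such as [NOTFOUND=return].
nss_modules_for() {
    awk -v svc="$2" '
        BEGIN { key = svc ":" }
        /^[ \t]*#/ { next }
        $1 == key {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
            print out
        }' "$1"
}

# 0 if dotted version $1 is at least $2 (major.minor compared numerically).
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}; a_minor=${a_minor%%.*}
    b_major=${2%%.*}; b_minor=${2#*.}; b_minor=${b_minor%%.*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# Print X.Y from "glibc X.Y" for the getconf binary given as $1.
glibc_version() {
    "$1" GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }'
}

# Run all checks against a prefix and print a one-line verdict per check.
report_prefix_nss() {
    prefix="$1"
    if check_nsswitch_link "$prefix"; then
        echo "ok:   $prefix/etc/nsswitch.conf -> /etc/nsswitch.conf"
    else
        echo "FAIL: $prefix/etc/nsswitch.conf is not a symlink to /etc/nsswitch.conf"
    fi
    for mod in $(nss_modules_for /etc/nsswitch.conf passwd); do
        [ "$mod" = files ] && continue
        if check_nss_module "$prefix" "$mod"; then
            echo "ok:   prefix provides libnss_$mod.so.2"
        else
            echo "note: libnss_$mod.so.2 is not built in the prefix"
        fi
    done
    check_host_ipc /var/lib/sss/pipes && echo "ok:   host sssd pipe directory present"
    check_host_ipc /run/nslcd/socket && echo "ok:   host nslcd socket present"
    host=$(glibc_version /usr/bin/getconf)
    pfx=$(glibc_version "$prefix/usr/bin/getconf")
    if [ -n "$host" ] && [ -n "$pfx" ]; then
        if version_ge "$pfx" "$host"; then
            echo "ok:   prefix glibc $pfx is not older than host glibc $host"
        else
            echo "WARN: host glibc $host is newer than prefix glibc $pfx; host NSS modules may not load"
        fi
    fi
    return 0
}

# Usage: EPREFIX=/path/to/prefix sh nss-check.sh
if [ -n "${EPREFIX:-}" ]; then
    report_prefix_nss "$EPREFIX"
fi
```

The version comparison is deliberately major.minor only, which is how glibc versions are reported; a "WARN" line is the situation in which the `nsswitch.conf` symlink alone is not enough, since host modules listed there may need symbols the prefix glibc does not provide.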