blueszhangsh / serf

Automatically exported from code.google.com/p/serf
Apache License 2.0
0 stars 0 forks source link

Serf build should auto-detect krb5-config to enable GSSAPI on Linux #131

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Most Subversion 1.8.x binary releases include serf without GSSAPI enabled on 
Linux, whereas serf automatically enables SSPI on Windows platform.

If GSSAPI support in serf is considered as stable, it should be enabled by 
default if "krb5-config" is available in PATH, without having to explicitly set 
"GSSAPI=/usr/bin/krb5-config" in scons environment.

Thank you for your great job
Yves

Original issue reported on code.google.com by ymartin1040 on 1 Oct 2013 at 8:32

GoogleCodeExporter commented 9 years ago
Of course, it is not a defect but a 10-minutes "enhancement" :)

Original comment by ymartin1040 on 1 Oct 2013 at 8:36

GoogleCodeExporter commented 9 years ago
I don't see how that's going to solve your specific problem. Assuming that the 
person who made the serf package does that in a clean staging area, (s)he has 
to explicitly choose to build serf with kerberos support, because (s)he has to  
install the kerberos libraries in the staging area first. I don't think adding 
the GSSAPI flag to the scons build is an extra overhead or possible bottleneck 
here.

So you'll probably have to send a mail to the serf packager for your 
distribution.

I'm wondering if there are situations where you explicitly don't want to build 
serf with kerberos, even it is installed on your system. 

Lieven

Original comment by lieven.govaerts@gmail.com on 1 Oct 2013 at 9:52

GoogleCodeExporter commented 9 years ago
I agree I have to contact WanDisco packager to get GSSAPI enabled in their 
Debian packages...

By the way, my request aims to get "negotiate" feature compiled "by default" 
consistently between Windows and Linux platforms. Similarly the SCons build 
detects "openssl".

Original comment by ymartin1040 on 3 Oct 2013 at 7:28

GoogleCodeExporter commented 9 years ago
One major difference is that you can not find a Windows NT based platform 
without SSPI support DLLs, while kerberos on *nix is 100% optional and requires 
extensive configuration to get it working.

Original comment by b...@qqmail.nl on 3 Oct 2013 at 7:37

GoogleCodeExporter commented 9 years ago
I agree SSPI is available on any windows. It does not mean Kerberos and 
negotiate will work without a Kerberos server (ActiveDirectory, the workstation 
joined in the domain) and an IIS server properly configured with a SPN.

The same way on Linux, you can compile with krb5.h and gssapi.h and link to 
related shared libraries without having configured anything else than the 
compile chain. On Debian it is as easy as "aptitude install libkrb5-dev" and 
serf will compile with GSSAPI without any trouble.

Original comment by ymartin1040 on 3 Oct 2013 at 7:45

GoogleCodeExporter commented 9 years ago
For the particular case of OS X, I believe Kerberos is always installed; in any 
case, I think it's not unreasonable to treat GSS/Kerberos much as openssl is 
automatically detected and used (as pointed out in #3.)

Original comment by secretag...@gmail.com on 9 Oct 2013 at 12:44

GoogleCodeExporter commented 9 years ago
It may be also possible to compile with GSSAPI support as soon as headers file 
are available, but use runtime library loading with error handling (instead of 
compile-time linkage).
So authentication phase may ignore "negotiate" if GSSAPI lacks at runtime. But 
then work as soon as that optional dependency is added to the system.

Original comment by ymartin1040 on 9 Oct 2013 at 10:50