From c06d234b77c136df9d7b7c89f3f10669d9ce08f2 Mon Sep 17 00:00:00 2001
From: Dmitry Ivanov <ivadmi5@gmail.com>
Date: Mon, 24 Jul 2023 19:08:37 +0300
Subject: [PATCH] fix: Establish LDAP connections implicitly

Unfortunately, CentOS 7 provides only openssl 1.0.2 (at least if we
disregard epel), so we can't build the bundled libldap & libsasl2.
"Okay", one might think, "we can link against the distro's libs".
Well, turns out libldap 2.4, which is what we have to deal with in
that case, doesn't have ldap_connect!

Luckily, we don't have to connect explicitly. According to man pages:

```
ldap_init() acts just like ldap_open(), but does not open a connection
to the LDAP server.  The actual connection open will occur when the
first operation is attempted.

ldap_initialize()  acts  like ldap_init()...
```

This is still true for libldap up to and including version 2.6.

NO_DOC=picodata internal patch
NO_CHANGELOG=picodata internal patch
NO_TEST=picodata internal patch
---
 rpm/tarantool-picodata.spec |  9 +++++++++
 src/box/auth_ldap.c         | 16 +++++++---------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/rpm/tarantool-picodata.spec b/rpm/tarantool-picodata.spec
index 8c50d8dfa7..d48bdc5a24 100644
--- a/rpm/tarantool-picodata.spec
+++ b/rpm/tarantool-picodata.spec
@@ -49,6 +49,12 @@ Requires(pre): %{_sbindir}/groupadd
 BuildRequires: zlib-devel
 Requires: zlib
 
+# for LDAP support
+%if 0%{?rhel} >= 7
+BuildRequires: cyrus-sasl-devel
+BuildRequires: openldap-devel
+%endif
+
 %if %{with systemd}
 Requires(post): systemd
 Requires(preun): systemd
@@ -225,6 +231,9 @@ C and Lua/C modules.
 %endif
 %if %{_gc64} == "true"
          -DLUAJIT_ENABLE_GC64:BOOL=ON \
+%endif
+%if 0%{?rhel} >= 7
+         -DENABLE_BUNDLED_LDAP:BOOL=OFF \
 %endif
          -DENABLE_WERROR:BOOL=ON \
          -DENABLE_DIST:BOOL=ON
diff --git a/src/box/auth_ldap.c b/src/box/auth_ldap.c
index 1eae02e3e1..0675835c8f 100644
--- a/src/box/auth_ldap.c
+++ b/src/box/auth_ldap.c
@@ -97,7 +97,13 @@ coio_ldap_check_password(va_list ap)
 	if (format_dn(dn_fmt, user, dn, sizeof(dn)) != 0)
 		goto cleanup;
 
-	/** Initialize the context, but don't connect just yet */
+	/**
+	 * Initialize the context, but don't connect just yet.
+	 * According to the documentation, the actual connection open
+	 * will occur when the first operation is attempted.
+	 * Previosly we used to call ldap_connect() after this,
+	 * but it's not available in libldap 2.4 (centos 7).
+	 */
 	ret = ldap_initialize(&ldp, url);
 	if (ret != LDAP_SUCCESS) {
 		say_error("failed to initialize LDAP connection: %s",
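Review bot: The new comment block above `ret = ldap_initialize(&ldp, url);` has a typo, "Previosly", in the line explaining why ldap_connect() is no longer called; it should read `* Previously we used to call ldap_connect() after this,`. Since the comment is now the only record of the implicit-connect contract the code depends on, it would also help to name the source it cites, e.g. `* (see ldap_init(3): the connection is opened on the first operation),` rather than the vaguer "According to the documentation". coio_ldap_check_password begins and ends outside this hunk.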
@@ -114,14 +120,6 @@ coio_ldap_check_password(va_list ap)
 		goto cleanup;
 	}
 
-	say_info("connecting to LDAP server at '%s'", url);
-	ret = ldap_connect(ldp);
-	if (ret != LDAP_SUCCESS) {
-		say_error("failed to connect to LDAP server at '%s': %s",
-			  url, ldap_err2string(ret));
-		goto cleanup;
-	}
-
 	/** Check user's credentials by binding to the server on their behalf */
 	say_info("attempting LDAP BIND as '%s'", dn);
 	struct berval cred = {
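Review bot: Removing the ldap_connect() block also removes the only log line that recorded the server URL and the only place where a transport-level failure was reported separately from an authentication failure; with the implicit connect, those failures now surface from the BIND that follows `say_info("attempting LDAP BIND as '%s'", dn);`. The bind error handling lies outside this hunk, so I cannot see it, but if it was not adjusted in this commit it should carry `url` in its message and separate connection errors such as LDAP_SERVER_DOWN from LDAP_INVALID_CREDENTIALS, e.g. `say_error("failed to bind to LDAP server at '%s': %s", url, ldap_err2string(ret));`. Otherwise an LDAP outage is indistinguishable in the auth log from a wrong password, which hurts both incident diagnosis and detection of credential-guessing against this endpoint. Any options set on `ldp` before the bind presumably still take effect before the implicit connect, since the first operation opens the connection, but that ordering is worth confirming for the TLS-related options above this hunk.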
-- 
GitLab