Functional changes:

- Add a SASL port option

  - Fix the KERBEROS ports option - it was a no-op, setting a
    configure flag which modifies how Kerberos was used without
    setting the flag that actually enables it.

  - Use GSSAPI instead of $ENV{KRB5CCNAME} to set the credential
    cache.  The latter pollutes the unsuspecting application's
    environment and does not always work (for instance, it breaks when
    nss_ldap is invoked from OpenSSH, although I haven't quite
    determined why)

  - Add patches to support Heimdal in addition to MIT Kerberos.  Note
    that I tried to ensure that the code is unchanged in the
    non-Heimdal case, but that I have no way of testing with MIT
    Kerberos.

  With the above changes, I have successfully configured a FreeBSD 9.2
  server to authenticate users against a Microsoft Windows 2012 Active
  Directory server.

Non-functional changes:

  - Modernize and stagify

  - Remove text in pkg-message about a change that was made ten years ago

  - Take maintainership as current maintainer has been AWOL for 2+ years

  - Bump PORTREVISION

Approved by:	maintainer hasn't been heard of for 2+ years

net/nss_ldap/Makefile

@@ -3,13 +3,13 @@
 
 PORTNAME=	nss_ldap
 PORTVERSION=	1.${NSS_LDAP_VERSION}
-PORTREVISION=	7
+PORTREVISION=	8
 CATEGORIES=	net
 MASTER_SITES=	http://www.padl.com/download/ \
 		LOCAL/martymac
 DISTNAME=	${PORTNAME}-${NSS_LDAP_VERSION}
 
-MAINTAINER=	mikeg@bsd-box.net
+MAINTAINER=	des@FreeBSD.org
 COMMENT=	RFC 2307 NSS module
 
 LICENSE=	GPLv2
@@ -24,11 +24,13 @@ AUTOMAKE_ARGS=	--add-missing
 USE_LDCONFIG=	yes
 USE_OPENLDAP=	yes
 
-OPTIONS_DEFINE=	LCLASS KERBEROS
+OPTIONS_DEFINE=	LCLASS KERBEROS SASL
 OPTIONS_DEFAULT=LCLASS KERBEROS
 
 LCLASS_DESC=	Enable login classes via the loginClass attribute
 
+SASL_DESC=	Use the SASL-enabled version of OpenLDAP
+
 CPPFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib -Wl,-rpath,${LOCALBASE}/lib
 
@@ -41,17 +43,21 @@ MAN5=	nss_ldap.5
 
 SUB_FILES=	pkg-message
 
-NO_STAGE=	yes
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MKERBEROS}
-CONFIGURE_ARGS+=--enable-configurable-krb5-ccname-env
+CONFIGURE_ARGS+=--enable-configurable-krb5-ccname-gssapi \
+		--enable-configurable-krb5-keytab
 .endif
 
 .if ${PORT_OPTIONS:MLCLASS}
 CFLAGS+="-DHAVE_LOGIN_CLASSES"
 .endif
 
+.if ${PORT_OPTIONS:MSASL}
+WANT_OPENLDAP_SASL	 = YES
+.endif
+
 post-extract:
 	${CP} ${FILESDIR}/bsdnss.c ${WRKSRC}
 
@@ -73,16 +79,8 @@ post-configure:
 	@${ECHO} "#define HAVE_RESOLV_H 1" >> ${WRKSRC}/config.h
 
 do-install:
-	${INSTALL_PROGRAM} ${WRKSRC}/nss_ldap.so ${PREFIX}/lib/nss_ldap.so.1
-	${INSTALL_DATA} ${WRKSRC}/ldap.conf ${PREFIX}/etc/nss_ldap.conf.sample
-	${INSTALL_MAN} ${WRKSRC}/${MAN5} ${MAN5PREFIX}/man/man5
-
-post-install:
-	@if [ ! -f ${PREFIX}/etc/nss_ldap.conf ]; then \
-		${CP} -pv ${PREFIX}/etc/nss_ldap.conf.sample ${PREFIX}/etc/nss_ldap.conf ; \
-	fi
-.if !defined(PACKAGE_BUILDING)
-	@${CAT} ${PKGMESSAGE}
-.endif
+	${INSTALL_PROGRAM} ${WRKSRC}/nss_ldap.so ${STAGEDIR}/${PREFIX}/lib/nss_ldap.so.1
+	${INSTALL_DATA} ${WRKSRC}/ldap.conf ${STAGEDIR}/${PREFIX}/etc/nss_ldap.conf.sample
+	${INSTALL_MAN} ${WRKSRC}/${MAN5} ${STAGEDIR}/${MAN5PREFIX}/man/man5
 
 .include <bsd.port.mk>

net/nss_ldap/files/patch-configure.in

@@ -1,6 +1,6 @@
---- configure.in.orig	2007-10-29 06:30:12.000000000 -0700
-+++ configure.in	2008-09-26 20:38:20.000000000 -0700
-@@ -96,11 +96,15 @@
+--- configure.in.orig
++++ configure.in
+@@ -97,11 +97,15 @@
  linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
  *) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic" ;;
  esac
@@ -16,7 +16,7 @@
  
  AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$nss_ldap_so_LD")
  
-@@ -152,7 +156,6 @@
+@@ -153,7 +157,6 @@
    aix*) AC_CHECK_HEADERS(irs.h usersec.h) ;;
    hpux*) AC_CHECK_HEADERS(nsswitch.h) ;;
    *) AC_CHECK_HEADERS(nss.h)
@@ -24,7 +24,21 @@
       AC_CHECK_HEADERS(irs.h) ;;
  esac
  AC_CHECK_HEADERS(thread.h)
-@@ -227,7 +230,6 @@
+@@ -188,6 +191,13 @@
+ AC_CHECK_HEADERS(gssapi/gssapi_krb5.h gssapi.h)
+ AC_CHECK_HEADERS(krb5.h)
+ 
++AC_MSG_CHECKING([if Kerberos is Heimdal])
++AC_TRY_LINK([#include <krb5.h>],
++	    [const char hv = heimdal_version;],
++	    [AC_MSG_RESULT(yes)
++	     AC_DEFINE(HEIMDAL,1,[Define if Kerberos is Heimdal])],
++	    [AC_MSG_RESULT(no)])
++
+ AC_CHECK_LIB(resolv, main)
+ AC_CHECK_LIB(nsl, main)
+ AC_CHECK_LIB(socket, main)
+@@ -230,7 +240,6 @@
  AC_CHECK_FUNCS(gethostbyname)
  AC_CHECK_FUNCS(nsdispatch)
  AC_CHECK_LIB(pthread_nonshared, main)

net/nss_ldap/files/patch-ldap-init-krb5-cache.c

@@ -0,0 +1,62 @@
+--- ldap-init-krb5-cache.c.orig
++++ ldap-init-krb5-cache.c
+@@ -109,6 +109,10 @@
+ #include <gssapi/gssapi.h>
+ #include <gssapi/gssapi_krb5.h>
+ 
++#ifndef HOST_NAME_MAX
++#define HOST_NAME_MAX 1024
++#endif
++
+ #define MAX_RENEW_TIME "365d"
+ 
+ #define KT_PATH_MAX 256
+@@ -213,14 +217,25 @@
+ {
+   krb5_error_code code = 0;
+   krb5_keytab __keytab;
++#ifdef HEIMDAL
++  char kttypebuf[KRB5_KT_PREFIX_MAX_LEN];
++  size_t kttypesize = sizeof kttypebuf;
++#endif
++  char *kttype;
+ 
+   debug ("==> krb5_cache_kt_is_accessible: ktname %s", __ktname);
+   assert (context != NULL);
+   if (!(code = krb5_kt_resolve (context, __ktname, &__keytab)))
+     {
++#ifdef HEIMDAL
++      krb5_kt_get_type (context, __keytab, kttypebuf, kttypesize);
++      kttype = kttypebuf;
++#else
++      kttype = krb5_kt_get_type (context, __keytab);
++#endif
+       debug ("==> krb5_cache_kt_is_accessible: resolved ktname %s - %s",
+-	     __ktname, krb5_kt_get_type (context, __keytab));
+-      if (strcmp ("FILE", krb5_kt_get_type (context, __keytab)) == 0)
++	     __ktname, kttype);
++      if (strcmp ("FILE", kttype) == 0)
+ 	{
+ 	  debug ("==> krb5_cache_kt_is_accessible: kt type = FILE");
+ 	  uid_t ruid = getuid ();
+@@ -542,7 +557,7 @@
+     }
+   profile_release (profile);
+ #else
+-  skew = context->max_skew;
++  /* skew = context->max_skew; */
+ #endif
+   ccname = krb5_cache_get_ccname (config);
+   debug ("==> krb5_cache_setup: credential cache name %s",
+@@ -671,7 +686,11 @@
+ 		     ccname ? ccname : "NULL");
+ 		}
+ 	    }
++#ifdef HEIMDAL
++	  free (principal_name);
++#else
+ 	  krb5_free_unparsed_name (context, principal_name);
++#endif
+ 	}
+     }
+ 

net/nss_ldap/files/patch-ldap-nss.c

@@ -1,5 +1,5 @@
---- ldap-nss.c.orig	Sat May 27 16:23:40 2006
-+++ ldap-nss.c	Sat May 27 16:23:52 2006
+--- ldap-nss.c.orig
++++ ldap-nss.c
 @@ -69,7 +69,7 @@
  #endif
  
@@ -9,3 +9,18 @@
  #include <sasl/sasl.h>
  #elif defined(HAVE_SASL_H)
  #include <sasl.h>
+@@ -78,11 +78,11 @@
+ #ifndef HAVE_SNPRINTF
+ #include "snprintf.h"
+ #endif
+-#ifdef HAVE_GSSAPI_H
+-#include <gssapi.h>
+-#elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
++#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
+ #include <gssapi/gssapi.h>
+ #include <gssapi/gssapi_krb5.h>
++#elif defined(HAVE_GSSAPI_H)
++#include <gssapi.h>
+ #endif
+ #ifdef CONFIGURE_KRB5_CCNAME
+ #include <krb5.h>

net/nss_ldap/files/patch-ldap-nss.h

@@ -0,0 +1,12 @@
+--- ldap-nss.h.orig
++++ ldap-nss.h
+@@ -923,6 +923,8 @@
+ int _nss_ldap_get_ld_errno (char **m, char **s);
+ 
+ #ifdef CONFIGURE_KRB5_KEYTAB
+-int do_init_krb5_cache(ldap_config_t *config);
++int do_init_krb5_cache (ldap_config_t *config);
++int do_select_krb5_cache (ldap_config_t * config);
++int do_restore_krb5_cache (ldap_config_t * config);
+ #endif /* CONFIGURE_KRB5_KEYTAB */
+ #endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */

net/nss_ldap/files/pkg-message.in

@@ -4,12 +4,4 @@ following paths:
 
 LDAP configuration:     %%PREFIX%%/etc/nss_ldap.conf
 LDAP secret (optional): %%PREFIX%%/etc/nss_ldap.secret
-
-
-WARNING: For users of previous versions of this port:
-WARNING:
-WARNING: Previous versions of this port expected configuration files
-WARNING: to be located at /etc/ldap.conf and /etc/ldap.secret.  You
-WARNING: may need to move these configuration files to their new
-WARNING: location specified above.
 =====================================================================