23116175 Get the cyrus-sasl component ready for MIT-default Kerberos
authorJan Parcel <jan.parcel@oracle.com>
Wed, 27 Apr 2016 16:55:22 -0700
changeset 5866 683c5c035a79
parent 5865 3e9949415308
child 5867 445e2cf1c845
23116175 Get the cyrus-sasl component ready for MIT-default Kerberos 23041772 Reconcile redundancies between patches and Makefile 23044356 Unable to build openldap if cyrus-sasl requests -lldap_r for ldapdb 22928693 Now that libsasl2 is available, openldap should call it out as a dependency 23072799 fix dead/broken links in sasl html docs 23077448 Broken links with Net TI install with facet.devel=false - libsasl2
components/cyrus-sasl/Makefile
components/cyrus-sasl/libsasl2.p5m
components/cyrus-sasl/patches/102-sasldir-fix.patch
components/cyrus-sasl/patches/107-build-testsuite.patch
components/cyrus-sasl/patches/108-sample-test-tools.patch
components/cyrus-sasl/patches/110-solaris-configure.patch
components/cyrus-sasl/patches/111-fix-html-doc-links.patch
components/cyrus-sasl/test/TestSuite.conf
components/cyrus-sasl/test/setup-for-mit
components/cyrus-sasl/test/setup-for-seam
components/cyrus-sasl/test/setup_testsuite
components/openldap/openldap.p5m
--- a/components/cyrus-sasl/Makefile	Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/Makefile	Wed Apr 27 16:55:22 2016 -0700
@@ -54,7 +54,7 @@
 SASL_CONFDIR = $(ETCDIR)/sasl2
 PROTO_CONFDIR = $(PROTO_DIR)$(SASL_CONFDIR)
 
-TESTS_DIR=$(PROTO_DIR)/$(SASL2)/tests
+TESTS_DIR=$(PROTO_DIR)/tests
 TESTS_32_DIR=$(TESTS_DIR)/$(MACH32)
 
 # Migrated from ON in S12, including stuff from system/header, so this
@@ -73,11 +73,18 @@
 CPPFLAGS += -I$(USRINCDIR)/openldap
 LDFLAGS += $(CC_BITS)  -lscf -lresolv 
 
+# if there is no mediator, use MIT
+KRB5_API = $(shell pkg mediator -H kerberos5 2>/dev/null | nawk '{print $$4;}')
+
 CONFIGURE_OPTIONS += --sysconfdir=$(ETCDIR)
 CONFIGURE_OPTIONS += --enable-auth-sasldb
 CONFIGURE_OPTIONS += --with-dblib=berkeley
 CONFIGURE_OPTIONS += --with-saslauthd=$(USRSBINDIR)/saslauthd
+ifeq ($(KRB5_API), solaris)
 CONFIGURE_OPTIONS += --with-gss_impl=seam
+else
+CONFIGURE_OPTIONS += --with-gss_impl=mit
+endif
 CONFIGURE_OPTIONS += --without-gnu-ld
 CONFIGURE_OPTIONS.32 += --with-plugindir=$(SASL2.32)
 CONFIGURE_OPTIONS.64 += --with-plugindir=$(SASL2.64)
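Review bot: `KRB5_API` is assigned with `=`, so the `pkg mediator | nawk` pipeline is re-run on every reference, including the `ifeq` in this hunk and the `ifneq ($(KRB5_API), solaris)` added in the REQUIRED_PACKAGES hunk further down. `KRB5_API := $(shell pkg mediator -H kerberos5 2>/dev/null | nawk '{print $$4;}')` evaluates it once. Both `--with-gss_impl` and the `security/kerberos-5` dependency then follow whatever mediator the build host has set, which deserves a comment next to the conditional, for example `# GSS implementation follows the build host's kerberos5 mediator; empty or non-solaris means MIT`. The existing `# if there is no mediator, use MIT` sits above the assignment rather than the `ifeq` it explains.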
@@ -88,11 +95,7 @@
 CONFIGURE_OPTIONS += --enable-sample
 CONFIGURE_OPTIONS += --enable-login
 CONFIGURE_OPTIONS += --with-configdir=$(ETCDIR)/sasl2
-
-# 23044356 must be fixed before this can be enabled
-# bugzilla.cyrusimap.org 3926 must be fixed before this can be useful
-# except for testing
-# CONFIGURE_OPTIONS += --enable-ldapdb
+CONFIGURE_OPTIONS += --enable-ldapdb
 
 PKG_PROTO_DIRS += $(SOURCE_DIR)/doc $(COMPONENT_DIR)/Solaris
 
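Review bot: The removed comment named two blockers for `--enable-ldapdb`, and only 23044356 appears in this commit's description. The second, bugzilla.cyrusimap.org 3926, which the old comment said had to be fixed before the option was useful outside testing, is dropped without explanation. If that upstream bug is still open, a comment above the option such as `# ldapdb is built but see bugzilla.cyrusimap.org 3926 before relying on it` would keep the caveat visible. If it has been resolved, a line in the commit description saying so would be enough.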
@@ -176,7 +179,8 @@
 CLEAN_PATHS += $(TARBALL_DIR)
 
 test_tarball:	sasltest.tgz
-TEST_SCRIPTS= setup_testsuite run_testsuite transform-results cleanup
+TEST_SCRIPTS= setup_testsuite run_testsuite transform-results cleanup \
+	setup-for-mit setup-for-seam
 
 sasltest.tgz:	install
 	$(MKDIR) $(TARBALL_DIR)
@@ -193,4 +197,7 @@
 REQUIRED_PACKAGES += developer/build/automake-115
 REQUIRED_PACKAGES += library/openldap
 REQUIRED_PACKAGES += library/security/openssl
+ifneq ($(KRB5_API), solaris)
+    REQUIRED_PACKAGES += security/kerberos-5
+endif
 REQUIRED_PACKAGES += system/library/security/gss
--- a/components/cyrus-sasl/libsasl2.p5m	Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/libsasl2.p5m	Wed Apr 27 16:55:22 2016 -0700
@@ -42,7 +42,7 @@
     value=org.opensolaris.category.2008:System/Libraries
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2015/194
+set name=org.opensolaris.arc-caseid value=PSARC/2015/194 value=PSARC/2016/158
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 dir  path=etc/sasl2 owner=root group=sys mode=0755
 file README path=etc/sasl2/README
@@ -58,9 +58,7 @@
 link path=usr/lib/$(MACH64)/libsasl2.so target=libsasl2.so.3.0.0
 link path=usr/lib/$(MACH64)/libsasl2.so.3 target=libsasl2.so.3.0.0
 file path=usr/lib/$(MACH64)/libsasl2.so.3.0.0
-link path=usr/lib/$(MACH64)/llib-lsasl target=../llib-lsasl2
 link path=usr/lib/$(MACH64)/llib-lsasl.ln target=llib-lsasl2.ln
-link path=usr/lib/$(MACH64)/llib-lsasl2 target=../llib-lsasl2
 file path=usr/lib/$(MACH64)/llib-lsasl2.ln
 link path=usr/lib/$(MACH64)/pkgconfig/libsasl.pc target=libsasl2.pc
 file path=usr/lib/$(MACH64)/pkgconfig/libsasl2.pc
@@ -134,6 +132,28 @@
 file advanced.html path=usr/share/doc/libsasl2/advanced.html
 file appconvert.html path=usr/share/doc/libsasl2/appconvert.html
 file components.html path=usr/share/doc/libsasl2/components.html
+file draft-burdis-cat-srp-sasl-xx.txt \
+    path=usr/share/doc/libsasl2/draft-burdis-cat-srp-sasl-xx.txt
+file draft-ietf-sasl-anon-xx.txt \
+    path=usr/share/doc/libsasl2/draft-ietf-sasl-anon-xx.txt
+file draft-ietf-sasl-crammd5-xx.txt \
+    path=usr/share/doc/libsasl2/draft-ietf-sasl-crammd5-xx.txt
+file draft-ietf-sasl-gssapi-xx.txt \
+    path=usr/share/doc/libsasl2/draft-ietf-sasl-gssapi-xx.txt
+file draft-ietf-sasl-plain-xx.txt \
+    path=usr/share/doc/libsasl2/draft-ietf-sasl-plain-xx.txt
+file draft-ietf-sasl-rfc2222bis-xx.txt \
+    path=usr/share/doc/libsasl2/draft-ietf-sasl-rfc2222bis-xx.txt
+file draft-ietf-sasl-rfc2831bis-xx.txt \
+    path=usr/share/doc/libsasl2/draft-ietf-sasl-rfc2831bis-xx.txt
+file draft-ietf-sasl-saslprep-xx.txt \
+    path=usr/share/doc/libsasl2/draft-ietf-sasl-saslprep-xx.txt
+file draft-murchison-sasl-login-xx.txt \
+    path=usr/share/doc/libsasl2/draft-murchison-sasl-login-xx.txt
+file draft-newman-sasl-c-api-xx.txt \
+    path=usr/share/doc/libsasl2/draft-newman-sasl-c-api-xx.txt
+file draft-newman-sasl-passdss-xx.txt \
+    path=usr/share/doc/libsasl2/draft-newman-sasl-passdss-xx.txt
 file gssapi.html path=usr/share/doc/libsasl2/gssapi.html
 file index.html path=usr/share/doc/libsasl2/index.html
 file install.html path=usr/share/doc/libsasl2/install.html
@@ -142,6 +162,19 @@
 file options.html path=usr/share/doc/libsasl2/options.html
 file plugprog.html path=usr/share/doc/libsasl2/plugprog.html
 file programming.html path=usr/share/doc/libsasl2/programming.html
+file rfc1321.txt path=usr/share/doc/libsasl2/rfc1321.txt
+file rfc1939.txt path=usr/share/doc/libsasl2/rfc1939.txt
+file rfc2104.txt path=usr/share/doc/libsasl2/rfc2104.txt
+file rfc2195.txt path=usr/share/doc/libsasl2/rfc2195.txt
+file rfc2222.txt path=usr/share/doc/libsasl2/rfc2222.txt
+file rfc2243.txt path=usr/share/doc/libsasl2/rfc2243.txt
+file rfc2245.txt path=usr/share/doc/libsasl2/rfc2245.txt
+file rfc2289.txt path=usr/share/doc/libsasl2/rfc2289.txt
+file rfc2444.txt path=usr/share/doc/libsasl2/rfc2444.txt
+file rfc2595.txt path=usr/share/doc/libsasl2/rfc2595.txt
+file rfc2831.txt path=usr/share/doc/libsasl2/rfc2831.txt
+file rfc2945.txt path=usr/share/doc/libsasl2/rfc2945.txt
+file rfc3174.txt path=usr/share/doc/libsasl2/rfc3174.txt
 file sysadmin.html path=usr/share/doc/libsasl2/sysadmin.html
 file upgrading.html path=usr/share/doc/libsasl2/upgrading.html
 file windows.html path=usr/share/doc/libsasl2/windows.html
--- a/components/cyrus-sasl/patches/102-sasldir-fix.patch	Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/patches/102-sasldir-fix.patch	Wed Apr 27 16:55:22 2016 -0700
@@ -1,5 +1,6 @@
-Developed in-house at Oracle 
-Bugzilla Bug 3401 sasldir and plugindir in Makefile.am
+# Developed in-house at Oracle 
+# Commented on bugzilla Bug 3401 sasldir and plugindir in Makefile.am
+# Upstream is considering multiple solutions, attached this patch to the bug.
 
 diff -rupN old/configure.in new/configure.in
 --- old/configure.in	2015-01-16 16:06:51.953695234 -0800
--- a/components/cyrus-sasl/patches/107-build-testsuite.patch	Wed Apr 27 16:15:18 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-Developed in-house at Oracle
-Will file a bug upstream asking this to be an option for configure
-
-diff -rupN old/utils/Makefile.am new/utils/Makefile.am
---- old/utils/Makefile.am	2016-02-12 11:48:32.389775435 -0800
-+++ new/utils/Makefile.am	2016-02-12 11:51:08.007216490 -0800
-@@ -48,7 +48,7 @@ all_sasl_static_libs = ../lib/.libs/libs
- sbin_PROGRAMS = @SASL_DB_UTILS@ @SMTPTEST_PROGRAM@ pluginviewer
- EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer
- 
--noinst_PROGRAMS = dbconverter-2
-+noinst_PROGRAMS = dbconverter-2 testsuite
- 
- if NO_SASL_DB_MANS
- man_MANS = 
--- a/components/cyrus-sasl/patches/108-sample-test-tools.patch	Wed Apr 27 16:15:18 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-Developed in-house at Oracle
-Will file a bug upstream asking for this to be a configure option
-
-diff -rupN old/sample/Makefile.am new/sample/Makefile.am
---- old/sample/Makefile.am	2016-02-16 13:53:52.473628366 -0800
-+++ new/sample/Makefile.am	2016-02-16 14:14:10.022927698 -0800
-@@ -44,7 +44,7 @@
- 
- INCLUDES=-I$(top_srcdir)/include
- 
--noinst_PROGRAMS = client server
-+noinst_PROGRAMS = client server sample-client sample-server
- EXTRA_PROGRAMS = sample-client sample-server
- CLEANFILES=sample-client sample-server ./.libs/*sample-client ./.libs/*sample-server
- 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/patches/110-solaris-configure.patch	Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,31 @@
+# Developed in-house at Oracle
+# File bug 3239 upstream asking for a configure option to give a path or name
+# for the openldap library.
+# http://bugzilla.cyrusimap.org/show_bug.cgi?id=3929
+
+diff -rupN old/configure.in new/configure.in
+--- old/configure.in	2016-02-23 19:24:33.185997552 -0800
++++ new/configure.in	2016-02-24 10:14:11.001802600 -0800
+@@ -968,7 +968,7 @@ if test "$ldapdb" != no; then
+         CMU_OPENLDAP_API
+ 
+         if test "$cmu_cv_openldap_api" = yes; then
+-            AC_CHECK_LIB(ldap, ldap_initialize, [ cmu_link_openldap="-lldap -llber" ], [ cmu_link_openldap=no ],-llber)
++            AC_CHECK_LIB(ldap_r, ldap_initialize, [ cmu_link_openldap="-lldap_r -llber" ], [ cmu_link_openldap=no ],-llber)
+         fi
+     fi
+ 
+diff -rupN old/saslauthd/configure.in new/saslauthd/configure.in
+--- old/saslauthd/configure.in	2016-02-23 19:24:48.448493822 -0800
++++ new/saslauthd/configure.in	2016-02-24 06:26:13.041626875 -0800
+@@ -138,8 +138,8 @@ fi
+ 
+ LDAP_LIBS=""
+ if test "$with_ldap" != no; then
+-  AC_CHECK_LIB(ldap, ldap_initialize, [ AC_DEFINE(HAVE_LDAP,[],[Support for LDAP?])
+-                                        LDAP_LIBS="-lldap -llber"
++  AC_CHECK_LIB(ldap_r, ldap_initialize, [ AC_DEFINE(HAVE_LDAP,[],[Support for LDAP?])
++                                        LDAP_LIBS="-lldap_r -llber"
+ 					if test "$with_openssl" != "no"; then
+ 					    LDAP_LIBS="$LDAP_LIBS -lcrypto $LIB_RSAREF"
+ 					fi],,-llber)
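Review bot: The header comment says `File bug 3239 upstream` while the URL two lines below it is `show_bug.cgi?id=3929`, so one of the two numbers is presumably a transposition and the comment should match the URL. The patch also hard-codes `ldap_r` in both `AC_CHECK_LIB` calls instead of adding the configure option the comment asks upstream for. Where `libldap_r` is absent, the first check sets `cmu_link_openldap=no` and the second leaves `HAVE_LDAP` undefined, with no fallback to `-lldap`. A header line such as `# Solaris-only stopgap: links against libldap_r unconditionally` would make that limitation explicit.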
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/patches/111-fix-html-doc-links.patch	Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,39 @@
+# This patch has been fed upstream.
+# Patch to remove links to documents that are no longer available, fix
+# changed links.
+# http://bugzilla.cyrusimap.org/show_bug.cgi?id=3930
+
+diff -rupN old/doc/index.html new/doc/index.html
+--- old/doc/index.html	2016-04-07 17:43:16.583489776 -0700
++++ new/doc/index.html	2016-04-12 11:01:09.353415779 -0700
+@@ -40,7 +40,6 @@ library distribution</B></A>
+ <b>Special Platforms</b>
+ <ul>
+ <li> <a href="macosx.html"><b>Mac OS X Build Guide</b></a>
+-<li> <a href="os390.html"><b>OS/390 Build Guide</b></a>
+ <li> <a href="windows.html"><b>Win32 Build Guide</b></a>
+ </ul>
+ 
+diff -rupN old/doc/install.html new/doc/install.html
+--- old/doc/install.html	2016-04-07 17:43:16.597328339 -0700
++++ new/doc/install.html	2016-04-12 11:01:33.989542591 -0700
+@@ -218,7 +218,6 @@ can be linked against other dynamic obje
+ library file extension is ".so", or where libtool creates the .la
+ files correctly.  There is also documentation for
+ <a href=windows.html>Win32</a>, <a href=macosx.html>MacOS X</a>, and
+-<a href=os390.html>OS/390</a>.
+ 
+ <hr>
+ Back to the <a href="index.html">index</a>
+diff -rupN old/doc/readme.html new/doc/readme.html
+--- old/doc/readme.html	2016-04-07 17:43:16.589392684 -0700
++++ new/doc/readme.html	2016-04-12 11:02:38.062666985 -0700
+@@ -102,7 +102,7 @@ we only have static Krb5 libraries; the
+ these libraries in on platforms that support it (Solaris and Linux
+ among them) but it does not.  It also doesn't always get the runpath
+ of libraries correct.
+-<li>Also see our <A HREF=http://bugzilla.andrew.cmu.edu>bugzilla</A>.
++<li>Also see our <A HREF="http://bugzilla.cyrusimap.org/index.cgi">bugzilla</A>.
+ </ul>
+ 
+ <H2>AUTHORS</H2>
--- a/components/cyrus-sasl/test/TestSuite.conf	Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/test/TestSuite.conf	Wed Apr 27 16:55:22 2016 -0700
@@ -19,7 +19,7 @@
 #
 # Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
 
-# Default test parameters
+# Default test parameters, NOT default production parameters.
 auxprop_plugin: sasldb
 canon_user_plugin: INTERNAL
 mech_list:  LOGIN PLAIN EXTERNAL OTP CRAM-MD5 DIGEST-MD5 ANONYMOUS GSSAPI SCRAM-SHA-1
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/test/setup-for-mit	Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,212 @@
+#!/bin/ksh93 -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+# have to use longer string because the end of security/kerberos5 matches
+# 2 packages, old and new.
+PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
+	pkg://solaris/security/kerberos-5 \
+	security/kerberos-5/kdc "
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+	pkg install $PACKAGES_NEEDED
+fi
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+	echo "One or more packages failed to install"
+	exit 1
+fi
+
+passwd="1234"
+
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+if ! $force
+then
+	ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
+fi
+
+trap - ERR # in kdcmgr destroy fails, run it again
+yes | /usr/sbin/kdcmgr destroy > /dev/null
+if (( $? != 0 ))
+then
+	yes | /usr/sbin/kdcmgr destroy > /dev/null
+fi
+print "Existing KDC config destroyed."
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
+
+print $passwd > $passwd_file
+
+# create the master KDC
+if [[ -n $master_kdc ]]
+then
+	/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
+else
+	/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
+fi
+
+rm -f $passwd_file
+
+# Optional stuff follows...
+
+# Note, this next section is adding various service principals local to
+# this system.  If you have servers running on other systems, edit this
+# section to add the services using the FQDN hostnames of those systems
+# and ouput the keytab to a non-default filename.
+# You will then either copy the non-default filename created on the
+# system you ran this script on or login to the other system and do a
+# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
+# located on that server.
+
+# addprincs if not in slave mode
+if [[ -z $master_kdc ]]
+then
+	if [[ -n "$kt_config_file" ]]
+	then
+		if ! $force
+		then
+			ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
+		fi
+		while read host services
+		do
+			if [[ "$host" == "#*" ]]
+			then
+				# skip comments
+				continue
+			fi
+			if [[ "$host" != "localhost" ]]
+			then
+				hostkeytab="/var/run/${host}.keytab"
+				rm -f $hostkeytab
+				kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
+			fi
+			for service in $services
+			do
+				if [[ "$host" == "localhost" ]]
+				then
+					# add service to KDC's keytab
+					kadmin.local -q "addprinc -randkey $service/$fqdn"
+					kadmin.local -q "ktadd $service/$fqdn"
+					print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
+				else
+					# add service to $host's keytab
+					kadmin.local -q "addprinc -randkey $service/$host"
+					kadmin.local -q "ktadd -k $hostkeytab $service/$host"
+					print "\nAdded $service/$host to $hostkeytab"
+				fi
+			done
+			((num_keytabs = num_keytabs + 1))
+		done < $kt_config_file
+	fi
+
+	if [[ -n "$crossrealm" ]]
+	then
+		# Setup  Cross-realm auth.
+		kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
+		kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
+		print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
+	fi
+
+	# Optional, Add service principals on KDC
+	for srv in nfs ldap smtp imap cifs
+	do
+		# randomizes the key anyway so use the -randkey option for addprinc).
+		kadmin.local -q "addprinc -randkey $srv/$fqdn"
+		kadmin.local -q "ktadd $srv/$fqdn"
+	done
+
+
+	# "tester" needed for setup
+	kadmin.local -q "addprinc -pw $passwd tester"
+
+	# "ken" needed for test
+	echo "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
+	kadmin.local -q "addprinc -pw $passwd ken"
+
+fi # addprincs if not in slave mode
+
+# turn off err trap because svcadm below may return an unimportant error
+trap "" ERR
+
+if ! egrep '^[ 	]*krb5[ 	]+390003' /etc/nfssec.conf > /dev/null
+then
+	tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
+	[[ -n $tmpnfssec ]] || exit 1
+	sed  -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
+	mv -f $tmpnfssec /etc/nfssec.conf
+	print 'Enabled krb5 sec in /etc/nfssec.conf.'
+	print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
+	print
+fi
+
+# get time and DNS running
+
+if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
+then
+	cp /etc/inet/ntp.client /etc/inet/ntp.conf
+fi
+if [[ -f /etc/inet/ntp.conf ]]
+then
+	svcadm enable -s svc:/network/ntp:default
+fi
+
+svcadm enable -s svc:/network/security/ktkt_warn:default
+
+if ! svcadm enable -s svc:/network/rpc/gss:default
+then
+        svcs -x svc:/network/rpc/gss:default
+    cat <<-EOF
+
+Error, the gss service did not start.  You will not be able to do nfssec with sec=krb5*
+
+EOF
+    exit 1
+fi
+
+tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
+[[ -n $tmpccache ]] || exit 1
+if ! print "$passwd" | kinit -c $tmpccache tester
+then
+        print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
+        exit 1
+fi
+
+integer i=0
+while ((i < num_keytabs))
+do
+        if ((i == 0))
+        then
+                print "\nRun the following commands to transfer generated keytabs:"
+        fi
+        print ${kt_transfer_command[i]}
+        ((i = i + 1))
+done
+
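Review bot: The comment-skipping test `[[ "$host" == "#*" ]]` in the `while read host services` loop never matches a comment line, because a quoted right-hand side inside `[[ ]]` is compared literally rather than as a pattern. A line starting with `#` in `$kt_config_file` is therefore treated as a host, and the loop goes on to `rm -f` a `/var/run/….keytab` path and add principals built from the comment's words. Writing the test as `if [[ "$host" == \#* ]]` restores the intended skip; the same test appears in setup-for-seam. Separately, in both scripts `tmpccache` is created under /tmp for `kinit -c $tmpccache tester` and never removed, so a `rm -f $tmpccache` after the kinit check would avoid leaving a ticket cache behind.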
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/test/setup-for-seam	Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,241 @@
+#!/bin/ksh93 -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
+	service/security/kerberos-5 \
+	system/security/kerberos-5 "
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+	pkg install $PACKAGES_NEEDED
+fi
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+	echo "One or more packages failed to install"
+	exit 1
+fi
+
+
+passwd="1234"
+
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+svcadm disable -s svc:/network/security/krb5kdc:default
+svcadm disable -s svc:/network/security/kadmin:default
+svcadm disable -s svc:/network/security/krb5_prop:default
+
+if ! $force
+then
+	ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
+fi
+
+trap - ERR # in kdcmgr destroy fails, run it again
+yes | /usr/sbin/kdcmgr destroy > /dev/null
+if (( $? != 0 ))
+then
+	yes | /usr/sbin/kdcmgr destroy > /dev/null
+fi
+print "Existing KDC config destroyed."
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
+
+print $passwd > $passwd_file
+
+# create the master KDC
+if [[ -n $master_kdc ]]
+then
+	/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
+else
+	/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
+fi
+
+rm -f $passwd_file
+
+# Optional stuff follows...
+
+# Note, this next section is adding various service principals local to
+# this system.  If you have servers running on other systems, edit this
+# section to add the services using the FQDN hostnames of those systems
+# and ouput the keytab to a non-default filename.
+# You will then either copy the non-default filename created on the
+# system you ran this script on or login to the other system and do a
+# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
+# located on that server.
+
+# addprincs if not in slave mode
+if [[ -z $master_kdc ]]
+then
+	if [[ -n "$kt_config_file" ]]
+	then
+		if ! $force
+		then
+			ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
+		fi
+		while read host services
+		do
+			if [[ "$host" == "#*" ]]
+			then
+				# skip comments
+				continue
+			fi
+			if [[ "$host" != "localhost" ]]
+			then
+				hostkeytab="/var/run/${host}.keytab"
+				rm -f $hostkeytab
+				kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
+			fi
+			for service in $services
+			do
+				if [[ "$host" == "localhost" ]]
+				then
+					# add service to KDC's keytab
+					kadmin.local -q "addprinc -randkey $service/$fqdn"
+					kadmin.local -q "ktadd $service/$fqdn"
+					print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
+				else
+					# add service to $host's keytab
+					kadmin.local -q "addprinc -randkey $service/$host"
+					kadmin.local -q "ktadd -k $hostkeytab $service/$host"
+					print "\nAdded $service/$host to $hostkeytab"
+				fi
+			done
+			((num_keytabs = num_keytabs + 1))
+		done < $kt_config_file
+	fi
+
+	if [[ -n "$crossrealm" ]]
+	then
+		# Setup  Cross-realm auth.
+		kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
+		kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
+		print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
+	fi
+
+	# Optional, Add service principals on KDC
+	for srv in nfs ldap smtp imap cifs
+	do
+		# randomizes the key anyway so use the -randkey option for addprinc).
+		kadmin.local -q "addprinc -randkey $srv/$fqdn"
+		kadmin.local -q "ktadd $srv/$fqdn"
+	done
+
+
+	# "tester" needed for setup
+	kadmin.local -q "addprinc -pw $passwd tester"
+
+	# "ken" needed for test
+	echo "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
+	kadmin.local -q "addprinc -pw $passwd ken"
+
+fi # addprincs if not in slave mode
+
+# turn off err trap because svcadm below may return an unimportant error
+trap "" ERR
+
+if ! egrep '^[ 	]*krb5[ 	]+390003' /etc/nfssec.conf > /dev/null
+then
+	tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
+	[[ -n $tmpnfssec ]] || exit 1
+	sed  -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
+	mv -f $tmpnfssec /etc/nfssec.conf
+	print 'Enabled krb5 sec in /etc/nfssec.conf.'
+	print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
+	print
+fi
+
+# get time and DNS running
+
+if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
+then
+	cp /etc/inet/ntp.client /etc/inet/ntp.conf
+fi
+if [[ -f /etc/inet/ntp.conf ]]
+then
+	svcadm enable -s svc:/network/ntp:default
+fi
+
+
+svcadm enable svc:/network/security/ktkt_warn:default
+
+if ! svcadm enable -s svc:/network/security/krb5kdc:default
+then
+	svcs -x svc:/network/security/krb5kdc:default
+    cat <<-EOF
+
+Error, the krb5kdc daemon did not start.  You will not be able to do Kerberos
+authentication.  Check your kerberos config and rerun this script.
+
+	EOF
+    exit 1
+fi
+
+if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default
+then
+	svcs -x svc:/network/security/kadmin:default
+    cat <<-EOF
+
+Error, the kadmind daemon did not start.  You will not be able to change
+passwords or run the kadmin command.  Make sure /etc/krb5/kadm5.acl is
+configured properly and rerun this script.
+
+	EOF
+    exit 1
+fi
+
+if ! svcadm enable -s svc:/network/rpc/gss:default
+then
+	svcs -x svc:/network/rpc/gss:default
+    cat <<-EOF
+
+Error, the gss service did not start.  You will not be able to do nfssec with sec=krb5*
+
+	EOF
+    exit 1
+fi
+
+tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
+[[ -n $tmpccache ]] || exit 1
+if ! print "$passwd" | kinit -c $tmpccache tester
+then
+	print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
+	exit 1
+fi
+
+integer i=0
+while ((i < num_keytabs))
+do
+	if ((i == 0))
+	then
+		print "\nRun the following commands to transfer generated keytabs:"
+	fi
+	print ${kt_transfer_command[i]}
+	((i = i + 1))
+done
+
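Review bot: The three `svcadm disable -s` calls for krb5kdc, kadmin and krb5_prop run before the `ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"` prompt, so the KDC services are already stopped when the operator is asked. Declining presumably leaves them disabled, though `ok_to_proceed` is defined outside this file, so that depends on what it does on a "no". Moving the three `svcadm disable` lines below the `if ! $force … fi` block would mean nothing is touched until the operator has confirmed.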
--- a/components/cyrus-sasl/test/setup_testsuite	Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/test/setup_testsuite	Wed Apr 27 16:55:22 2016 -0700
@@ -29,10 +29,6 @@
 # -- create/recreate the KDC principal DB
 # -- create a sasldb
 
-#TODO
-# -- create a TestSuite.conf file for a default simple test
-
-#PATH=/usr/bin:/usr/sbin:/usr/gnu/bin
 
 export THIRTYTWO
 case `uname -p` in
@@ -50,7 +46,7 @@
 
 
 # realm used as default, edit if a different realm is desired.
-realm="SASLTEST.NET"
+export realm="SASLTEST.NET"
 # realm for cross-realm auth.
 crossrealm=
 
@@ -61,7 +57,8 @@
 # Be default you would do: "kadmin -p kdc/admin" and use the passwd above.
 admin_princ="kdc/admin"
 
-# used to determine if in batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode
+# used to determine if in
+# batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode
 force='false'
 check_leaks='false'
 
@@ -70,8 +67,6 @@
 num_keytabs=0
 set -A kt_transfer_command
 
-ldap_ds=
-
 # should be null if seting up master kdc
 master_kdc=
 
@@ -147,7 +142,7 @@
 
 if [[ -f .setup ]]
 then
-	print -u2 "Notice: $me alread run"
+	print -u2 "Notice: $me already run"
 	exit 0
 fi
 
@@ -167,24 +162,10 @@
 fi
 ln -s $THIRTYTWO 32
 
-PACKAGES_NEEDED="service/security/kerberos-5 \
-	system/security/kerberos-5 \
-	system/library/security/sasl/crammd5 \
+export SASL_PACKAGES_NEEDED="system/library/security/sasl/crammd5 \
 	system/library/security/sasl/digestmd5 \
 	system/library/security/sasl/anonymous "
 
-pkg list $PACKAGES_NEEDED > /dev/null
-if (( $? != 0 ))
-then
-	pkg install $PACKAGES_NEEDED
-fi
-
-pkg list $PACKAGES_NEEDED > /dev/null
-if (( $? != 0 ))
-then
-	echo "One or more packages failed to install"
-	exit 1
-fi
 
 export MYLOC=`pwd`
 if [[ ! -f /etc/sasl2/TestSuite.conf ]] ; then
@@ -224,134 +205,6 @@
     exit 1
 fi
 
-passwd="1234"
-
-trap "echo 'A command failed, aborting.'; exit 1" ERR
-
-svcadm disable -s svc:/network/security/krb5kdc:default
-svcadm disable -s svc:/network/security/kadmin:default
-svcadm disable -s svc:/network/security/krb5_prop:default
-
-if ! $force
-then
-	ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
-fi
-
-trap - ERR # in kdcmgr destroy fails, run it again
-yes | /usr/sbin/kdcmgr destroy > /dev/null
-if (( $? != 0 ))
-then
-	yes | /usr/sbin/kdcmgr destroy > /dev/null
-fi
-print "Existing KDC config destroyed."
-trap "echo 'A command failed, aborting.'; exit 1" ERR
-
-passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
-
-print $passwd > $passwd_file
-
-# create the master KDC
-if [[ -n $master_kdc ]]
-then
-	/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
-else
-	/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
-fi
-
-rm -f $passwd_file
-
-# Optional stuff follows...
-
-# Note, this next section is adding various service principals local to
-# this system.  If you have servers running on other systems, edit this
-# section to add the services using the FQDN hostnames of those systems
-# and ouput the keytab to a non-default filename.
-# You will then either copy the non-default filename created on the
-# system you ran this script on or login to the other system and do a
-# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
-# located on that server.
-
-# addprincs if not in slave mode
-if [[ -z $master_kdc ]]
-then
-	if [[ -n "$kt_config_file" ]]
-	then
-		if ! $force
-		then
-			ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
-		fi
-		while read host services
-		do
-			if [[ "$host" == "#*" ]]
-			then
-				# skip comments
-				continue
-			fi
-			if [[ "$host" != "localhost" ]]
-			then
-				hostkeytab="/var/run/${host}.keytab"
-				rm -f $hostkeytab
-				kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
-			fi
-			for service in $services
-			do
-				if [[ "$host" == "localhost" ]]
-				then
-					# add service to KDC's keytab
-					kadmin.local -q "addprinc -randkey $service/$fqdn"
-					kadmin.local -q "ktadd $service/$fqdn"
-					print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
-				else
-					# add service to $host's keytab
-					kadmin.local -q "addprinc -randkey $service/$host"
-					kadmin.local -q "ktadd -k $hostkeytab $service/$host"
-					print "\nAdded $service/$host to $hostkeytab"
-				fi
-			done
-			((num_keytabs = num_keytabs + 1))
-		done < $kt_config_file
-	fi
-
-	if [[ -n "$crossrealm" ]]
-	then
-		# Setup  Cross-realm auth.
-		kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
-		kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
-		print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
-	fi
-
-	# Optional, Add service principals on KDC
-	for srv in nfs ldap smtp imap cifs
-	do
-		# randomizes the key anyway so use the -randkey option for addprinc).
-		kadmin.local -q "addprinc -randkey $srv/$fqdn"
-		kadmin.local -q "ktadd $srv/$fqdn"
-	done
-
-
-	# "tester" needed for setup
-	kadmin.local -q "addprinc -pw $passwd tester"
-
-	# "ken" needed for test
-	echo "1234" | saslpasswd2 -c -p -f ./sasldb ken
-	kadmin.local -q "addprinc -pw $passwd ken"
-
-fi # addprincs if not in slave mode
-
-# turn off err trap because svcadm below may return an unimportant error
-trap "" ERR
-
-if ! egrep '^[ 	]*krb5[ 	]+390003' /etc/nfssec.conf > /dev/null
-then
-	tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
-	[[ -n $tmpnfssec ]] || exit 1
-	sed  -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
-	mv -f $tmpnfssec /etc/nfssec.conf
-	print 'Enabled krb5 sec in /etc/nfssec.conf.'
-	print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
-	print
-fi
-
 # get time and DNS running
 
 if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
@@ -363,63 +216,27 @@
 	svcadm enable -s svc:/network/ntp:default
 fi
 
-
-svcadm enable svc:/network/security/ktkt_warn:default
+export KMODE="mit"
+set -A MEDIATOR `pkg mediator -H kerberos5`
 
-if ! svcadm enable -s svc:/network/security/krb5kdc:default
-then
-	svcs -x svc:/network/security/krb5kdc:default
-    cat <<-EOF
+case ${MEDIATOR[3]} in
 
-Error, the krb5kdc daemon did not start.  You will not be able to do Kerberos
-authentication.  Check your kerberos config and rerun this script.
+	"solaris" )   # old kerberos configured
+		KMODE="seam"
+		;;
 
-	EOF
-    exit 1
-fi
+	*)	# "MIT" or mediator does not exist
+		KMODE="mit"
+		;;
+esac
 
-if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default
+. ./setup-for-$KMODE
+if (( $? != 0 ))
 then
-	svcs -x svc:/network/security/kadmin:default
-    cat <<-EOF
-
-Error, the kadmind daemon did not start.  You will not be able to change
-passwords or run the kadmin command.  Make sure /etc/krb5/kadm5.acl is
-configured properly and rerun this script.
-
-	EOF
-    exit 1
+        print -u2 "Setup failed"
+        exit 1
 fi
 
-if ! svcadm enable -s svc:/network/rpc/gss:default
-then
-	svcs -x svc:/network/rpc/gss:default
-    cat <<-EOF
 
-Error, the gss service did not start.  You will not be able to do nfssec with sec=krb5*
-
-	EOF
-    exit 1
-fi
-
-tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
-[[ -n $tmpccache ]] || exit 1
-if ! print "$passwd" | kinit -c $tmpccache tester
-then
-	print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
-	exit 1
-fi
-
-integer i=0
-while ((i < num_keytabs))
-do
-	if ((i == 0))
-	then
-		print "\nRun the following commands to transfer generated keytabs:"
-	fi
-	print ${kt_transfer_command[i]}
-	((i = i + 1))
-done
-
-print 1234 | kinit ken
+print "$passwd" | kinit ken
 touch .setup
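Review bot: `print "$passwd" | kinit ken` is not checked before `touch .setup`, and the sourced setup-for-* scripts leave `trap "" ERR` in effect, so a failed kinit still marks setup as done and later runs stop at the `already run` notice. `print "$passwd" | kinit ken || { print -u2 "kinit for ken failed"; exit 1; }` would prevent that. The `(( $? != 0 ))` test after `. ./setup-for-$KMODE` only sees the status of the last command in the sourced file, and those scripts call `exit 1` themselves on failure, so the `Setup failed` branch is unlikely to be reached as written. `passwd` is now defined only inside the sourced scripts, which deserves a comment beside the kinit line, for example `# passwd is set by setup-for-$KMODE`.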
--- a/components/openldap/openldap.p5m	Wed Apr 27 16:15:18 2016 -0700
+++ b/components/openldap/openldap.p5m	Wed Apr 27 16:55:22 2016 -0700
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability committed>
@@ -513,10 +513,6 @@
     uid=75
 license openldap.license license="openldap license"
 # This dependency is because we are building against cyrus-sasl from its proto
-# area and bypassing the auto-generated dependency.  When libsasl is updated,
-# this version number really should be adjusted, but the userland-incorporation
-# will force the cyrus-sasl packaging and openldap packaging to be from the same
-# build and not just this version or later.
-# The strange version number is caused by historical versioning in ON and will
-# go away when the libsasl package name is changed to libsasl2
-depend type=require fmri=pkg:/system/library/security/[email protected]
+# area and bypassing the auto-generated dependency.  When upstream libsasl
+# is updated, this version number must be adjusted.
+depend type=require fmri=pkg:/system/library/security/[email protected]