Drop Mozilla LDAP SDK detection, update --with-ldap code

[yadij]

Mozilla has not maintained their LDAP SDK since 2017:
https://wiki.mozilla.org/LDAP_C_SDK#Latest_News_-_10.2F13.2F2017

Admin needing to use that SDK can ./configure Squid with:

--with-ldap=/path/to/sdk CPPFLAGS=-I/path/to/sdk/mozldap

[kinkie]

Ok to test

[kinkie]

It seems that centos-8 and centos-stream-8 do not ship openldap's pkg-config file :\

[rousskov]

It seems that centos-8 and centos-stream-8 do not ship openldap's pkg-config file :\

AFAICT,

• CentOS Linux 8 reached EOL on December 31st, 2021.
• CentOS Stream 8 will stop being maintained in May 2024.

Perhaps we can treat LDAP SDKs on those two platforms the same way this PR currently treats Mozilla LDAP SDK (i.e. document how to build with those (arguably deficient) SDKs instead of hard-coding those instructions into Squid master/v7)?

[kinkie]

That's a fair point; should we drop CentOS 8 as a target platform now?
RHEL 8 is still supported

[rousskov]

should we drop CentOS 8 as a target platform now?

I do not know what that would mean, so I cannot answer that question. My comment was specific to Squid LDAP auto-detection code and to the desire to make that specific automation/convenience feature require pkg-config files (among other "standard" things in modern environments), assuming PR Squid can still build (using custom ./configure parameters) with LDAP support on all the exceptional/older platforms where official Squid builds with LDAP support now (by default).

[yadij]

Yes to Dropping CentOS 8 - should have happened with v6 release.

I am on the fence about the "Stream" flavours since they are RHEL now which we already support separately.

[kinkie]

Yes to Dropping CentOS 8 - should have happened with v6 release.

I am on the fence about the "Stream" flavours since they are RHEL now which we already support separately.

Let me try to be clearer:
This PR fails merge testing becasue centos-8 and centos-stream-8 lack a proper pkg-config file for libldap.

This means that the only ways to not regress our merge testing are to drop both or to do some platform-specific shenanigans in our jenkins (and github actions, if we migrate to them fully or partly) harnesses.

Which should it be?

[rousskov]

This PR fails merge testing becasue centos-8 and centos-stream-8 lack a proper pkg-config file for libldap.

Our options include:

1. Stop requiring¹ LDAP support in CI testing (on any platform).
2. Stop requiring¹ LDAP support in CI testing (on CentOs 8² platforms).
3. Stop requiring¹ LDAP support in CI testing (on CentOs 8 CI nodes).
4. Provide custom ./configure options (or some such) to work around the lack of CentOS-provided package files (on CentOS 8 CI nodes).
5. Do not run CI tests on CentOs 8 platforms.

My preferences, from the most to the least preferred, are 1 ("universal"), 4 ("eat our own dog food"), and 5 ("simple").

Footnotes

1. There are several ways to do that, and we would need to agree on the best way, but it is obvious that we do not have to require that LDAP is supported on every platform we may be interested in for CI testing purposes. ↩ ↩² ↩³

2. In this message, "CentOS 8" stands for centos-8 and/or centos-stream-8, whatever is left in CI after this discussion. ↩

[kinkie]

I have retired centos-8 from the build farm.
Running test-builds.sh with LIBLDAP_LIBS='-lldap -llber' is successful on Centos Stream 8, but that's not the correct solution; we currently accept to not mandate tests for features that have external dependencies (see comments in layer-02-maximus), so what we need to do is to have a better detection of functional requirements to build helpers.

[kinkie]

Commit 558b388 implements the stricter requirements checking for helpers; it passes the build on Centos Stream 8 and 9; a diff of the build log output for the two releases is attached

maximus-build-log.diff.gz

[kinkie]

@yadij this seems good to go; I'll approve it after my own changes, but please do recheck it

[rousskov]

I do not insist on this polishing, but it may help avoid the false implication that Squid no longer works with Mozilla LDAP SDK:

Suggested change

	<p>Removed special support for outdated Mozilla LDAP SDK.
	<em>--with-ldap=/path/to/sdk CPPFLAGS="-I/path/to/sdk/mozldap"</em>
	can be used if needed.
	<p>Removed workarounds for outdated Mozilla LDAP SDK. Use
	<em>--with-ldap=/path/to/sdk CPPFLAGS="-I/path/to/sdk/mozldap"</em>
	to ./configure Squid to build with that SDK.

[yadij]

Implication is correct: Squid default builds will not work with Mozilla LDAP SDK after this patch is applied.

The custom path and CPPFLAGS are required for that LDAP SDK to be working at all.

[rousskov]

Implication is correct: Squid default builds will not work with Mozilla LDAP SDK after this patch is applied.

The above implication is not the false implication I recommend avoiding in my change request.

[yadij]

Then why did you use those words? "false implication that Squid no longer works with Mozilla LDAP SDK"

[rousskov]

Then why did you use those words? "false implication that Squid no longer works with Mozilla LDAP SDK"

I used the words I used because I believed they accurately described the problem. I still believe that they do.

There is obviously a difference between my description and the description in your response. The two phrases do not describe the same thing. The description in your response is about whether "default builds" work with Mozilla LDAP SDK. The concept of "support" goes beyond default builds, of course -- Squid may support X even though Squid default build does not support X. My description is about that general "support" concept.

[rousskov]

Feels wrong to change LIBLDAP_LIBS that was set by admin. Should this be conditional on LIBLDAP_LIBS being empty?

[yadij]

Maybe, for now I am leaving the logic inside this case as-was. Testing changes to it need some testing on MinGW which we are not quite up to doing (yet)

[rousskov]

That excuse itself is very weak, but when combined with the fact that this PR does change the condition, it becomes invalid.

AFAICT, the PRs in this series routinely introduce untested changes. That is just the nature of this work, given our current CI limitations. IMO, we should not apply "need some testing before I modify this further" logic when dealing with changes that appear to violate basic rules. Given the two evils, I recommend increasing the risk of breaking MinGW build instead of committing such violations. These changes should be moving us forward as far as code quality is concerned. We can fix marginal builds later, as needed.

[rousskov]

Why do we have to place this special code outside of SQUID_CHECK_LIB_WORKS()?

[yadij]

To extract it for now outside the other logic. I would like to later (n the MinGW work) identify whether it is actually needed, or if we should have a completely separate library option+check for the Windows LDAP.

[rousskov]

Alex: Why do we have to place this special code outside of SQUID_CHECK_LIB_WORKS()?

Amos: To extract it for now outside the other logic

That sentence does not appear to answer the "why" question. It essentially restates the fact accepted by the question.

Amos: I would like to later identify whether it is actually needed, or if we should have a completely separate library option+check for the Windows LDAP.

I see no reason to move this special code to accomplish the stated "identify the need" and associated possible refactoring goals. AFAICT, the move itself contradicts the intent behind SQUID_CHECK_LIB_WORKS() approach. We should not move unless there is a very compelling argument for doing so. No such argument has been provided AFAICT.

[yadij]

Replaced by PR #1736