pkg/41634: Kerberos for openldap doesn't install kerberos support

[lloyd%must-have-coffee.gen.nz@localhost]

>Number:         41634
>Category:       pkg
>Synopsis:       Kerberos for openldap doesn't install kerberos support
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 25 00:00:00 +0000 2009
>Originator:     Lloyd Parkes
>Release:        5.0
>Organization:
Must Have Coffee
>Environment:
NetBSD archangel.must-have-coffee.gen.nz 5.0 NetBSD 5.0 (GENERIC) #0: Sat May  
2 23:18:37 NZST 2009  
lloyd%rhox.must-have-coffee.gen.nz@localhost:/vol/scratch/obj5/sparc64/sys/arch/sparc64/compile/GENERIC
 sparc64
>Description:
When you build and install databases/openldap-server, with the "kerberos" 
package option, the resulting system doesn't actually use Kerberos. The 
Kerberos option merely switches on the "sasl" option, which in turn creates a 
dependency on security/cyrus-sasl and adds the correct configure flag. None of 
these bits supply Kerberos authentication. cyrus-sasl is only a framework, and 
doesn't supply an authentication mechanism. 
>How-To-Repeat:
Build and install openldap and then wonder why you aren't offered 
GSSAPI/Kerberos authentication.
>Fix:
Add security/cy2-gssapi as a runtime dependency for the openldap packages if 
the kerberos option is set. I know that this isn't a normal runtime dependency 
in that the program will run without cy2-gssapi, but if the sysadmin builds 
with the kerberos option set, then that have made a clear statement that they 
expect the resulting package to use Kerberos.

If the sysadmin doesn't want to install cy2-gssapi when they install 
openldap-server, then they should build with the sasl option and not the 
kerberos option.