From 2623cee389b6a93b2096f494456490b5cf1f55ec Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Tue, 24 May 2016 15:49:48 -0500
Subject: [PATCH] Do not search system paths for non-ccapi plugins

On OS X anyways, since Heimdal cannot be built to replace the system
Kerberos implementation in OS X (even though it's based on Heimdal).

Heimdal plugins other than the CCAPI plugins have private ABIs with
strong coupling to the internals of the Heimdal libraries, thus using
system plugins in a non-system Heimdal is likely to end in tears (e.g.,
segfaults).

This means, for example, that OS X's plugins for PAC creation and
verification cannot be used by Heimdal.
---
 lib/krb5/context.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index e4a70796d..5cd8e0f69 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -348,8 +348,10 @@ static const char *sysplugin_dirs[] =  {
 #endif
 #ifdef __APPLE__
     LIBDIR "/plugin/krb5",
+#ifdef HEIM_PLUGINS_SEARCH_SYSTEM
     "/Library/KerberosPlugins/KerberosFrameworkPlugins",
     "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
+#endif
 #endif
     NULL
 };