ppolicy: unable to assign default policy to an individual user account
by Scott Phelps
Environment:
===============
* OS:
Ubuntu Feisty 7.04
* Slapd Version:
slapd 2.3.30
* Apt-Package Compile Options (per launchpadlibrarian.net):
--prefix=/usr --libexecdir='${prefix}/lib'
--sysconfdir=/etc --localstatedir=/var
--mandir='${prefix}/share/man'
--enable-debug --enable-dynamic
--enable-syslog
--enable-proctitle
--enable-ipv6
--enable-local
--enable-slapd
--enable-aci
--enable-cleartext
--enable-crypt
--enable-spasswd
--enable-modules
--enable-rewrite
--enable-rlookups
--enable-slp
--enable-wrappers
--enable-backends=mod
--enable-ldbm=no
--enable-overlays=mod
--enable-slurpd
--with-subdir=ldap
--with-cyrus-sasl
--with-threads
--with-tls
* slapd.conf (abridged)
=============
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/autofs.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/authldap.schema
include /etc/ldap/schema/solaris.schema
include /etc/ldap/schema/solaris-nis.schema
include /etc/ldap/schema/solarisdua.schema
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload ppolicy
schemacheck on
TLSCipherSuite #####SECRET######
TLSCertificateFile #####SECRET######
TLSCertificateKeyFile #####SECRET######
TLSCACertificateFile #####SECRET######
database bdb
# Overlay Directives
overlay ppolicy
ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######"
ppolicy_use_lockout
directory "/var/lib/ldap"
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
access to dn.children="ou=people,#####SECRET######" attrs=userPassword
by group/groupOfNames/member="#####SECRET######" write
by self write
by * auth
* defaultPolicy.ldif
========================
dn: cn=defaultPolicy,ou=policies,#####SECRET######
cn: defaultPolicy
objectClass: organizationalRole
objectClass: pwdPolicy
objectClass: top
pwdLockout: TRUE
pwdMaxFailure: 3
pwdAttribute: userPassword
pwdGraceAuthNLimit: 3
pwdLockoutDuration: 15
pwdAllowUserChange: TRUE
* ppolicytest.ldif
=========================
dn: uid=ppolicytest,ou=people,#####SECRET######
uid: ppolicytest
uidNumber: 1012
gidNumber: 100
homeDirectory: /home/ppolicytest
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: e4c33596-d832-102b-8c70-39998be84848
creatorsName: #####SECRET######
createTimestamp: 20070806063457Z
pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET######
userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
pwdChangedTime: 20070806070643Z
cn: ppolicytest
entryCSN: 20070806070815Z#000000#00#000000
modifiersName: #####SECRET######
modifyTimestamp: 20070806070815Z
entryDN: uid=ppolicytest,ou=people,#####SECRET######
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
So with this all in place I get no errors starting slapd (the module
gets loaded). I run the following command 4 times:
ldapsearch -P 3 -x -LLL -e ppolicy -D
"uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"
I enter an incorrect password each time; however, the account never gets
locked out and the operational attributes never change.
TIA, for any advice!
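As an added example (not part of the original post or of OpenLDAP itself), here is a small offline model of how slapo-ppolicy evaluates lockout, fed with the defaultPolicy values above and a constructed entry state; dc=example,dc=com stands in for the redacted suffix. Two things it makes visible: pwdLockoutDuration is in seconds, so a value of 15 keeps the account locked for only fifteen seconds, and a bind DN that does not match any entry (compare uid=ppolictest in the command above with the entry's uid=ppolicytest) fails before there is an entry on which pwdFailureTime could be recorded.

```python
from datetime import datetime, timedelta, timezone

# Constructed input: the defaultPolicy values from above and the test entry as
# ppolicy leaves it after three failed binds (dc=example,dc=com is a placeholder).
POLICY_LDIF = """dn: cn=defaultPolicy,ou=policies,dc=example,dc=com
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 15
"""
ENTRY_LDIF = """dn: uid=ppolicytest,ou=people,dc=example,dc=com
pwdFailureTime: 20070806070800.000001Z
pwdFailureTime: 20070806070805.000001Z
pwdFailureTime: 20070806070810.000001Z
pwdAccountLockedTime: 20070806070810Z
"""

def parse_ldif(text):
    """Minimal single-entry LDIF parser: attribute name -> list of values."""
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def gentime(value):
    """Parse LDAP GeneralizedTime; ppolicy writes pwdFailureTime with microseconds."""
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def same_dn(a, b):
    """Case- and whitespace-insensitive DN comparison (enough for simple DNs)."""
    return [p.strip().lower() for p in a.split(",")] == [p.strip().lower() for p in b.split(",")]

def failures_counted(policy, entry, now):
    """Failed binds still counted toward pwdMaxFailure at `now`;
    pwdFailureCountInterval 0 (the default) means they never expire."""
    interval = int(policy.get("pwdFailureCountInterval", ["0"])[0])
    times = [gentime(t) for t in entry.get("pwdFailureTime", [])]
    return sum(1 for t in times if not interval or now - t < timedelta(seconds=interval))

def is_locked(policy, entry, now):
    """True if slapo-ppolicy would refuse a bind for this entry at `now`."""
    if policy.get("pwdLockout", ["FALSE"])[0] != "TRUE":
        return False
    locked = entry.get("pwdAccountLockedTime")
    if not locked:
        return False
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    # pwdLockoutDuration 0 means the lock stays until an administrator clears it
    return duration == 0 or now < gentime(locked[0]) + timedelta(seconds=duration)
```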
libcrypto.a : bad value(while doing make step in openldap)
by sridhar varadarajan
Hi friends,
While installing openldap in Red Hat Linux, I am
getting this error in the make step. Can anyone help me with this issue?
/usr/bin/ld: /usr/local/ssl/lib/libssl.a(s3_pkt.o): relocation
R_X86_64_32 against `a local symbol' can not be used when making a
shared object; recompile with -fPIC
/usr/local/ssl/lib/libssl.a: could not read symbols: Bad value
I have configured openssl like this
* ./config -fPIC
* make depend
* make install
* make test
thanks in advance.
with cheers,
sri.
shell backend and threads
by manu@netbsd.org
Hello
The man page says the shell backend should not be used with slapd built with
thread support. What is the problem? Is it just that the backend
developer must face horrible race issues, or is there something that
will cause slapd to go wrong?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
Replication using syncrepl
by CyberGod
I am trying to establish replication between two ldap servers.
Here's part of slapd.conf file for the subscriber:
syncrepl rid=123
provider=ldap://ldap.mydomain.com
type=refreshOnly
interval=00:00:01:00
searchbase="dc=mydomainr,dc=com"
schemachecking=off
updatedn="cn=Manager,dc=mydomain,dc=com"
bindmethod=simple
binddn="cn=Manager,dc=mydomain,dc=com"
credentials=secret
This is the stanza in slapd.conf for the provider:
sessionlog 123 4555
Ldap version on both is 2.3.37 and everything else works fine
(centralized login, automount etc.)
When I look at the log file for the provider it seems like the
subscriber is making queries but no updates are made to the slave.
Here's part of the log:
=> bdb_presence_candidates (objectClass)
<= bdb_filter_candidates: id=-1 first=1 last=20
<= bdb_list_candidates: id=-1 first=1 last=20
<= bdb_filter_candidates: id=-1 first=1 last=20
bdb_search_candidates: id=-1 first=1 last=20
=> test_filter
PRESENT
=> access_allowed: search access to "dc=mydomain,dc=com" "objectClass"
requested
<= root access granted
<= test_filter 6
=> send_search_entry: conn 34 dn="dc=mydomain,dc=com"
=> access_allowed: read access to "dc=mydomain,dc=com" "entry" requested
<= root access granted
=> access_allowed: read access to "dc=mydomain,dc=com" "objectClass"
requested
<= root access granted
=> access_allowed: read access to "dc=mydomain,dc=com" "o" requested
<= root access granted
=> access_allowed: read access to "dc=mydomain,dc=com" "dc" requested
<= root access granted
=> access_allowed: read access to "dc=mydomain,dc=com"
"structuralObjectClass" requested
<= root access granted
=> access_allowed: read access to "dc=mydomain,dc=com" "entryCSN" requested
<= root access granted
...
Any advice on what I am missing will be greatly appreciated. I am sure I
am missing something important here. Is there something else I need to
add to the provider's config?
Regards.
configure fails on libtool problem v2.3.32
by Kent Nasveschuk
Trying to compile version 2.3.32
RedHat 5
Heimdal 1.0
I've already compiled this without module support and I have a working
Kerberos/LDAP directory.
I want module support so I can use the smbk5pwd overlay.
Compile options:
export CPPFLAGS="-I/usr/share/libtool/libltdl";./configure
--prefix=/opt/openldap --enable-local --with-cyrus-sasl --with-tls
--enable-crypt --enable-spasswd --enable-lmpasswd --enable-cleartext
--enable-syncprov --disable-ipv6 --enable-lastmod --enable-unique
--enable-syslog --enable-rlookups --enable-ppolicy --enable-debug
--enable-hdb --enable-dynamic --enable-modules
Results:
checking for afopen in -ls... no
checking ltdl.h usability... yes
checking ltdl.h presence... yes
checking for ltdl.h... yes
checking for lt_dlinit in -lltdl... no
configure: error: could not locate libtool -lltdl
Any suggestion on how to get around this?
Kent N.
alock package is unstable
by Arunachalam Parthasarathy
Hello all,
My slapd server machine got restarted when adding entries.
When I start the machine again, it says: alock package is unstable
bi_db_open failed
Please tell me what the problem is. Expecting your replies. Thanks a lot in
advance.
Regards,
Arunachalam.
Syncrepl with back-sql provider
by Pavel Zakouril
Hello all,
I would like to replicate the content of one OpenLDAP server running over
the sql backend to another one running over bdb (provider
version 2.3.37, consumer 2.3.34). I set up the
syncprov overlay on the sql-based provider and the syncrepl directive on the
bdb consumer, but replication does not work. On the provider I can see
in the log file:
Aug 2 14:27:47 ducklet slapd[27789]: Entry dc=mff,dc=cuni,dc=cz CSN
20070802122747Z#000000#00#000000 greater than snapshot
20070802122642Z#000000#00#000000
for all entries which should be replicated. When I start the consumer with
the -c switch, e.g.:
slapd -d 16389 -h "ldap:/// ldaps:///" -c
'rid=1,csn=20070731102106Z#000000#00#000000'
I get a little bit different message:
Aug 2 13:53:56 ducklet slapd[26562]: Entry dc=mff,dc=cuni,dc=cz CSN
20070731102106Z#000000#00#000000 matches ctx
20070731102106Z#000000#00#000000
but replication does not work either.
When I try to use a similarly configured provider with the bdb backend,
replication works as expected.
Is there anybody who can help?
Best regards,
Pavel Zakouril
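As an added example (not part of the post or of OpenLDAP), here is a parser for the 2.3-style CSN seen in the log lines above, together with a model of the provider-side check that produces the "greater than snapshot" and "matches ctx" messages. The decision logic is an assumption of this example, reconstructed from how slapo-syncprov of that era behaves: in both cases the provider decides not to send the entry, which fits the observation that nothing reaches the consumer; the snapshot and cookie values in the tests are the ones quoted above.

```python
import re

# CSN layout used by OpenLDAP 2.3 syncrepl (the values in the log lines above):
#   <GeneralizedTime>#<counter>#<serverID>#<modcount>, every field fixed width.
CSN_RE = re.compile(r"^(\d{14}Z)#([0-9a-fA-F]{6})#([0-9a-fA-F]{2})#([0-9a-fA-F]{6})$")

def parse_csn(csn):
    """Split a CSN into (timestamp, counter, sid, modcount); ValueError if malformed."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("not a 2.3-style CSN: %r" % csn)
    ts, counter, sid, mod = m.groups()
    return ts, int(counter, 16), int(sid, 16), int(mod, 16)

def compare_csn(a, b):
    """-1, 0 or 1 as CSN a is older than, equal to, or newer than CSN b.
    Because every field is fixed width this matches plain string ordering."""
    pa, pb = parse_csn(a), parse_csn(b)
    return (pa > pb) - (pa < pb)

def provider_verdict(entry_csn, snapshot_csn, cookie_csn=None):
    """Model (an assumption of this example) of the provider-side check that
    prints the two messages quoted above. The provider skips an entry whose CSN
    is newer than the contextCSN snapshot taken when the search started, and
    skips an entry whose CSN equals the CSN in the consumer's cookie; in both
    cases nothing reaches the consumer."""
    if compare_csn(entry_csn, snapshot_csn) > 0:
        return False, "greater than snapshot"
    if cookie_csn is not None and compare_csn(entry_csn, cookie_csn) == 0:
        return False, "matches ctx"
    return True, "sent"
```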
trigger external program on some change
by Emmanuel Dreyfus
Hello
I need to trigger execution of an external shell script when some
particular change occurs in the tree. Is there a simple way of doing that?
Of course, an overlay could do that. I saw no available overlay that
would have this capacity out of the box. The only way I see is building
a new overlay just for that, or using something such as slapo-auditlog
and feeding it to an external filter (through a pipe?). I wonder if there is a
simpler mechanism available.
--
Emmanuel Dreyfus
manu(a)netbsd.org
OpenLDAP 2.4 (alpha) - multi-master-replication (docs)
by Stefan Jurisch
Hello,
Just a few hours ago I wrote an email to Quanah, who gave me the advice to contact the developers' mailing list, so I did, but there the moderator told me to redirect my question to this software mailing list instead... now I do so, and I really hope to be in the correct list now. :-)
I just would like to ask one little question:
Is there already any documentation on the multi-master-replication
feature, which is planned for the upcoming openldap-release 2.4?
At work I have to implement a special LDAP solution which should provide
this feature because our customer has multiple locations, of which the 3 big
ones should have their own master directory server.
Even the German Linux Magazine published an article this month in which the
author also writes about these new features in the new 2.4 release.
I compiled the OpenLDAP source just last Sunday, but I did not find any
documentation on activating and using multi-master replication.
Perhaps you can help me, please?
Looking forward to an answer I thank you in advance.
Cordially yours
Stefan "FastEddy" Jurisch
Siegnetz.IT GmbH, Germany