Thanks for the quick response! I'm using 2.3.27 because it was The Stable Release when I started this. I'll move to the latest stable release after I get ppolicy figured out.
I want dynamic modules, so I changed my enable-ppolicy to be "mod" --
env LIBS="-L/usr/bin" \
./configure \
    --prefix=/usr/local \
    --libdir=/usr/local/lib \
    --sbindir=/usr/sbin \
    --libexecdir=/usr/sbin \
    --sysconfdir=/etc \
    --localstatedir=/var/lib/ldap \
    --enable-modules=yes \
    --enable-ppolicy=mod && make depend && make
The make/install process displayed:
make[3]: Entering directory `/usr/local/src/openldap-2.3.27/servers/slapd/overlays'
../../../build/shtool install -c -m 755 .libs/ppolicy-2.3.so.0.2.15 /usr/sbin/openldap/ppolicy-2.3.so.0.2.15
(cd /usr/sbin/openldap && { ln -s -f ppolicy-2.3.so.0.2.15 ppolicy-2.3.so.0 || { rm -f ppolicy-2.3.so.0 && ln -s ppolicy-2.3.so.0.2.15 ppolicy-2.3.so.0; }; })
(cd /usr/sbin/openldap && { ln -s -f ppolicy-2.3.so.0.2.15 ppolicy.so || { rm -f ppolicy.so && ln -s ppolicy-2.3.so.0.2.15 ppolicy.so; }; })
../../../build/shtool install -c -m 755 .libs/ppolicy.lai /usr/sbin/openldap/ppolicy.la
PATH="$PATH:/sbin" ldconfig -n /usr/sbin/openldap
That looked like what I need. In /usr/sbin/openldap I now find:
lrwxrwxrwx 1 root root    21 Jan 22 14:51 ppolicy-2.3.so.0 -> ppolicy-2.3.so.0.2.15
-rwxr-xr-x 1 root root 85722 Jan 22 14:51 ppolicy-2.3.so.0.2.15
-rwxr-xr-x 1 root root   836 Jan 22 14:51 ppolicy.la
lrwxrwxrwx 1 root root    21 Jan 22 14:51 ppolicy.so -> ppolicy-2.3.so.0.2.15
In slapd.conf I set the module path:
modulepath /usr/sbin/openldap
moduleload ppolicy.la
<snip>
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,c=us"
ppolicy_hash_cleartext
ppolicy_use_lockout
Still I get:
[root openldap-2.3.27]# /etc/init.d/ldap start
Checking configuration files for : WARNING: No dynamic config support for overlay ppolicy.
config file testing succeeded
Starting slapd: FAILED
[root openldap-2.3.27]#
Shouldn't this work now?
I attach my slapd.conf, mostly vanilla in this version, and I've removed commented lines for your convenience. How's it look?
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/acs.schema
include /etc/openldap/schema/ppolicy.schema

pidfile /var/lib/ldap/run/slapd.pid
argsfile /var/lib/ldap/run/slapd.args

modulepath /usr/sbin/openldap
moduleload ppolicy.la

database bdb
suffix "c=US"
rootdn "cn=Manager, c=US"
rootpw secret

directory /var/lib/ldap/openldap-data

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 256

overlay ppolicy

ppolicy_default "cn=Standard Policy,ou=Policies,c=us"
ppolicy_hash_cleartext
ppolicy_use_lockout
Thanks, Roger
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Monday, January 22, 2007 1:36 PM
To: Metcalf, Roger; openldap-software@openldap.org
Subject: Re: pesky ppolicy problems
--On Monday, January 22, 2007 1:08 PM -0500 "Metcalf, Roger" roger.metcalf@acs-inc.com wrote:
I am trying to use the ppolicy overlay. I've searched, read and experimented and can't get it to work. I've read other similar postings with similar problems but haven't found the one with the answer.
My OpenLDAP knowledge is intermediate.
I download 2.3.27, then build it:
Why 2.3.27? 2.3.32 is the current stable release.
Plus there have been fixes since 2.3.27:
OpenLDAP 2.3.30 Release (2006/11/14) Fixed slapo-ppolicy external quality check (ITS#4741)
OpenLDAP 2.3.29 Release (2006/11/10) Fixed slapo-ppolicy leaks (ITS#4665)
OpenLDAP 2.3.28 Release (2006/10/21) Fixed slapo-ppolicy pwdChangedTime behavior (ITS#4692)
As for your questions:
Questions:
- Where is ppolicy.la located?
Well, if it's a dynamic module, then in $lib/openldap:
ldap00:/usr/local/lib/openldap> ls -l ppol*
lrwxrwxrwx 1 root root     21 Nov 13 22:38 ppolicy-2.3.so.0 -> ppolicy-2.3.so.0.2.16*
-rwxr-xr-x 1 root root 102169 Nov 8 21:49 ppolicy-2.3.so.0.2.16*
-rwxr-xr-x 1 root root    909 Nov 8 21:49 ppolicy.la*
lrwxrwxrwx 1 root root     21 Nov 13 22:38 ppolicy.so -> ppolicy-2.3.so.0.2.16*
- Does it need to be loaded?
Yes, if it is a dynamic module.
- Where is the path to it specified?
Via the "modulepath" directive in slapd.conf:
# Load dynamic backend modules:
modulepath /usr/local/lib/openldap
moduleload back_hdb.la
moduleload back_monitor.la
- When are moduleload specs needed?
Not sure what you mean here.
- Are env variables needed to find ppolicy.la?
No.
- What's the secret?
Reading the man pages and other documentation.
- When will the book be published?
Howard is currently working on writing it.
--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
On Mon, Jan 22, 2007 at 04:27:19PM -0500, Metcalf, Roger wrote:
Thanks for the quick response! I'm using 2.3.27 because it was The Stable Release when I started this. I'll move to the latest stable release after I get ppolicy figured out.
I want dynamic modules, so I changed my enable-ppolicy to be "mod" --
<snip>
In slapd.conf I set the module path:
modulepath /usr/sbin/openldap
moduleload ppolicy.la
<snip>
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,c=us"
ppolicy_hash_cleartext
ppolicy_use_lockout
Still I get:
[root openldap-2.3.27]# /etc/init.d/ldap start
Checking configuration files for : WARNING: No dynamic config support for overlay ppolicy.
config file testing succeeded
Starting slapd: FAILED
[root openldap-2.3.27]#
I get this problem with 2.3.30 (debian) when I do the same thing for unique as well.
Seems like the only way to get slapd to start without coughing its guts up is
1 add the module load statement before the backend statement
2 use overlay in the database section
3 ignore the warning about dynamic configuration!
Plus I was having trouble inserting my default policy as well, until I matched it up with organizationalRole, seems like pwdPolicy did not like being with inetorgperson
--On Tuesday, January 23, 2007 9:06 AM +1100 Alex Samad alex@samad.com.au wrote:
I get this problem with 2.3.30 (debian) when I do the same thing for unique as well.
The only "problem" here is people not understanding what the warning messages mean.
--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
--On Monday, January 22, 2007 4:27 PM -0500 "Metcalf, Roger" roger.metcalf@acs-inc.com wrote:
Thanks for the quick response! I'm using 2.3.27 because it was The Stable Release when I started this. I'll move to the latest stable release after I get ppolicy figured out.
Starting slapd: FAILED
[root openldap-2.3.27]#
When slapd fails for me, I usually use -d -1 to see why. It generally will tell you right away.
--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
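
The placement rules discussed in this thread (moduleload before the database line, overlay inside the database section, ppolicy.schema included), checked mechanically over slapd.conf text. This is an added example, not code from any poster or from the OpenLDAP project; the function name, finding labels and BROKEN_CONF are constructed, and two checks go beyond the thread: ppolicy_* directives must follow the overlay line (per slapo-ppolicy(5)), and a cleartext rootpw such as the posted `rootpw secret` is flagged.

```python
# Added example: lint slapd.conf text for the ppolicy setup rules from this thread.
# BROKEN_CONF is a constructed sample, not anyone's real configuration.
BROKEN_CONF = """\
include /etc/openldap/schema/core.schema
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,c=us"
database bdb
suffix "c=US"
rootpw secret
ppolicy_use_lockout
modulepath /usr/sbin/openldap
moduleload ppolicy.la
"""

def lint_ppolicy(conf_text, dynamic=True):
    """Return [(line_no, finding)] for ppolicy-related slapd.conf mistakes.

    dynamic=True assumes ppolicy was built with --enable-ppolicy=mod, so a
    moduleload line is required. Continuation lines are not handled.
    """
    findings, in_db, overlay_on, loaded, schema = [], False, False, False, False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "include" and args and args[0].endswith("ppolicy.schema"):
            schema = True
        elif key == "database":
            in_db, overlay_on = True, False   # overlays are configured per database
        elif key == "moduleload" and args and args[0].startswith("ppolicy"):
            loaded = True
            if in_db:                         # thread advice: load before the backend
                findings.append((n, "moduleload-after-database"))
        elif key == "overlay" and args == ["ppolicy"]:
            overlay_on = True
            if not in_db:                     # thread advice: overlay in the database section
                findings.append((n, "overlay-outside-database"))
        elif key.startswith("ppolicy_") and not overlay_on:
            findings.append((n, "ppolicy-directive-without-overlay"))
        elif key == "rootpw" and args and not args[0].lstrip('"').startswith("{"):
            findings.append((n, "cleartext-rootpw"))  # store a slappasswd(8) hash instead
    if not schema:
        findings.append((0, "ppolicy-schema-not-included"))
    if dynamic and not loaded:
        findings.append((0, "ppolicy-module-not-loaded"))
    return findings

if __name__ == "__main__":
    for line_no, finding in lint_ppolicy(BROKEN_CONF):
        print(line_no, finding)
```

A clean result only means the directives are in a sane order; when slapd still refuses to start, the `-d -1` debug run mentioned above is what shows the actual reason.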