openldap-technical February 2014

openldap-technical@openldap.org

85 participants
90 discussions

Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
by Dan White 26 Feb '14

26 Feb '14

Forwarding to the list for posterity. On 02/25/14 15:22 -0700, Nels Lindquist wrote: >On 2/21/2014 1:45 PM, Dan White wrote: >> On 02/21/14 13:09 -0700, Nels Lindquist wrote: > ><snip> > >>> However, from what I can determine I'm not getting any realm component >>> in the searches coming through. The "default" realm configuration works >>> when I use a bare userid to authenticate, but when using a full e-mail >>> address, that comes through as >>> "uid=example(a)example.com,cn=[authmech],cn=auth". That said, I haven't >>> found a LogLevel which includes AuthzRegexp processing; I've tried >>> various settings, but the closest I've come is logging the resulting >>> bind requests (eg. BIND dn="uid=example,ou=people,dc=example,dc=com" >>> mech=DIGEST-MD5 sasl_ssf=128 ssf=128). >> >> I would not depend on realm being delivered in a consistent way from cyrus >> imapd/sasl. Different mechanisms will act in different ways. libsasl2 is >> responsible for providing the realm (or not). To maintain some consistency, >> create two sets of authz-regexp rules, such as: >> >> authz-regexp >> "uid=([^,]+),cn=([^,]+),cn=auth" >> "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))" >> >> authz-regexp >> "uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth" >> >> "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))" >> >> And you may need a third rule which matches cases where both a fully >> qualified username AND a realm are provided. > >To be more clear, in my LDAP none of the objects have uids incorporating >e-mail addresses, but that's how Cyrus IMAP allows for virtual domain >logins. > >My base dn is actually "o=top", and then I have the various domains laid >out like: > >dc=example,dc=com,o=top >dc=example2,dc=ca,o=top > >... so my plan was to use the virtual domain information to translate >into which subtree I need to search against. The "fallthrough" default >domain just searches the bare uid against a particular subtree. > >It seems to be working using this (we're using LDAPRouting with >Sendmail, so all mailboxes must have inetLocalMailRecipient attributes): > ># Match e-mail address; map to correct subtree > >authz-regexp > "uid=([^,]+)(a)([^,\.]+)\.([^,]+),cn=[^,]*,cn=auth" > "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))" > > ># Default domain > >authz-regexp > "uid=([^,]*),cn=[^,]*,cn=auth" > "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))" > >> ldapwhoami is highly recommend for testing this setup. Include all of -Y, >> -U, and -X. > >Thanks very much for putting me on the right track! -- Dan White

1 0

How to assign a password policy to a group of users, in one go
by Rodrigo Coutinho 25 Feb '14

25 Feb '14

Hi again, I've finally managed to setup the password policy, but only statically (ran configure again). Have defined two password policies, one for all (default) and another for a specific group of users. The question now is: Can I assign a password policy to a group of users (cn=some_group,ou=groups,dc=xxx,dc=local)in one go, or must I assign to each user individualy the pwdPolicySubentry? I have searched, and although slapo states that it can be done, no example is provided. Thank you in advance A transmiss�o de mensagens por e-mail n�o � absolutamente segura ou livre de erros. A mensagem pode ser intercetada, alterada, perdida, destru�da, chegar ao destinat�rio com atraso, ou mesmo com v�rus, n�o obstante o IFAP utilizar software anti-v�rus. Esta mensagem, incluindo eventuais ficheiros anexos, pode conter informa��o confidencial ou privilegiada e destina-se a uso exclusivo dos seus destinat�rios. Se n�o for o destinat�rio pretendido, informamos que a recebeu por engano, pelo que, qualquer utiliza��o, distribui��o, reencaminhamento ou outra forma de revela��o a terceiros, impress�o ou c�pia s�o expressamente proibidos. Se recebeu esta mensagem por engano, por favor contacte imediatamente o remetente por e-mail, e apague de imediato a mensagem do seu sistema inform�tico. O IFAP declina qualquer responsabilidade por erros ou omiss�es na presente mensagem e eventuais consequ�ncias, que resultem das situa��es referidas.

3 3

libldap "Happy Eyeballs" support (aka Fast Fallback or ipv4/ipv6 dual-stack)
by Žarko Milenković 25 Feb '14

25 Feb '14

Hi all, I would like to have Happy Eyeballs<http://en.wikipedia.org/wiki/Happy_eyeballs> algorithm (more details here<http://tools.ietf.org/html/rfc6555>) implemented for all network communication in my application. Because I'm using libldap for searching openldap server I'm not quite sure does library already support this or would I need to implement it myself? To further clarify, I have following scenario: ldap server on myoldap.organization.org that listens for both ipv6 and ipv4 connections. Clients connect to it using libldap. Does libldap have support to automatically choose ipv6 over ipv4 or vice versa? If yes, how is choice made? Is ipv6 always preferred if available or does better connection win? If no, then I know the way I need to go. The only thing to add there is that I would be willing to add this support to libldap. Thanks, Žarko

2 1

dynlist groups not usable in ACLs?
by DRVTiny 25 Feb '14

25 Feb '14

OpenLDAP 2.4.39, amd64, debian 7 When i use the group with only static members in "by group/groupOfNames/member" clause - all works perfectly But when i'm trying to use in ACL definition dynamic members in 1:1 identicaly group - it doesnt work at all and in slapd debug output i see: --- 530b1a22 dnMatch -40 "dc=ru" "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru" --- where "dc=ru" is one static member of this group (all others is dynamic members and it is not compared to "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru" at all). It is very strange behavior, because official documentation says that: --- Dynamic Groups are also supported in Access Control. Please see slapo-dynlist(5) and the Dynamic Lists overlay section. --- Any comments? Can i use dynlist'ed groups in OpenLDAP ACL?

3 2

strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
by Jefferson Davis 24 Feb '14

24 Feb '14

This has been beating me like a red-headed stepchild... In the AD world, groupOfNames is expected (in combination with the member attribute, provides for reverse group resolution, ie users by group membership AND groups by member inclusion). On the unix side of the fence, groups REQUIRE a gidNumber in order to resolve group membership, using posixGroup structural OC in conjunction with memberUID. In attempting to future-proof our ldap services, and to accommodate the AD-Focused nature of commercial products, I'm attempting to get this to all work automatically, ie use the same group setup for both (probably naive and ill-advised?). But you CANNOT have multiple structural objectclasses in a single entry. So these requirements put group structures in direct opposition of one another. Has anyone resolved this successfully, and if so, how? Overlays (which ones, examples)? Schema mods (examples?) Splitting groups off as unix groups vs windows groups (sync could get ugly) and could run into other issues with respect to file and dir permissions. I also need to avoid breaking smbldap-tools, which at the moment appears NOT to support the groupofnames model. Building this on CentOS 6, OpenLDAP 2.4.23-34, and migrating from older OpenLDAP version. I'm somewhat open to considering a different LDAP service (389/Apache/OpenDJ) though I've found java to be a resource pig in the extreme, and would prefer to avoid if possible. If you have this working I would love to see the relevant configuration files. -- Jefferson K Davis Technology and Information Systems Manager Standard School District 1200 North Chester Ave Bakersfield, CA 93308 661.392.2110 ext 120 (office) http://district.standard.k12.ca.us District Users: Click here to report technology issues

7 9

Relay recipient postfix via ldap exception email address
by Rony 23 Feb '14

23 Feb '14

I make postfix relay recipient via ldap and I want an exception email addresses can not look up but have not been successful, my configuration server_host = 1.1.1.1.1 ldap_search_base = o = example, c = com bind = no query_filter = (| (mail =% s) (mailAlternateAddress =% s)) (! (mail = group(a)example.com))) result_attribute = mail I want group(a)example.com can not look up, but have not been successful, how correct configuration?

2 1

Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
by Nels Lindquist 22 Feb '14

22 Feb '14

I'm attempting to configure Cyrus IMAPD with ldapdb for SASL authentication. As I'm using virtual domains, I need users to be able to authenticate using their e-mail addresses, or just a bare userid for the default domain. I'm having some trouble getting everything working[1]. Based on this documentation extract from Cyrus SASL, I've been primarily focussing on the OpenLDAP configuration: "Unlike other LDAP-enabled plugins for other services that are common on the web, this plugin does not require you to configure DN search patterns to map usernames to LDAP DNs. This plugin requires SASL name mapping to be configured on the target slapd. This approach keeps the LDAP-specific configuration details in one place, the slapd.conf, and makes the configuration of remote services much simpler." I've set up a number of olcAuthzRegexp entries similar to (from the OpenLDAP 2.4 admin guide): "A more complex site might have several realms in use, each mapping to a different subtree in the directory. These can be handled with statements of the form: # Match Engineering realm authz-regexp uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person)) # Match Accounting realm authz-regexp uid=([^,].*),cn=accounting.example.com,cn=digest-md5,cn=auth ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person)) # Default realm is customers.example.com authz-regexp uid=([^,]*),cn=digest-md5,cn=auth ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))" However, from what I can determine I'm not getting any realm component in the searches coming through. The "default" realm configuration works when I use a bare userid to authenticate, but when using a full e-mail address, that comes through as "uid=example(a)example.com,cn=[authmech],cn=auth". That said, I haven't found a LogLevel which includes AuthzRegexp processing; I've tried various settings, but the closest I've come is logging the resulting bind requests (eg. BIND dn="uid=example,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128). So my question is, how is the realm determined in such a scenario? Do I need to design olcAuththzRegexp entries to determine the realm based on the e-mail address supplied? If so, how does that information get passed back to Cyrus IMAPD so that the correct virtual domain is selected? Is there an appropriate olcLogLevel to see detailed olcAuthzRegexp processing? I'd be grateful for any suggestions or references to documentation, etc. I've done some searching of the mailing list archives to little avail. In case it matters, this is on CentOS 6.5 (x86_64) with stock OpenLDAP 2.4.23 and Cyrus SASL 2.1.23 packages, plus Cyrus IMAPD 2.4.17 built from Simon Matter's SRPM. [1] I *am* able to get authentication + virtual domains working with saslauthd, but I'd like to be able to support non-plaintext auth mechanisms. ---- Nels Lindquist

3 2

RE: Syncrepl and mmr
by Quanah Gibson-Mount 21 Feb '14

21 Feb '14

Hi John, SIDs (server IDs) must be unique across servers. RIDs (replication IDs) must be unique inside a single server. So the answer to your question is essentially "no". If you email me your full cn=config db bits from both servers (minus passwords), there's some cleanup on them I can send back. The serverID: 1 <URI> bit is only necessary if you are doing cn=config replication, which you are not doing. If you are going to use the <#> <URI> form, then the <URI> must EXACTLY MATCH the arguments slapd is being started with. Personally, since I do not do cn=config replication, and the URIs are customizable by customers, I go with the much simpler: olcServerID: <#> form. Then each server only has a single value for olcServerID, which is its specific serverID. This way I never have to worry that MMR replication is going to get mesed up because of URI changes. --Quanah --On Tuesday, February 18, 2014 10:09 AM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > All, > > The long weekend didn't help...still at a loss. Question... > > If the olcServerIDs look like, on all three servers: > > olcServerID: 1 ldap://mm-server1.example.ldap > olcServerID: 2 ldap://mm-server2.example.ldap > olcServerID: 3 ldap://mm-server3.example.ldap > > Should the Replica IDs (rid) in the olcSycnrepl directive be: > > olcSyncrepl: {0} rid=001 provider=mm-server1.example.ldap > bindmethod=simple binddn="cn=ldapadmin,dc=group42,dc=ldap" > credentials=<password> interval=01:00:00:00 > searchbase="dc=example,dc=ldap" logbase="cn=accesslog" schemachecking=on > type=refreshAndPersist retry="60 +" filter="(objectClass=*)" attrs=*,+" > syncdata=accesslog starttls=no olcSyncrepl: {1} rid=002 > provider=mm-server2.example.ldap bindmethod=simple > binddn="cn=ldapadmin,dc=group42,dc=ldap" credentials=<password> > interval=01:00:00:00 searchbase="dc=example,dc=ldap" > logbase="cn=accesslog" schemachecking=on type=refreshAndPersist retry="60 > +" filter="(objectClass=*)" attrs=*,+" syncdata=accesslog starttls=no > olcSyncrepl: {0} rid=003 provider=mm-server3.example.ldap > bindmethod=simple binddn="cn=ldapadmin,dc=group42,dc=ldap" > credentials=<password> interval=01:00:00:00 > searchbase="dc=example,dc=ldap" logbase="cn=accesslog" schemachecking=on > type=refreshAndPersist retry="60 +" filter="(objectClass=*)" attrs=*,+" > syncdata=accesslog starttls=no > > OR > > olcSyncrepl: {0} rid=1 provider=mm-server1.example.ldap bindmethod=simple > binddn="cn=ldapadmin,dc=group42,dc=ldap" credentials=<password> > interval=01:00:00:00 searchbase="dc=example,dc=ldap" > logbase="cn=accesslog" schemachecking=on type=refreshAndPersist retry="60 > +" filter="(objectClass=*)" attrs=*,+" syncdata=accesslog starttls=no > olcSyncrepl: {1} rid=2 provider=mm-server2.example.ldap bindmethod=simple > binddn="cn=ldapadmin,dc=group42,dc=ldap" credentials=<password> > interval=01:00:00:00 searchbase="dc=example,dc=ldap" > logbase="cn=accesslog" schemachecking=on type=refreshAndPersist retry="60 > +" filter="(objectClass=*)" attrs=*,+" syncdata=accesslog starttls=no > olcSyncrepl: {0} rid=3 provider=mm-server3.example.ldap bindmethod=simple > binddn="cn=ldapadmin,dc=group42,dc=ldap" credentials=<password> > interval=01:00:00:00 searchbase="dc=example,dc=ldap" > logbase="cn=accesslog" schemachecking=on type=refreshAndPersist retry="60 > +" filter="(objectClass=*)" attrs=*,+" syncdata=accesslog starttls=no > > OR > > Does it matter? > > Also, should the all three olcSycrepl directives be loaded on all three > servers so they look identical. What I mean by that is should each > Server "replicate" to itself? There is confusion on this matter. I > asked Quanah that back in late January, and he stated that the system > knows about itself so it knows what to ignore. Then last week, he asked > why I had the master replicating to itself. > > Also, since I have refreshAndPersist configured do I need an interval as > well? > > Thanks in advance, > > John > > -----Original Message----- > From: openldap-technical-bounces(a)OpenLDAP.org > [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen, > John - 0442 - MITLL Sent: Friday, February 14, 2014 4:28 PM > To: Quanah Gibson-Mount; openldap-technical(a)openldap.org > Subject: RE: Syncrepl and mmr > > All, > > I just created an mm-server3, using the config_dbase and main_dbase from > mm-server2 -- copied the ldif's I created from mm-server2 then ran > slapadd. > > On mm-server3: > olcServerID: 1 ldap://mm-server1.example.ldap > olcServerID: 2 ldap://mm-server2.example.ldap > olcServerID: 3 ldap://mm-server3.example.ldap > > olcSyncrepl: {0} rid=001 provider=mm-server1.example.ldap > bindmethod=simple binddn="cn=ldapadmin,dc=group42,dc=ldap" > credentials=<password> interval=01:00:00:00 > searchbase="dc=example,dc=ldap" logbase="cn=accesslog" schemachecking=on > type=refreshAndPersist retry="60 +" filter="(objectClass=*)" attrs=*,+" > syncdata=accesslog starttls=no olcSyncrepl: {1} rid=002 > provider=mm-server2.example.ldap bindmethod=simple > binddn="cn=ldapadmin,dc=group42,dc=ldap" credentials=<password> > interval=01:00:00:00 searchbase="dc=example,dc=ldap" > logbase="cn=accesslog" schemachecking=on type=refreshAndPersist retry="60 > +" filter="(objectClass=*)" attrs=*,+" syncdata=accesslog starttls=no > olcSyncrepl: {0} rid=003 provider=mm-server3.example.ldap > bindmethod=simple binddn="cn=ldapadmin,dc=group42,dc=ldap" > credentials=<password> interval=01:00:00:00 > searchbase="dc=example,dc=ldap" logbase="cn=accesslog" schemachecking=on > type=refreshAndPersist retry="60 +" filter="(objectClass=*)" attrs=*,+" > syncdata=accesslog starttls=no > > Started slapd, no errors. It immediately sync'd up with mm-server1! > Changes that I made on mm-server1 days ago which have never replicated > over to mm-server2...replicated to mm-server3 immediately on startup. > > I had not even got around to adding mm-server3 to mm-server1 (or > mm-server2) yet. > > The olcServerIDs and olcSyncrepl on both mm-server1 and 2 show: > olcServerID: 1 ldap://mm-server1.example.ldap > olcServerID: 2 ldap://mm-server2.example.ldap > > olcSyncrepl: {0} rid=001 provider=mm-server1.example.ldap > bindmethod=simple binddn="cn=ldapadmin,dc=group42,dc=ldap" > credentials=<password> interval=01:00:00:00 > searchbase="dc=example,dc=ldap" logbase="cn=accesslog" schemachecking=on > type=refreshAndPersist retry="60 +" filter="(objectClass=*)" attrs=*,+" > syncdata=accesslog starttls=no olcSyncrepl: {1} rid=002 > provider=mm-server2.example.ldap bindmethod=simple > binddn="cn=ldapadmin,dc=group42,dc=ldap" credentials=<password> > interval=01:00:00:00 searchbase="dc=example,dc=ldap" > logbase="cn=accesslog" schemachecking=on type=refreshAndPersist retry="60 > +" filter="(objectClass=*)" attrs=*,+" syncdata=accesslog starttls=no > > So...now, I am at even more of a loss. Why would mm-server1 be > replicating to mm-server3 and not 2? When the configs are the same > between mm-server2 and 3??? > > > > Thanks in advance... > John > > > -----Original Message----- > From: openldap-technical-bounces(a)OpenLDAP.org > [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen, > John - 0442 - MITLL Sent: Friday, February 14, 2014 1:34 PM > To: Quanah Gibson-Mount; openldap-technical(a)openldap.org > Subject: RE: Syncrepl and mmr > > All, > > If I went off the beaten' path...where did I go wrong? (my config and > error messages are in a previous posting) > > Thanks in advance, > John > > -----Original Message----- > From: openldap-technical-bounces(a)OpenLDAP.org > [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen, > John - 0442 - MITLL Sent: Friday, February 14, 2014 8:40 AM > To: Quanah Gibson-Mount; openldap-technical(a)openldap.org > Subject: RE: Syncrepl and mmr > > Thanks Quanah, > > A few weeks back I asked that question (on 1/30): >> All Masters in the chain have the olcServerID's and olcSynRepl for >> itself and its partner? I can understand having each knowing about >> the others but why itself? It's replicating to itself? > -You replied > -It knows about itself so it knows what to ignore. > > Even in the Admin Guide is specifies setting it up that way...each server > has all the others and itself listed. I was following the procedures > delineated in the Admin Guide and in the man-pages (including how I > understood what was put out on the board): From the Admin Guide: > 8.3.3. N-Way Multi-Master > > For the following example we will be using 3 Master nodes. Keeping in > line with test050-syncrepl-multimaster of the OpenLDAP test suite, we > will be configuring slapd(8) via cn=config > > This sets up the config database: > > dn: cn=config > objectClass: olcGlobal > cn: config > olcServerID: 1 > > dn: olcDatabase={0}config,cn=config > objectClass: olcDatabaseConfig > olcDatabase: {0}config > olcRootPW: secret > > second and third servers will have a different olcServerID obviously: > > dn: cn=config > objectClass: olcGlobal > cn: config > olcServerID: 2 > > dn: olcDatabase={0}config,cn=config > objectClass: olcDatabaseConfig > olcDatabase: {0}config > olcRootPW: secret > > This sets up syncrepl as a provider (since these are all masters): > > dn: cn=module,cn=config > objectClass: olcModuleList > cn: module > olcModulePath: /usr/local/libexec/openldap > olcModuleLoad: syncprov.la > > Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. > with your actual ldap urls): > > dn: cn=config > changetype: modify > replace: olcServerID > olcServerID: 1 $URI1 > olcServerID: 2 $URI2 > olcServerID: 3 $URI3 > > dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config > changetype: add > objectClass: olcOverlayConfig > objectClass: olcSyncProvConfig > olcOverlay: syncprov > > dn: olcDatabase={0}config,cn=config > changetype: modify > add: olcSyncRepl > olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" > bindmethod=simple credentials=secret searchbase="cn=config" > type=refreshAndPersist retry="5 5 300 5" timeout=1 > olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" > bindmethod=simple credentials=secret searchbase="cn=config" > type=refreshAndPersist retry="5 5 300 5" timeout=1 > olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" > bindmethod=simple credentials=secret searchbase="cn=config" > type=refreshAndPersist retry="5 5 300 5" timeout=1 > - > add: olcMirrorMode > olcMirrorMode: TRUE > > I followed what is put in the Admin Guide, etc... > > Thanks > > -----Original Message----- > From: openldap-technical-bounces(a)OpenLDAP.org > [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Quanah > Gibson-Mount Sent: Thursday, February 13, 2014 1:57 PM > To: Borresen, John - 0442 - MITLL; openldap-technical(a)openldap.org > Subject: Re: Syncrepl and mmr > > --On Thursday, February 13, 2014 10:54 AM -0500 "Borresen, John - 0442 - > MITLL" <John.Borresen(a)ll.mit.edu> wrote: > >> All, > > Your configuration is very confused. Why do you have the master > replicate to itself, for example? > > --Quanah > > > -- > > Quanah Gibson-Mount > Architect - Server > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > > > > -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

3 5

AttributeDescription contains inappropriate characters
by Kamran Khan 21 Feb '14

21 Feb '14

Hi All, I'm a bit new to OpenLDAP, and I'm not quite sure what went wrong. I installed OpenLDAP because it was a prerequisite of Moab. After installing OpenLDAP and Moab yesterday, I had everything working just fine. I rebooted the cluster, and now OpenLDAP is not happy. ============================================================ [root@USDTWCLUS01 ~]# service slapd start Checking configuration files for slapd: [FAILED] <= str2entry: str2ad(o): AttributeDescription contains inappropriate characters slaptest: bad configuration file! ============================================================ I understand that something in my configuration must be messed up, but I am really unsure where there error is occuring. I'm unsure where my 'str2entry's are. Any help is greatly appreciated. Like I said, I had it working just fine yesterday, and after a reboot it didn't like something. Thanks. -- Kamran Khan PSSC Labs HPC Software Technical Engineer

3 4

openldap 2.4.33 configure problem - could not locate TLS/ssl package.
by xiaoming zhao 20 Feb '14

20 Feb '14

All, can someone help me out? When building openldap 2.4.33, I got the following error "Could not locate TLS/SSL package". did I missed something in openssl? how to fix it? Thanks in advance for your support! checking openssl/ssl.h usability... yes checking openssl/ssl.h presence... yes checking for openssl/ssl.h... yes checking for SSL_library_init in -lssl... no checking for ssl3_accept in -lssl... no checking gnutls/gnutls.h usability... no checking gnutls/gnutls.h presence... no checking for gnutls/gnutls.h... no checking nssutil.h usability... no checking nssutil.h presence... no checking for nssutil.h... no configure: WARNING: Could not locate TLS/SSL package configure: WARNING: TLS data protection not supported Thanks, Eric.

3 2

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2014