slapd doesn't start with openldap-2.4.39 and cyrus-sasl-2.1.26
by Jeganathan S
Hi All,
I am trying to build openldap 2.4.39 with the following dependencies in RHEL 5.5:
BerkeleyDB-5.1.29, cyrus-sasl-2.1.26 and openssl-1.0.1i. "make test" is failing due to a failure in starting the ldap server. The content of the log file is given below.
When I disable cyrus-sasl while building openssl, I don't get the issue.
Is there any known issue with this combination?
The configuration options are:
export CPPFLAGS="-I/opt/cars-openldap-building/build_outputs/openldap_binaries/berkeleydb/include -I/opt/cars-openldap-building/build_outputs/openldap_binaries/openssl/include/openssl -I/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/include/sasl"
export LDFLAGS="-L/opt/cars-openldap-building/build_outputs/openldap_binaries/berkeleydb/lib -L/opt/cars-openldap-building/build_outputs/openldap_binaries/openssl/lib -L/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/lib -L/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/lib/sasl2"
export LD_LIBRARY_PATH=/opt/cars-openldap-building/build_outputs/openldap_binaries/berkeleydb/lib:/opt/cars-openldap-building/build_outputs/openldap_binaries/openssl/lib:/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/lib:/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/lib/sasl2
./configure --prefix=/opt/cars-openldap-building/build_outputs/openldap_binaries/openldap --exec-prefix=/opt/cars-openldap-building/build_outputs/openldap_binaries/openldap --with-tls=openssl --enable-bdb=mod --enable-hdb=mod --enable-mdb=mod
Regards,
Jeganathan
***************start of log file *********************
ldap_url_parse_ext(ldap://lap_sasl_init: auxprop add plugin failedocalhost/)
5406f5e9 @(#) $OpenLDAP: slapd 2.4.39 (Sep 3 2014 16:35:00) $
root@srv-ind-mdm6l.vanenburg.com:/opt/cars-openldap-building/openldap-2.4.39/servers/slapd
ldap_pvt_gethostbyname_a: host=srv-ind-mdm6l.vanenburg.com, r=0
5406f5e9 daemon_init: ldap://localhost:9011/
5406f5e9 daemon_init: listen on ldap://localhost:9011/
5406f5e9 daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap://localhost:9011/)
5406f5e9 daemon: listener initialized ldap://localhost:9011/
5406f5e9 daemon_init: 1 listeners opened
ldap_create
5406f5e9 slapd init: initiated server.
5406f5e9 slap_sasl_init: auxprop add plugin failed
5406f5e9 slapd destroy: freeing system resources.
5406f5e9 slapd stopped.
5406f5e9 connections_destroy: nothing to destroy.
*********************end of logfile***************
9 years
ppolicy and repeated password
by Stefano Zanmarchi
Hi all,
we'd like to use the ppolicy overlay to implement password locking after a certain number of bind failures. Sadly ppolicy does not distinguish between failures with different passwords (probably a dictionary attack) and failures with the same password (a client using an old, expired, password). This would easily lead to locking out users shortly after password change.
I read that Zytrax has developed for Mozilla a modified version of ppolicy:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
which can distinguish between unique and repeated passwords.
The page states the modified mozilla-ppolicy is available for openldap
2.4.11 and 2.4.16.
Has anyone tried it with a newer version of openldap? Is it working?
Thank you in advance,
Stefano
9 years
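The distinction the post asks for (counting a repeated stale password once, while still counting distinct guesses) can be modelled outside slapd. The following is an added illustration, not the ppolicy overlay's code or anything from the thread: the three policy fields mirror ppolicy's `pwdMaxFailure`, `pwdFailureCountInterval` and `pwdLockoutDuration`, while `count_distinct_only` is a hypothetical switch that ppolicy does not have. The attempt streams at the bottom are constructed.

```python
"""Lockout counter that can tell repeated identical failures from distinct ones.

Added illustration for the thread above; it is not the ppolicy overlay's code.
The three policy fields mirror ppolicy's pwdMaxFailure, pwdFailureCountInterval
and pwdLockoutDuration; 'count_distinct_only' is a hypothetical switch that
ppolicy does not have, showing the behaviour the post asks for.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    pwd_max_failure: int = 5                  # failures before lockout
    pwd_failure_count_interval: float = 0.0   # seconds a failure counts; 0 = forever
    pwd_lockout_duration: float = 0.0         # seconds locked; 0 = until admin reset
    count_distinct_only: bool = False         # hypothetical: ignore repeated password


@dataclass
class AccountState:
    failures: List[Tuple[float, str]] = field(default_factory=list)  # (time, fingerprint)
    locked_at: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, key: Optional[bytes] = None) -> None:
        self.policy = policy
        # Keyed fingerprints: a dump of this state does not yield crackable hashes.
        self.key = key if key is not None else os.urandom(32)
        self.accounts: Dict[str, AccountState] = {}

    def _fingerprint(self, password: str) -> str:
        return hmac.new(self.key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def is_locked(self, uid: str, now: float) -> bool:
        st = self.accounts.get(uid)
        if st is None or st.locked_at is None:
            return False
        dur = self.policy.pwd_lockout_duration
        if dur and now - st.locked_at >= dur:
            st.locked_at = None          # lockout expired; start counting afresh
            st.failures.clear()
            return False
        return True

    def record_failure(self, uid: str, password: str, now: float) -> bool:
        """Register a failed bind; return True if the account is (now) locked."""
        if self.is_locked(uid, now):
            return True
        st = self.accounts.setdefault(uid, AccountState())
        interval = self.policy.pwd_failure_count_interval
        if interval:
            st.failures = [(t, f) for t, f in st.failures if now - t < interval]
        fp = self._fingerprint(password)
        if self.policy.count_distinct_only and any(f == fp for _, f in st.failures):
            return False                 # same wrong password again: not a new failure
        st.failures.append((now, fp))
        if len(st.failures) >= self.policy.pwd_max_failure:
            st.locked_at = now
            return True
        return False

    def record_success(self, uid: str) -> None:
        self.accounts.pop(uid, None)     # a successful bind resets the counter


def simulate(policy: LockoutPolicy, attempts: List[Tuple[float, str, str]]) -> List[bool]:
    """Run (time, uid, password) failures through a fresh tracker; return lock flags."""
    tracker = LockoutTracker(policy, key=b"constructed-demo-key")
    return [tracker.record_failure(uid, pw, t) for t, uid, pw in attempts]


# Constructed attempt streams: a client retrying one stale password, and a guesser.
STALE_CLIENT = [(float(t), "alice", "OldPassw0rd") for t in range(10)]
DICTIONARY = [(float(t), "alice", "guess-%d" % t) for t in range(10)]

if __name__ == "__main__":
    print("stale client, stock counting:", simulate(LockoutPolicy(), STALE_CLIENT))
    print("stale client, distinct only :", simulate(LockoutPolicy(count_distinct_only=True), STALE_CLIENT))
    print("guesser,      distinct only :", simulate(LockoutPolicy(count_distinct_only=True), DICTIONARY))
```

With stock counting the stale client locks the account on its fifth retry; with `count_distinct_only` the same stream never locks, while ten distinct guesses still lock on the fifth. The fingerprints are HMACs under a per-process key rather than plain hashes, so the failure list does not become an offline-attackable record of attempted passwords, and they are pruned with the same interval as the failure count.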
accesslog-based consumer stuck on objectClass modify on provider
by Francesco Malvezzi
Hi all,
yesterday I changed a structural objectClass for an entry with the relax
control (control: 1.3.6.1.4.1.4203.666.5.12):
dn: uid=cognos,ou=agents,dc=example,dc=org
control: 1.3.6.1.4.1.4203.666.5.12
changetype: modify
replace: objectClass
objectClass: inetOrgPerson
-
add: sn
sn: cognos
On the provider all is ok. The provider is in mirrormode and the other mirror side is ok.
The accesslog-based syncrepl on a consumer was stuck. Neither the modify
nor the following modifies were propagated.
Is the relax control unsupported in this scenario? Did I forget something
really important?
thank you,
Francesco
PS: I deleted from the accesslog db on the provider the entry corresponding to
the said modify, restarted both consumer and provider, and the replica
started again.
9 years
ACLQuestion
by Karl Heinz Wichmann
Hello
I have a problem with an acl. We have the following structure:
dc=a,dc=b,dc=c
|
|-ou=ww-a
|
|-ou=ww-b
|
|-ou=ww-c
|
|-ou=ww-x
|
|-ou=system
In each of ww-a, b, c ... x we have users and groups.
In system we have system accounts (in groups and users).
When we search with an ldap client like thunderbird addressbook, the
users in system should not be visible.
I used the following rule, which didn't work:
olcAccess: {1}to filter="(objectclass=inetOrgperson)"
attrs=entry,uid,sn,cn,mail,givenName by
dn="cn=ad,ou=sys_ad,ou=people,dc=a,dc=b,dc=c" read by * none
With the following rule, I found all users (incl. ad, admin and so on):
olcAccess: {1}to filter="(objectclass=*)"
attrs=entry,uid,sn,cn,mail,givenName by
dn="cn=ad,ou=system,dc=a,dc=b,dc=c" read by * none
I want to avoid regex when possible.
Karl Heinz
9 years
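slapd evaluates `olcAccess` rules in order and stops at the first `to` clause that selects the target, so the usual regex-free way to hide one branch is a `dn.subtree=` deny rule placed before the general rule. The following is an added illustration of that first-match evaluation, not slapd's code or anything from the question: it models only `dn.subtree=`, `filter="(objectClass=...)"`, `attrs=`, `by dn=` and `by *` with the levels `none` and `read`, it assumes a trailing `to * by * none` so that an unmatched request is denied, and the directory entries are constructed to match the tree drawn in the post. Note that the first posted rule grants read to `cn=ad,ou=sys_ad,ou=people,...`, a DN that does not appear in that tree, which is why it returns nothing here.

```python
"""First-match ACL evaluation modelled in Python, added as an illustration for
the question above; it is not slapd's code. Modelled subset:
  to  dn.subtree="<dn>" | filter="(objectClass=<oc>)" | *   [attrs=a,b,c]
  by  dn="<dn>" <level> | * <level>
with levels 'none' and 'read'. An unmatched request is treated as 'none',
which assumes a trailing 'to * by * none' rule.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def norm(dn: str) -> str:
    """DNs compare case-insensitively; strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(dn: str, base: str) -> bool:
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


@dataclass
class Acl:
    subtree: Optional[str] = None        # to dn.subtree="..."
    object_class: Optional[str] = None   # to filter="(objectClass=...)"; None = any
    attrs: Optional[List[str]] = None    # attrs=...; None = every attribute
    by: List[Tuple[str, str]] = field(default_factory=list)  # (DN or "*", level)

    def selects(self, entry_dn: str, entry: Dict[str, List[str]], attr: str) -> bool:
        if self.subtree is not None and not in_subtree(entry_dn, self.subtree):
            return False
        if self.object_class is not None:
            classes = [oc.lower() for oc in entry.get("objectClass", [])]
            if self.object_class.lower() not in classes:
                return False
        if self.attrs is not None and attr.lower() not in [a.lower() for a in self.attrs]:
            return False
        return True


def access(acls: List[Acl], requester_dn: str, entry_dn: str,
           entry: Dict[str, List[str]], attr: str = "entry") -> str:
    """The first 'to' clause selecting the target decides; inside it, the first
    'by' matching the requester decides; a 'by' list that matches nobody denies."""
    for acl in acls:
        if not acl.selects(entry_dn, entry, attr):
            continue
        for who, level in acl.by:
            if who == "*" or norm(who) == norm(requester_dn):
                return level
        return "none"
    return "none"   # assumption: trailing 'to * by * none'


# Constructed directory matching the tree in the post (dc=a,dc=b,dc=c).
PERSON = {"objectClass": ["inetOrgPerson"]}
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=bob,ou=ww-a,dc=a,dc=b,dc=c": PERSON,
    "uid=carol,ou=ww-b,dc=a,dc=b,dc=c": PERSON,
    "cn=ad,ou=system,dc=a,dc=b,dc=c": PERSON,
    "cn=admin,ou=system,dc=a,dc=b,dc=c": PERSON,
    "cn=staff,ou=ww-a,dc=a,dc=b,dc=c": {"objectClass": ["groupOfNames"]},
}
AD = "cn=ad,ou=system,dc=a,dc=b,dc=c"
VIEW = ["entry", "uid", "sn", "cn", "mail", "givenName"]

# The two rules as posted (rule 1 names a DN that does not exist in this tree).
POSTED_RULE_1 = [Acl(object_class="inetOrgPerson", attrs=VIEW,
                     by=[("cn=ad,ou=sys_ad,ou=people,dc=a,dc=b,dc=c", "read"), ("*", "none")])]
POSTED_RULE_2 = [Acl(attrs=VIEW, by=[(AD, "read"), ("*", "none")])]
# Fix without regex: deny the ou=system subtree first, then the general rule.
FIXED = [Acl(subtree="ou=system,dc=a,dc=b,dc=c", attrs=VIEW, by=[("*", "none")]),
         Acl(object_class="inetOrgPerson", attrs=VIEW, by=[(AD, "read"), ("*", "none")])]


def visible_to(acls: List[Acl], requester_dn: str) -> List[str]:
    """Entries whose 'entry' pseudo-attribute the requester may read."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if access(acls, requester_dn, dn, e) == "read")


if __name__ == "__main__":
    for name, rules in (("posted rule 1", POSTED_RULE_1),
                        ("posted rule 2", POSTED_RULE_2), ("fixed", FIXED)):
        print(name, "->", visible_to(rules, AD))
```

In slapd's own syntax the `FIXED` ordering is `olcAccess: {0}to dn.subtree="ou=system,dc=a,dc=b,dc=c" attrs=entry,uid,sn,cn,mail,givenName by * none` followed by the posted `{1}` rule for `(objectclass=inetOrgPerson)`. Keeping `attrs=` on the deny rule matters: it leaves `userPassword` untouched, so the `cn=ad` account in that subtree can still bind. A deny rule written without `attrs=` would also remove the anonymous `auth` access to `userPassword` that a simple bind needs and would lock those system accounts out of binding.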