Re: 2.5.7 for RHEL8 - Question
by Dave Macias
Awesome!
So then, if it's already shipped, why don't I see the schema files for
ppolicy?
Would have thought to find it here: /opt/symas/etc/openldap/schema
> find /opt/ -name *ppolicy*
/opt/symas/lib/openldap/ppolicy.la
/opt/symas/lib/openldap/ppolicy.so
/opt/symas/lib/openldap/ppolicy-2.5.so.0
/opt/symas/lib/openldap/ppolicy-2.5.so.0.1.2
/opt/symas/share/man/man5/slapo-ppolicy.5
Thank you again for the quick responses!
On Wed, Aug 25, 2021 at 2:07 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Wednesday, August 25, 2021 2:33 PM -0400 Dave Macias
> <davama(a)gmail.com> wrote:
>
> >
> > Thank you Quanah for the response!
> > Makes sense.
> >
> > One more question:
> > under: /opt/symas/etc/openldap/schema/README
> > It says that ppolicy is
> > ppolicy.schema Password Policy Schema (work in progress)
> >
> >
> >
> > If i'm not mistaken, this would be the new ppolicy10 , yes?
> >
> > https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10
>
> Actually that should be deleted from the README, thanks. But yes, the
> ppolicy shipped with OpenLDAP 2.5 is based on draft 10, as documented in
> the man page.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
Re: 2.5.7 for RHEL8 - Question
by Dave Macias
Thank you Quanah for the response!
Makes sense.
One more question:
under: /opt/symas/etc/openldap/schema/README
It says that ppolicy is
ppolicy.schema Password Policy Schema (work in progress)
If i'm not mistaken, this would be the new ppolicy10 , yes?
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10
Thanks!
On Wed, Aug 25, 2021 at 1:27 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Wednesday, August 25, 2021 2:17 PM -0400 Dave Macias
> <davama(a)gmail.com> wrote:
>
> > Without doing any configuration, I attempted to start the slapd
> > but /opt/symas/etc/openldap/slapd.conf did not exist, since it
> > was /opt/symas/etc/openldap/slapd.conf.default . Which was an easy name
> > change. After that the slapd service started without issues.
> >
> > My question is, why are the pkg files now under /opt?
>
> Two reasons:
>
> a) It preserves the installation paths of the Symas OpenLDAP Gold product
> b) Installation paths are identical regardless of host OS. While RHEL8 has
> dropped OpenLDAP server support, other OSes have not. Additionally, RedHat
> has not stopped shipping the 2.4 libldap, so we still need isolation at
> that level.
>
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
2.5.7 for RHEL8 - Question
by Dave Macias
Hello,
I am very excited about testing this new 2.5.X version. Thank you for the
release!
Just testing out the prepackaged versions on a clean rocky linux install
Specifically: https://repo.symas.com/soldap/rhel8/
Without doing any configuration, I attempted to start the slapd
but /opt/symas/etc/openldap/slapd.conf did not exist, since it
was /opt/symas/etc/openldap/slapd.conf.default . Which was an easy name
change. After that the slapd service started without issues.
My question is, why are the pkg files now under /opt?
Before, at least in the symas-openldap pkg for 2.4.X they were installed
under /etc/, /var/lib/, /usr/bin, etc. I'm assuming this was because it was
meant to replace the RedHat openldap pkg.. yes? But now there is no RedHat
openldap pkg for rhel8 so there is nothing to replace...
Thank you,
Dave
1 year, 9 months
Re: OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS
by Saša-Stjepan Bakša
On Tue, 24 Aug 2021 at 19:39, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
>
> We don't provide any i386 data, which is what that message is saying.
> I.e., your local apt command looked for an i386 architecture and was unable
> to find one. For some reason, Ubuntu still configures to look for i386 by
> default.
>
I see it now.
root@ldap-proxy:/etc/apt# dpkg --print-foreign-architectures
i386
Well, if they did it on purpose I will not change it but I am still puzzled.
> Documentation error, thank you. I'll fix that right away. :)
>
>
You are welcome!
Br
Saša
1 year, 9 months
Re: OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS
by Dave Macias
> It's our replacement for Symas OpenLDAP for Linux and Symas OpenLDAP for
> Gold. They are free to use and optional support contracts are available.
> We're currently working on an official announcement to post, but thought
> I'd point you at them since they're ready from the technical perspective.
>
> --Quanah
>
Was about to ask if they were still considered WIP...
Thank you again for the support!!
-Dave
1 year, 9 months
Re: OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS
by Saša-Stjepan Bakša
Hi Quanah,
Long time has passed since our last conversation. :-)
Thank you for your info. I was looking around your site and didn't find
this repo.
Are those commercial release packages or public?
Br
Saša
On Mon, 23 Aug 2021 at 18:12, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
> --On Monday, August 23, 2021 3:15 PM +0200 Saša-Stjepan Bakša
> <ssbaksa(a)gmail.com> wrote:
>
>
> > Does anyone maintain PPA for OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS?
> > On the Symas page, there is a package only for 2.4.59+dfsg-1ppa~bionic1
> > and since Quanah recommends the latest version for using dynlist I am in
> > a bit of a problem. I just can't find the proper deb package for Ubuntu.
>
> Hi Saša-Stjepan Bakša,
>
> Symas OpenLDAP 2.5 can be obtained from:
>
> <https://repo.symas.com/soldap/ubuntu20/>
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS
by Saša-Stjepan Bakša
Hi,
Does anyone maintain PPA for OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS?
On the Symas page, there is a package only for 2.4.59+dfsg-1ppa~bionic1
and since Quanah recommends the latest version for using dynlist I am in a
bit of a problem. I just can't find the proper deb package for Ubuntu.
Well to be honest, there is one for the latest Ubuntu but that one is still
under development and I can't use that in production.
Switching to another distro? Well, after so many years using Ubuntu I am
not fond of the idea of switching to another distro.
Building it from scratch? Maybe, if I can create an Ubuntu building
environment.
Br,
Saša-Stjepan Bakša
1 year, 9 months
Re: migrate from 2.4 to 2.5, determine existing MDB format
by kevin martin
i understand that ldap is a protocol but it occurred to me that a database
change (where tables and the like might be different and slapd version
dependent) might need to be a sitewide thing, not a server by server thing
(meaning the 2.4 servers, once the "database" is mirrored from the master
server, might not understand the new format?).
---
Regards,
Kevin Martin
On Thu, Aug 19, 2021 at 12:31 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Thursday, August 19, 2021 1:23 PM -0500 kevin martin
> <ktmdms(a)gmail.com> wrote:
>
> >
> >
> > if I have multiple slapd servers running 2.4 can I update my master
> > server to 2.5 with the new format and will the 2.4 mirrors be able to
> > handle the new format or is it an all or nothing upgrade of all servers
> > at once?
>
> LDAP is a protocol, the internal change to the MDB database structure is
> immaterial.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
Re: migrate from 2.4 to 2.5, determine existing MDB format
by kevin martin
Ok, thanks for the clarification. That's what I needed to know.
---
Regards,
Kevin Martin
On Thu, Aug 19, 2021 at 12:45 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Thursday, August 19, 2021 1:35 PM -0500 kevin martin
> <ktmdms(a)gmail.com> wrote:
>
> >
> >
> > i understand that ldap is a protocol but it occurred to me that a
> > database change (where tables and the like might be different and slapd
> > version dependent) might need to be a sitewide thing, not a server by
> > server thing (meaning the 2.4 servers, once the "database" is mirrored
> > from the master server, might not understand the new format?).
>
> The only limitation would be that you could not mdb_copy a 2.5 database and
> run that under a 2.4 slapd. Since it's purely internal, the replication
> protocol has no "knowledge" of it, and it would not appear in an LDIF
> created by slapcat.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
Re: pwdHistory setting not being honored
by kevin martin
yeah, just found that in the CHANGE file for 2.4. thanks. and that's why I
had asked the other question about the 2.4 vs 2.5 database format and
servers. figured if I have to update anyway (and should, granted) I should
do it to 2.5 but didn't necessarily want to take on a weekend's worth of
work if I could get away with doing it bit by bit over time.
---
Regards,
Kevin Martin
On Thu, Aug 19, 2021 at 12:33 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Thursday, August 19, 2021 1:17 PM -0500 kevin martin
> <ktmdms(a)gmail.com> wrote:
>
> >
> >
> > we HAD a password history setting with ppolicy to store 10 passwords in
> > history, and that worked fine. Now, our policy has changed and only the
> > last 4 passwords can't be used but when I try to change to a password
> > that I know was not in the last 4 password changes I'm told that the
> > password exists in my history. looking at an ldif dump my user has 10
> > pwdHistory entries but shouldn't the change in policy cause slapd to only
> > look at my last 4 most recent pwdHistory entries, because it's certainly
> > not doing so. do I have to dump the ldap into an ldif, remove
> > pwdHistory entries, and reload it to make the password history stuff work
> > correctly? version of slapd is 2.4.45.
>
> This is <https://bugs.openldap.org/show_bug.cgi?id=8349>
>
> Fixed in OpenLDAP 2.4.48. I strongly advise upgrading to current supported
> release for many reasons.
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
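Added example, not part of the original thread and not OpenLDAP or Symas code: a read-only audit of a slapcat LDIF export that lists, per entry, the pwdHistory values that exceed the policy's history limit, which is the state described in the pwdHistory thread above (10 stored values, limit of 4). The sample LDIF, DNs, hashes and function names are constructed for illustration, and the value layout `time#syntaxOID#length#data` is assumed from the password policy draft.

```python
import base64
from collections import defaultdict

OID = "1.3.6.1.4.1.1466.115.121.1.40"
# Constructed sample shaped like slapcat output: ten history values for one
# user (one folded, one base64-encoded); the hashes are placeholders.
_vals = [f"2021{m:02d}01120000Z#{OID}#9#{{SSHA}}h{m:02d}" for m in range(1, 11)]
_lines = ["pwdHistory: " + v for v in _vals]
_lines[2] = _lines[2][:20] + "\n " + _lines[2][20:]  # folded inside the timestamp
_lines[3] = "pwdHistory:: " + base64.b64encode(_vals[3].encode()).decode()
SAMPLE_LDIF = ("dn: uid=alice,ou=people,dc=example,dc=com\n" + "\n".join(_lines)
               + "\n\ndn: uid=bob,ou=people,dc=example,dc=com\n" + _lines[0] + "\n")

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def history_by_dn(ldif):
    """Map each DN to the timestamps of its pwdHistory values, oldest first."""
    hist, dn = defaultdict(list), None
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep:
            if not line.strip():
                dn = None  # a blank line ends the entry
            continue
        if value.startswith(":"):  # 'attr:: ...' carries a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "pwdhistory" and dn:
            hist[dn].append(value.split("#", 1)[0])  # GeneralizedTime sorts as text
    return {d: sorted(ts) for d, ts in hist.items()}

def over_limit(ldif, pwd_in_history):
    """Return {dn: timestamps of values older than the newest pwd_in_history}."""
    hist = history_by_dn(ldif)
    return {d: ts[:len(ts) - pwd_in_history] for d, ts in hist.items() if len(ts) > pwd_in_history}

if __name__ == "__main__":
    for dn, stale in over_limit(SAMPLE_LDIF, 4).items():
        print(dn, "has", len(stale), "values beyond the limit; oldest:", stale[0])
```

The script only reports; it does not modify the directory or the export.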