openldap-technical August 2021

openldap-technical@openldap.org

26 participants
49 discussions

/usr/local/etc/openldap/slapd.conf: line 39: <password-hash> scheme not available ({SHA512})
by kevin martin 26 Aug '21

26 Aug '21

while trying to convert from a slapd.conf file to a cn=config style, slaptest displays the error as shown in the subject line. openldap 2.4 supported "password-hash {SHA512}" in the slapd.conf, is this simply an issue of password-hash not being able to be converted or is that *particular* password-hash line unsupported in the latest 2.5 (building from source)? --- Regards, Kevin Martin

2 1

Re: 2.5.7 for RHEL8 - Question
by Dave Macias 25 Aug '21

25 Aug '21

Awesome! So then, if it's already shipped, why dont I see the schema files for ppolicy? Would have thought to find it here: /opt/symas/etc/openldap/schema > find /opt/ -name *ppolicy* /opt/symas/lib/openldap/ppolicy.la /opt/symas/lib/openldap/ppolicy.so /opt/symas/lib/openldap/ppolicy-2.5.so.0 /opt/symas/lib/openldap/ppolicy-2.5.so.0.1.2 /opt/symas/share/man/man5/slapo-ppolicy.5 Thank you again for the quick responses! On Wed, Aug 25, 2021 at 2:07 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Wednesday, August 25, 2021 2:33 PM -0400 Dave Macias > <davama(a)gmail.com> wrote: > > > > > Thank you Quanah for the response! > > Makes sense. > > > > One more question: > > under: /opt/symas/etc/openldap/schema/README > > It says that ppolicy is > > ppolicy.schema Password Policy Schema (work in progress) > > > > > > > > If i'm not mistaken, this would be the new ppolicy10 , yes? > > > https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10 > > Actually that should be deleted from the README, thanks. But yes, the > ppolicy shipped with OpenLDAP 2.5 is based on draft 10, as documented in > the man page. > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

Re: 2.5.7 for RHEL8 - Question
by Dave Macias 25 Aug '21

25 Aug '21

Thank you Quanah for the response! Makes sense. One more question: under: /opt/symas/etc/openldap/schema/README It says that ppolicy is ppolicy.schema Password Policy Schema (work in progress) If i'm not mistaken, this would be the new ppolicy10 , yes? https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10 Thanks! On Wed, Aug 25, 2021 at 1:27 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Wednesday, August 25, 2021 2:17 PM -0400 Dave Macias > <davama(a)gmail.com> wrote: > > > Without doing any configuration, I attempted to start the slapd > > but /opt/symas/etc/openldap/slapd.conf did not exist, since it > > was /opt/symas/etc/openldap/slapd.conf.default . Which was an easy name > > change. After that the slapd service started without issues. > > > > My question is, why are the pkg files now under /opt? > > Two reasons: > > a) It preserves the installation paths of the Symas OpenLDAP Gold product > b) Installation paths are identical regardless of host OS. While RHEL8 > has > dropped OpenLDAP server support, other OSes have not. Additionally, > RedHat > has not stopped shipping the 2.4 libldap, so we still need isolation at > that level. > > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

2.5.7 for RHEL8 - Question
by Dave Macias 25 Aug '21

25 Aug '21

Hello, I am very excited about testing this new 2.5.X version. Thank you for the release! Just testing out the prepackaged versions on a clean rocky linux install Specifically: https://repo.symas.com/soldap/rhel8/ Without doing any configuration, I attempted to start the slapd but /opt/symas/etc/openldap/slapd.conf did not exist, since it was /opt/symas/etc/openldap/slapd.conf.default . Which was an easy name change. After that the slapd service started without issues. My question is, why are the pkg files now under /opt? Before, at least in the symas-openldap pkg for 2.4.X they were installed under /etc/, /var/lib/, /usr/bin, etc. I'm assuming this was because it was meant to replace the RedHat openldap pkg.. yes? But now there is no RedHad openldap pkg for rhel8 so there is nothing to replace... Thank you, Dave

2 1

Re: OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS
by Saša-Stjepan Bakša 24 Aug '21

24 Aug '21

On Tue, 24 Aug 2021 at 19:39, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > We don't provide any i386 data, which is what that message is saying. > I.e., your local apt command looked for an i386 architecture and was > unable > to find one. For some reason, Ubuntu still configures to look for i386 by > default. > I see it now. *root@ldap-proxy:/etc/apt# dpkg --print-foreign-architecturesi386* Well, if they did it on purpose I will not change it but I am still puzzled. > Documentation error, thank you. I'll fix that right away. :) > > You are welcome! Br Saša

1 0

Re: OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS
by Dave Macias 24 Aug '21

24 Aug '21

> It's our replacement for Symas OpenLDAP for Linux and Symas OpenLDAP for > Gold. They are free to use and optional support contracts are available. > We're currently working on an official announcement to post, but thought > I'd point you at them since they're ready from the technical perspective. > > --Quanah > Was about to ask if they were still considered WIP... Thank you again for the support!! -Dave

1 0

Re: OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS
by Saša-Stjepan Bakša 24 Aug '21

24 Aug '21

Hi Quanah, Long time has passed since our last conversation. :-) Thank you for your info. I was looking around your site and didn't find this repo. Are those commercial release packages or public? Br Saša On Mon, 23 Aug 2021 at 18:12, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Monday, August 23, 2021 3:15 PM +0200 Saša-Stjepan Bakša > <ssbaksa(a)gmail.com> wrote: > > > > Does anyone maintain PPA for OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS? > > On the Symas page, there is a package only for 2.4.59+dfsg-1ppa~bionic1 > > and since Quanah recommends the latest version for using dynlist I am in > > a bit of a problem. I just can't find the proper deb package for Ubuntu. > > Hi Saša-Stjepan Bakša, > > Symas OpenLDAP 2.5 can be obtained from: > > <https://repo.symas.com/soldap/ubuntu20/> > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS
by Saša-Stjepan Bakša 24 Aug '21

24 Aug '21

Hi, Does anyone maintain PPA for OpenLDAP 2.5.5 PPA for Ubuntu 20.04 LTS? On the Symas page, there is a package only for 2.4.59+dfsg-1ppa~bionic1 and since Quanah recommends the latest version for using dynlist I am in a bit of a problem. I just can't find the proper deb package for Ubuntu. Well to be honest, there is one for the latest Ubuntu but that one is still under development and I can't use that in production. Switching to another distro? Well, after so many years using Ubuntu I am not fond of the idea of switching to another distro. Building it from scratch? Maybe, if I can create an Ubuntu building environment. Br, Saša-Stjepan Bakša

3 3

Re: migrate from 2.4 to 2.5, determine existing MDB format
by kevin martin 20 Aug '21

20 Aug '21

i understand that ldap is a protocol but it occurred to me that a database change (where tables and the like might be different and slapd version dependent) might need to be a sitewide thing, not a server by server thing (meaning the 2.4 servers, once the "database" is mirrored from the master server, might not understand the new format?). --- Regards, Kevin Martin On Thu, Aug 19, 2021 at 12:31 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Thursday, August 19, 2021 1:23 PM -0500 kevin martin > <ktmdms(a)gmail.com> wrote: > > > > > > > if I have multiple slapd servers running 2.4 can I update my master > > server to 2.5 with the new format and will the 2.4 mirrors be able to > > handle the new format or is it an all or nothing upgrade of all servers > > at once? > > LDAP is a protocol, the internal change to the MDB database structure is > immaterial. > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

3 3

Re: migrate from 2.4 to 2.5, determine existing MDB format
by kevin martin 19 Aug '21

19 Aug '21

Ok, thanks for the clarification. That's what I needed to know. --- Regards, Kevin Martin On Thu, Aug 19, 2021 at 12:45 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Thursday, August 19, 2021 1:35 PM -0500 kevin martin > <ktmdms(a)gmail.com> wrote: > > > > > > > i understand that ldap is a protocol but it occurred to me that a > > database change (where tables and the like might be different and slapd > > version dependent) might need to be a sitewide thing, not a server by > > server thing (meaning the 2.4 servers, once the "database" is mirrored > > from the master server, might not understand the new format?). > > The only limitation would be that you could not mdb_copy a 2.5 database > and > run that under a 2.4 slapd. Since it's purely internal, the replication > protocol has no "knowledge" of it, and it would not appear in an LDIF > created by slapcat. > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2021