[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pesky ppolicy problems



Metcalf, Roger wrote:
I am trying to use the ppolicy overlay. I've searched, read and
experimented and can't get it to work. I've read other similar postings with similar problems but haven't found the
one with the answer.


My OpenLDAP knowledge is intermediate.

I download 2.3.27, then build it:

	env LIBS="-L/usr/bin" \
	./configure \
	--prefix=/usr/local \
	--libdir=/usr/local/lib \
	--sbindir=/usr/sbin \
	--libexecdir=/usr/sbin \
	--sysconfdir=/etc \
	--localstatedir=/var/lib/ldap \
	--enable-overlays=mod \
	--enable-dynamic=yes \
	--enable-modules=yes \
	--enable-ppolicy=yes &&
	make depend &&
	make

Setting "--enable-overlays=mod" turns on all of the overlays, building them as dynamically loadable modules. However, setting "--enable-ppolicy=yes" overrides that setting, and causes the ppolicy overlay to be built statically. For slapd backends and overlays, "yes" means build the feature and build it statically. "mod" means build the feature and build it dynamically.

I include ppolicy in slapd.conf.

	include         /etc/openldap/schema/ppolicy.schema
	overlay   ppolicy
	ppolicy_default	"cn=Standard Policy,ou=Policies,c=us"
	ppolicy_hash_cleartext
	ppolicy_use_lockout

Without seeing more context from your slapd.conf, I'd guess you've put the overlay configuration in the wrong place.


I have tried with and without modulepath and moduleload.  I suspect they are
not needed but am not sure.

	modulepath      /usr/sbin
	moduleload	ppolicy.la

As the slapd.conf(5) manpage states, these directives are only needed for access to dynamically loaded modules. Since you configured ppolicy static, this moduleload directive will fail.


I have created a policy structure in my repository.

I don't really care if ppolicy is statically or dynamically loaded, I just
want it to be available!
The problem may be that I really don't get the meaning or dependencies of
enable-dynamic, enable-modules, enable-overlays, enable-static,
enable-shared.

Have you tried "configure --help" already? --enable-shared and --enable-static are standard options on most autoconf-based software. If you don't understand these, you can find them in the autoconf documentation. If you don't understand the significance of static libraries vs shared libraries, you need to do some reading on computing basics. Teaching those basics is way outside the scope of OpenLDAP.


--enable-dynamic is explained clearly in configure --help:
--enable-dynamic enable linking built binaries with dynamic libs [no]
The default "no" means that by default, the OpenLDAP binaries will be linked with static libraries. Whether or not you actually enable the creation of shared libraries, only the static ones will be used.


--enable-modules enable dynamic module support [no]
This should be fairly obvious too - if you don't enable this, then OpenLDAP cannot use dynamically loaded modules. And slapd.conf(5) also says pretty clearly:
moduleload <filename>
Specify the name of a dynamically loadable module to load.
... This option and the modulepath option are
only usable if slapd was compiled with --enable-modules.


   --enable-overlays     enable all available overlays no|yes|mod
I already explained this above.

My goal is simple : to get ppolicy working in the simplest way.

Problems:

/etc/init.d/ldap start --

	WARNING: No dynamic config support for overlay ppolicy.

This apparently is more than just a "warning" because startup fails.

No, it's just a warning, and has nothing to do with your other problems.

I figured Symas CDS silver would work, so I downloaded it, commented out the
ppolicy lines:

	line 234 (overlay	ppolicy)
	overlay "ppolicy" not found
	/opt/symas/etc/openldap/slapd.conf: line 234: <overlay> handler
exited with 1!

Last time I checked, we don't bundle the ppolicy overlay in CDS Silver. You need to subscribe to CDS Gold to get all of the overlays. So naturally it would not be found.


What makes this all the more frustrating is that test022-ppolicy appears to
work fine.
I have examined its .conf file and environment variables, etc and can't
extract the secret.

There are no secrets. You just have to actually read and pay attention to the details.


I recall reading somewhere that human speech naturally involves a great deal of redundancy, which allows people to hear and comprehend each other even in very noisy environments. The same applies to written text; you can drop most vowels and even a lot of consonants from written English and still be understood.

The same is not true for computer software. If you omit or misplace even a single character the entire meaning is lost. Likewise in the documentation, if you skim it or skip even a single sentence then you'll have missed a crucial point.

One of the basic recipes for public speaking is "tell them what you're going to tell them, tell them, then tell them what you told them." Again, redundancy is built in. We don't have the time or resources to be so redundant in writing the documentation. We write the essential information once, and every word is relevant. Life is too short, we don't have time to repeat what has already been written.

Quanah has already responded to the rest of this email, so I'll stop here.

Questions:

1) Where is ppolicy.la located?
2) Does it need to be loaded?
3) Where is the path to it specified?
4) When are moduleload specs needed?
5) Are env variables needed to find ppolicy.la?
6) What's the secret?
7) When will the book be published?

All advice welcome.

Thanks,
Roger Metcalf

-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/