Re: pesky ppolicy problems



On Mon, Jan 22, 2007 at 04:27:19PM -0500, Metcalf, Roger wrote:
> Thanks for the quick response!  I'm using 2.3.27 because it was The Stable
> Release when I started this.  
> I'll move to the latest stable release after I get ppolicy figured out.
> 
> I want dynamic modules, so I changed my enable-ppolicy to be "mod" --
> 

<snip>

> 
> In slapd.conf I set the module path:
> 
> 	modulepath      /usr/sbin/openldap
> 	moduleload	ppolicy.la
> 	<snip>
> 	overlay   ppolicy
> 	ppolicy_default	"cn=Standard Policy,ou=Policies,c=us"
> 	ppolicy_hash_cleartext
> 	ppolicy_use_lockout
> 
> Still I get:
> 
> 	[root openldap-2.3.27]# /etc/init.d/ldap start
> 	Checking configuration files for : WARNING: No dynamic config support for overlay ppolicy.
> 	config file testing succeeded
> 	Starting slapd: FAILED
> 	[root openldap-2.3.27]# 


I get this problem with 2.3.30 (Debian) when I do the same thing for unique as well.

Seems like the only way to get slapd to start without coughing its guts up is:

1. add the module load statement before the backend statement
2. use overlay in the database section
3. ignore the warning about dynamic configuration!


Plus I was having trouble inserting my default policy as well, until I matched
it up with organizationalRole; seems like pwdPolicy did not like being with
inetorgperson.




> 
> Shouldn't this work now?
> 
> I attach my slapd.conf, mostly vanilla in this version, and I've removed
> commented lines for your convenience.  
> How's it look?
> 
> 	include	/etc/openldap/schema/core.schema
> 	include	/etc/openldap/schema/cosine.schema
> 	include	/etc/openldap/schema/inetorgperson.schema
> 	include	/etc/openldap/schema/nis.schema
> 	include     /etc/openldap/schema/acs.schema
> 	include     /etc/openldap/schema/ppolicy.schema
> 
> 	pidfile	/var/lib/ldap/run/slapd.pid
> 	argsfile	/var/lib/ldap/run/slapd.args
> 
> 	modulepath      /usr/sbin/openldap
> 	moduleload	ppolicy.la
> 
> 	database	bdb
> 	suffix		"c=US"
> 	rootdn		"cn=Manager, c=US"
> 	rootpw		secret
> 
> 	directory	/var/lib/ldap/openldap-data
> 
> 	index objectClass                       eq,pres
> 	index ou,cn,mail,surname,givenname      eq,pres,sub
> 	index uidNumber,gidNumber,loginShell    eq,pres
> 	index uid,memberUid                     eq,pres,sub
> 	index nisMapName,nisMapEntry            eq,pres,sub
> 	loglevel 256
> 
> 	overlay   ppolicy
> 
> 	ppolicy_default	"cn=Standard Policy,ou=Policies,c=us"
> 	ppolicy_hash_cleartext
> 	ppolicy_use_lockout
> 
> 
> Thanks,
> Roger
> 
> 
> 
> > -----Original Message-----
> > From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
> > Sent: Monday, January 22, 2007 1:36 PM
> > To: Metcalf, Roger; openldap-software@openldap.org
> > Subject: Re: pesky ppolicy problems
> > 
> > 
> > 
> > 
> > --On Monday, January 22, 2007 1:08 PM -0500 "Metcalf, Roger" 
> > <roger.metcalf@acs-inc.com> wrote:
> > 
> > > I am trying to use the ppolicy overlay.  I've searched, read and
> > > experimented and can't get it to work.
> > > I've read other similar postings with similar problems but haven't found
> > > the one with the answer.
> > >
> > > My OpenLDAP knowledge is intermediate.
> > >
> > > I download 2.3.27, then build it:
> > 
> > Why 2.3.27?  2.3.32 is the current stable release.
> > 
> > Plus there have been fixes since 2.3.27:
> > 
> > OpenLDAP 2.3.30 Release (2006/11/14)
> > 	Fixed slapo-ppolicy external quality check (ITS#4741)
> > 
> > 
> > OpenLDAP 2.3.29 Release (2006/11/10)
> > 	Fixed slapo-ppolicy leaks (ITS#4665)
> > 
> > OpenLDAP 2.3.28 Release (2006/10/21)
> > 	Fixed slapo-ppolicy pwdChangedTime behavior (ITS#4692)
> > 
> > 
> > 
> > As for your questions:
> > 
> > Questions:
> > 
> > 1) Where is ppolicy.la located?
> > 
> > Well, if it's a dynamic module, then in $lib/openldap:
> > 
> > ldap00:/usr/local/lib/openldap> ls -l ppol*
> > lrwxrwxrwx  1 root root     21 Nov 13 22:38 ppolicy-2.3.so.0 -> ppolicy-2.3.so.0.2.16*
> > -rwxr-xr-x  1 root root 102169 Nov  8 21:49 ppolicy-2.3.so.0.2.16*
> > -rwxr-xr-x  1 root root    909 Nov  8 21:49 ppolicy.la*
> > lrwxrwxrwx  1 root root     21 Nov 13 22:38 ppolicy.so -> ppolicy-2.3.so.0.2.16*
> > 
> > 2) Does it need to be loaded?
> > 
> > Yes, if it is a dynamic module.
> > 
> > 3) Where is the path to it specified?
> > 
> > Via the "modulepath" directive in slapd.conf:
> > 
> > # Load dynamic backend modules:
> > modulepath      /usr/local/lib/openldap
> > moduleload      back_hdb.la
> > moduleload      back_monitor.la
> > 
> > 
> > 4) When are moduleload specs needed?
> > 
> > Not sure what you mean here.
> > 
> > 5) Are env variables needed to find ppolicy.la?
> > 
> > No.
> > 
> > 6) What's the secret?
> > 
> > Reading the man pages and other documentation.
> > 
> > 7) When will the book be published?
> > 
> > Howard is currently working on writing it.
> > 
> > --Quanah
> > 
> > --
> > Quanah Gibson-Mount
> > Principal Software Developer
> > ITS/Shared Application Services
> > Stanford University
> > GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
> > 
> 
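
The ordering described in the reply above (moduleload before the backend/database statement, overlay inside the database section), written as a small slapd.conf check. This is an added example, not code from the thread or from OpenLDAP; the function name, the constructed sample configs and the extra cleartext-rootpw check are assumptions made for illustration.

```python
# Constructed samples (not the poster's file): the first breaks each rule,
# the second follows the ordering described in the reply.
SAMPLE_BAD = """\
modulepath /usr/local/lib/openldap
overlay ppolicy
database bdb
rootpw secret
ppolicy_default "cn=Standard Policy,ou=Policies,c=us"
"""
SAMPLE_GOOD = """\
modulepath /usr/local/lib/openldap
moduleload ppolicy.la
database bdb
rootpw {SSHA}placeholder-hash-from-slappasswd
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,c=us"
"""

def lint_slapd_conf(text, dynamic_modules=True):
    """Return (line_number, message) findings; one directive per line assumed."""
    findings, loaded, overlays = [], set(), set()
    seen_section = in_database = False
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "moduleload" and args:
            if seen_section:
                findings.append((n, "moduleload after the database/backend statement"))
            # ppolicy.la, ppolicy.so and a full path all count as "ppolicy"
            loaded.add(args[0].rsplit("/", 1)[-1].rsplit(".", 1)[0])
        elif key in ("backend", "database"):
            seen_section, in_database = True, key == "database"
            overlays = set()  # overlays belong to the database they follow
        elif key == "overlay" and args:
            if not in_database:
                findings.append((n, f"overlay {args[0]} is outside a database section"))
            if dynamic_modules and args[0] not in loaded:
                findings.append((n, f"overlay {args[0]} used without moduleload {args[0]}.la"))
            overlays.add(args[0])
        elif key.startswith("ppolicy_") and "ppolicy" not in overlays:
            findings.append((n, f"{key} is not preceded by 'overlay ppolicy' in this database"))
        elif key == "rootpw" and args and not args[0].strip('"').startswith("{"):
            findings.append((n, "rootpw is cleartext; store a slappasswd hash instead"))
    return findings

if __name__ == "__main__":
    print(lint_slapd_conf(SAMPLE_BAD))
```

Pass `dynamic_modules=False` for a build where the overlay is compiled in statically, since no moduleload line is expected there.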
