View Issue Details

ID: 0002475
Project: CentOS-5
Category: openldap
View Status: public
Last Update: 2009-01-21 10:03
Status: closed
Resolution: fixed
Product Version: 5.0 - x86_64
Target Version:
Fixed in Version:
Summary: 0002475: openldap is missing ppolicy plugin

Description: Schema for ppolicy is present in /etc/openldap/schema/ppolicy.schema, however when /etc/openldap/slapd.conf includes ppolicy statements like:

include /etc/openldap/schema/ppolicy.schema

overlay ppolicy
ppolicy_default cn=default,ou=Policies,dc=exmample,dc=com

openldap fails to start with:

Checking configuration files for slapd: overlay "ppolicy" not found

Looking further into openldap-2.3.27-5.src.rpm, it appears that the spec file does not have --enable-ppolicy defined.


Tags: No tags attached.


has duplicate 0002517 closed range openldap is missing rwm overlay
has duplicate 0002774 closed range All the modules are missing from the package but the man pages are in.


2007-12-06 01:05


patch.ppolicy (2,981 bytes)


2007-12-06 01:06

reporter   ~0006487

The ppolicy overlay is not currently included in the openldap rpm. Looks like the convention is to create a separate rpm to provide the ppolicy module. Something like openldap-servers-ppolicy.rpm.

I've attached a patch for the openldap spec file that will build the openldap-servers-ppolicy.rpm overlay.


2008-04-03 15:56

administrator   ~0007085

I have rebuilt the openldap src.rpm with all overlays enabled (plus smbk5pwd). I'm waiting for the build process to finish (and me to get back to a computer with good internet connectivity).

I'll publish test rpms at the beginning of next week and it would be great if those would be tested by the reporters of 2517, 2774 and this bug.


2008-04-03 15:57

administrator   ~0007086


I hope that now links to the bugs.


2008-04-03 16:18

reporter   ~0007089

Need to install CentOS again but will hopefully be able to test the ppolicy overlay once you post.


2008-04-04 06:58

reporter   ~0007092

1. yum install rpm-build unixODBC-devel bind-libbind-devel libtool-ltdl-devel

2. rpm -Uhv openldap-2.3.27-8.el5_1.3.src.rpm

3. vi /usr/src/redhat/SPECS/openldap.spec
   I have added the following configure options in both sections (#Build 2.2 & #Build the servers with...) to the openldap.spec. [Sorry for my bad English.]
4. cd /usr/src/redhat/SPECS && rpmbuild -ba openldap.spec

5. rpm -qpl `ls -1 --color=none /usr/src/redhat/RPMS/i386/*` | grep -e "\.la"

6. cd /usr/src/redhat/RPMS/i386 && rpm -Uhv *.rpm


2008-04-04 13:44

administrator   ~0007094

Yes, that also works. But I'd like to put these packages into centosplus, so you can just install and update them with yum.


2008-04-05 07:51

reporter   ~0007100

There is a similar request in upstream bugzilla:


2008-04-07 10:41

administrator   ~0007106

There are now RPMS available from (and SRPMS/ where the source rpm lives).

Could you please test those?


2008-04-07 10:44

administrator   ~0007109

The overlays have their own rpm - openldap-overlays. This also includes smbk5pwd from the contrib directory in the openldap sources.


2008-05-22 15:01

developer   ~0007313

Can the bug reporter please provide feedback on the packages provided?


2008-05-24 08:56

reporter   ~0007330

More news on possible inclusion of all overlays in upstream Bugzilla at


2008-07-04 08:07

reporter   ~0007568

I just tried the package without success.

When moduleload and overlay smbk5pwd are commented out in slapd.conf, I can successfully change the userpassword attribute via passwd(1) and poppassd with pam_password exop.

When the smbk5pwd lines in slapd.conf are active, attempts to change the password fail, and slapd appears to die.
500 PAM error: LDAP password information update failed: Can't contact LDAP server
When I restart slapd I get this error:
bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.

Is it necessary to dump and reload the directory when moving to this rpm? I previously had the latest openldap package from CentOS 5.2 installed. Please let me know how I can help debug this.


2008-07-04 08:41

administrator   ~0007569

Hmmm. The smbk5pwd overlay is supposed to work (Johnny tested and uses those, I'll ping him).

Regarding the dumping and rereading of the ldap database - this is also in the original ldap package from upstream.



2008-08-12 04:15

reporter   ~0007829

I'm getting the same error galens is getting.

I have installed these packages:
* openldap-overlays-2.3.27-8.el5_2.4.centos
* openldap-servers-2.3.27-8.el5_2.4.centos
* openldap-clients-2.3.27-8.el5_2.4.centos
* openldap-2.3.27-8.el5_2.4.centos
* openldap-devel-2.3.27-8.el5_2.4.centos

Every time I tried to change a password while I had smbk5pwd "activated" in my slapd.conf, the daemon just crashed w/o even a line of log (even if I set loglevel to 'any').

For now I'm disabling it 'cuz it has caused me enough headache but I'm fully willing to provide more info if needed.


2008-09-24 22:10

reporter   ~0008035

I have been using packages built from Range's SRPM without any issues for quite a while.

Did anyone ever figure out what the deal was with the smbk5pwd conflicts? It would be nice to see this in extras, if we could get the problems worked out. As it stands, I'm holding off on updating to the latest openldap release until I have time to port the changes from Range's package over to the latest release.


2008-09-24 22:21

administrator   ~0008036


Find current ones in (or x86_64 if you need those).


2008-10-21 00:00

reporter   ~0008169


Sorry to intrude on the conversation. I was wondering if this thread was leading towards the OpenLDAP overlays being included somehow in the near future so that I could just do a "yum install openldap-overlays" rather than having to recompile OpenLDAP on my box by hand. I'd prefer the stability and ease-of-use of just doing a "yum update" from time to time, if that's at all possible.


2008-10-21 08:25

administrator   ~0008171

Yes. The packages are in CentOS-Testing, and if you can help testing those, they will go into centosplus. But up until now nobody provided any feedback. So please install them from, test them and provide feedback here >:)




2008-10-21 12:22

reporter   ~0008172

Like I said before, the smbk5pwd overlay does not work for me.
If there is anything I can do in order to provide some good debug information, let me know.


2008-10-21 18:14

reporter   ~0008173

I added the testing repository and then did a "yum update", followed by a "yum install openldap-overlays". Here's what I have installed now:

root@ldap-01# yum list installed 'openldap*'
Loaded plugins: fastestmirror
Installed Packages
openldap.i386 2.3.27-8.el5_2.4.centos installed
openldap-clients.i386 2.3.27-8.el5_2.4.centos installed
openldap-overlays.i386 2.3.27-8.el5_2.4.centos installed
openldap-servers.i386 2.3.27-8.el5_2.4.centos installed

I added the following to my /etc/openldap/slapd.conf:

overlay auditlog
auditlog audit.ldif

Now when I start OpenLDAP, I get:

root@ldap-01# /etc/init.d/ldap start
Checking configuration files for slapd: overlay "auditlog" not found
slaptest: bad configuration file!

I don't see anything in the man pages that let me specify a search path for overlays, but the overlay file is indeed installed:

root@ldap-01# locate auditlog

Any suggestions?


2008-10-21 20:20

reporter   ~0008174

Range: Works great for me.

TimmerCA: You need to explicitly load the overlay modules. My slapd.conf has a section right near the top that reads:

# Load overlay modules:
modulepath /usr/lib/openldap

This is followed later by an instantiation of the overlay in a database section, as your example shows.
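
The "overlay ... not found" failure discussed in this thread can be caught before slapd is restarted. The script below is an added example, not part of the original comments or the CentOS packages; it assumes overlays are built as loadable modules (as in the openldap-overlays package here), and the function names and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: report overlays used in a slapd.conf before any matching
# "moduleload" line. slapd reads the file top to bottom, so order matters.
# Assumption: overlays are loadable modules; statically built overlays need
# no moduleload and would show up here as false positives.
# Limits: "include" files are not followed; continuation lines are skipped.

# Constructed sample configuration (not taken from the thread).
sample_conf() {
    cat <<'EOF'
# Load overlay modules:
modulepath /usr/lib/openldap
moduleload ppolicy.la

database bdb
suffix "dc=example,dc=com"
overlay ppolicy
ppolicy_default cn=default,ou=Policies,dc=example,dc=com
overlay auditlog
auditlog audit.ldif
EOF
}

# Reads slapd.conf text from the named file(s), or stdin if none given.
# Prints one overlay name per line; empty output means nothing is missing.
missing_moduleloads() {
    awk '
        # Comments, blank lines, and continuation lines (leading blank).
        /^#/ || /^[ \t]/ || /^$/ { next }
        { directive = tolower($1) }
        directive == "moduleload" && NF >= 2 {
            name = $2
            sub(/^.*\//, "", name)        # drop any directory part
            sub(/\.(la|so)$/, "", name)   # drop .la / .so suffix
            loaded[name] = 1
            next
        }
        directive == "overlay" && NF >= 2 {
            if (!($2 in loaded) && !($2 in reported)) {
                print $2
                reported[$2] = 1
            }
        }
    ' "$@"
}

sample_conf | missing_moduleloads    # prints: auditlog
```

Run it as `missing_moduleloads /etc/openldap/slapd.conf`; an overlay listed in the output is one slapd will reject at startup unless it was compiled in statically.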


2008-10-23 03:54

reporter   ~0008184

Brandond, thanks that fixed it.

I am now running OpenLDAP with the accesslog, auditlog and ppolicy modules activated and they all appear to be running properly. I'm going to try to devise a stress test of the server tomorrow to see how it acts under load, but it seems like we're good to go right now.


2008-11-23 10:55

reporter   ~0008316

I have tested these openldap RPMs and configured both the accesslog and auditlog overlays. Both seem to be working properly.


2008-11-23 13:40

administrator   ~0008317

It looks like 5.3 is going to include the ppolicy package by default.


2009-01-21 10:03

administrator   ~0008605

This will be fixed in 5.3 - upstream has released a policy package while also rebasing openldap to a newer version.

This means that there will be no smbk5pwd. I'm thinking about how this can be put into some other package.

Issue History

Date Modified Username Field Change
2007-11-28 20:39 posiczko New Issue
2007-12-06 01:05 jsaintro File Added: patch.ppolicy
2007-12-06 01:06 jsaintro Note Added: 0006487
2008-04-03 15:48 range Relationship added has duplicate 0002517
2008-04-03 15:49 range Relationship added has duplicate 0002774
2008-04-03 15:56 range Note Added: 0007085
2008-04-03 15:57 range Note Added: 0007086
2008-04-03 16:18 jsaintro Note Added: 0007089
2008-04-04 06:58 kRocKodile Note Added: 0007092
2008-04-04 13:44 range Note Added: 0007094
2008-04-05 07:51 johan Note Added: 0007100
2008-04-07 10:41 range Note Added: 0007106
2008-04-07 10:42 range Status new => feedback
2008-04-07 10:44 range Note Added: 0007109
2008-05-22 15:01 timverhoeven Note Added: 0007313
2008-05-24 08:56 johan Note Added: 0007330
2008-07-04 08:07 galens Note Added: 0007568
2008-07-04 08:41 range Note Added: 0007569
2008-08-12 04:15 fr0w Note Added: 0007829
2008-09-24 22:10 brandond Note Added: 0008035
2008-09-24 22:21 range Note Added: 0008036
2008-10-21 00:00 TimmerCA Note Added: 0008169
2008-10-21 08:25 range Note Added: 0008171
2008-10-21 12:22 fr0w Note Added: 0008172
2008-10-21 18:14 TimmerCA Note Added: 0008173
2008-10-21 20:20 brandond Note Added: 0008174
2008-10-23 03:54 TimmerCA Note Added: 0008184
2008-11-23 10:55 johan Note Added: 0008316
2008-11-23 13:40 range Note Added: 0008317
2009-01-21 10:03 range Status feedback => closed
2009-01-21 10:03 range Note Added: 0008605
2009-01-21 10:03 range Resolution open => fixed