2018-02-19 15:49 UTC

ID: 0002475
Project: CentOS-5
Category: openldap
View Status: public
Last Update: 2009-01-21 10:03
Product Version: 5.0 - x86_64
Target Version:
Fixed in Version:
Summary: 0002475: openldap is missing ppolicy plugin
Description: Schema for ppolicy is present in /etc/openldap/schema/ppolicy.schema, however when /etc/openldap/slapd.conf includes ppolicy statements like:

include /etc/openldap/schema/ppolicy.schema

overlay ppolicy
ppolicy_default cn=default,ou=Policies,dc=exmample,dc=com

openldap fails to start with:

Checking configuration files for slapd: overlay "ppolicy" not found

Looking further into openldap-2.3.27-5.src.rpm, it appears that the spec file does not have --enable-ppolicy defined.


Tags: No tags attached.
Attached Files:

has duplicate 0002517 (closed, range): openldap is missing rwm overlay
has duplicate 0002774 (closed, range): All the modules are missing from the package but the man pages are in.



jsaintro (reporter)

The ppolicy overlay is not currently included in the openldap rpm. Looks like the convention is to create a separate rpm to provide the ppolicy module. Something like openldap-servers-ppolicy.rpm.

I've attached a patch for the openldap spec file that will build the openldap-servers-ppolicy.rpm overlay


range (administrator)

I have rebuilt the openldap src.rpm with all overlays enabled (plus smbk5pwd). I'm waiting for the build process to finish (and me to get back to a computer with good internet connectivity).

I'll publish test rpms at the beginning of the next week and it would be great if those would be tested by the reporters of 2517, 2774 and this bug.


range (administrator)


I hope that now links to the bugs.


jsaintro (reporter)

Need to install Centos again but will hopefully be able to test ppolicy overlay once you post.


kRocKodile (reporter)

1. yum install rpm-build unixODBC-devel bind-libbind-devel libtool-ltdl-devel

2. rpm -Uhv openldap-2.3.27-8.el5_1.3.src.rpm

3. vi /usr/src/redhat/SPECS/openldap.spec
   I added the following configure options in both sections (#Build 2.2 & #Build the servers with...) of the openldap.spec. [sorry for my bad english]
4. cd /usr/src/redhat/SPECS && rpmbuild -ba openldap.spec

5. rpm -qpl `ls -1 --color=none /usr/src/redhat/RPMS/i386/*` | grep -e "\.la"

6. cd /usr/src/redhat/RPMS/i386 && rpm -Uhv *.rpm


range (administrator)

Yes, that also works. But I'd like to put these packages into centosplus, so you can just install and update them with yum.


johan (reporter)

There is a similar request in upstream bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=370411


range (administrator)

There are now RPMS available from http://people.centos.org/~ralph/RPMS/ (and SRPMS/ where the source rpm lives).

Could you please test those?


range (administrator)

The overlays have their own rpm - openldap-overlays. This also includes smbk5pwd from the contrib directory in the openldap sources.


timverhoeven (developer)

Can the bug reporter please provide feedback on the packages provided?


johan (reporter)

More news on possible inclusion of all overlays in upstream Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=442324


galens (reporter)

I just tried the http://people.centos.org/~ralph/SRPMS/openldap-2.3.27-8.el5_1.3.centos.src.rpm package without success.

When moduleload smbk5pwd.la and overlay smbk5pwd are commented out in slapd.conf, I can successfully change the userpassword attribute via passwd(1) and poppassd with pam_password exop.

When the smbk5pwd lines in slapd.conf are active, attempts to change the password fail, and slapd appears to die.
500 PAM error: LDAP password information update failed: Can't contact LDAP server
When I restart slapd I get this error:
bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.

Is it necessary to dump and reload the directory when moving to this rpm? I previously had the latest openldap package from CentOS 5.2 installed. Please let me know how I can help debug this.


range (administrator)

Hmmm. The smbk5pwd overlay is supposed to work (Johnny tested and uses those, I'll ping him).

Regarding the dumping and rereading of the ldap database - this is also in the original ldap package from upstream.

See https://bugzilla.redhat.com/show_bug.cgi?id=436046


fr0w (reporter)

I'm getting the same error galens is getting.

I have installed this packages:
* openldap-overlays-2.3.27-8.el5_2.4.centos
* openldap-servers-2.3.27-8.el5_2.4.centos
* openldap-clients-2.3.27-8.el5_2.4.centos
* openldap-2.3.27-8.el5_2.4.centos
* openldap-devel-2.3.27-8.el5_2.4.centos

Every time I try to change a password while I have smbk5pwd "activated" in my slapd.conf, the daemon just crashes without even a line of log (even if I set loglevel to 'any').

For now I'm disabling it because it has caused me enough headache, but I'm fully willing to provide more info if needed.


brandond (reporter)

I have been using packages built from Range's SRPM without any issues for quite a while.

Did anyone ever figure out what the deal was with the smbk5pwd conflicts? It would be nice to see this in extras, if we could get the problems worked out. As it stands, I'm holding off on updating to the latest openldap release until I have time to port the changes from Range's package over to the latest release.


range (administrator)


Find current ones in http://dev.centos.org/centos/5/testing/i386/RPMS/ (or x86_64 if you need those).


TimmerCA (reporter)


Sorry to intrude on the conversation. I was wondering if this thread was leading towards the OpenLDAP overlays being included somehow in the near future so that I could just do a "yum install openldap-overlays" rather than having to recompile OpenLDAP on my box by hand. I'd prefer the stability and ease-of-use of just doing a "yum update" from time to time, if that's at all possible.


range (administrator)

Yes. The packages are in CentOS-Testing - http://dev.centos.org/ - and if you can help testing those, they will go into centosplus. But up until now nobody provided any feedback. So please install them from dev.centos.org, test them and provide feedback here >:)




fr0w (reporter)

Like I said before, the smbk5pwd overlay does not work for me.
If there is anything I can do to provide some good debug information, let me know.


TimmerCA (reporter)

I added the testing repository and then did a "yum update", followed by a "yum install openldap-overlays". Here's what I have installed now:

root@ldap-01# yum list installed 'openldap*'
Loaded plugins: fastestmirror
Installed Packages
openldap.i386 2.3.27-8.el5_2.4.centos installed
openldap-clients.i386 2.3.27-8.el5_2.4.centos installed
openldap-overlays.i386 2.3.27-8.el5_2.4.centos installed
openldap-servers.i386 2.3.27-8.el5_2.4.centos installed

I added the following to my /etc/openldap/slapd.conf:

overlay auditlog
auditlog audit.ldif

Now when I start OpenLDAP, I get:

root@ldap-01# /etc/init.d/ldap start
Checking configuration files for slapd: overlay "auditlog" not found
slaptest: bad configuration file!

I don't see anything in the man pages that lets me specify a search path for overlays, but the overlay file is indeed installed:

root@ldap-01# locate auditlog

Any suggestions?


brandond (reporter)

Range: Works great for me.

TimmerCA: You need to explicitly load the overlay modules. My slapd.conf has a section right near the top that reads:

# Load overlay modules:
modulepath /usr/lib/openldap
moduleload auditlog.la

This is followed later by an instantiation of the overlay in a database section, as your example shows.
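The mistake in the previous post (an overlay instantiated in slapd.conf with no matching moduleload line, so slaptest reports overlay "auditlog" not found) can be caught before restarting slapd. The script below is an added example written for this page; it is not something posted in the thread or shipped with the CentOS packages. It assumes OpenLDAP 2.3-style slapd.conf syntax (one "keyword value" per line, '#' comments) and runs against a constructed sample config embedded in the script, so it works offline.

```shell
#!/bin/sh
# Added example (not from the bug tracker thread): report every
# "overlay <name>" in a slapd.conf that has no "moduleload <name>.la"
# (or .so) line, which is the cause of 'overlay "<name>" not found'.

# Print the module names loaded via "moduleload", stripping any directory
# prefix and the .la/.so suffix, after removing '#' comments.
loaded_modules() {
    sed -e 's/#.*//' "$1" | awk '$1 == "moduleload" {
        n = $2; sub(/.*\//, "", n); sub(/\.(la|so)$/, "", n); print n }'
}

# Print every overlay name that is instantiated but never loaded.
# Returns 0 when nothing is missing, 1 otherwise.
check_overlays() {
    conf="$1"
    missing=0
    for ov in $(sed -e 's/#.*//' "$conf" | awk '$1 == "overlay" { print $2 }'); do
        if ! loaded_modules "$conf" | grep -qx "$ov"; then
            echo "$ov"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample config: ppolicy is loaded, auditlog is instantiated
# but never loaded (the situation described in the thread).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
include /etc/openldap/schema/ppolicy.schema
# Load overlay modules:
modulepath /usr/lib/openldap
moduleload ppolicy.la

database bdb
suffix "dc=example,dc=com"
overlay ppolicy
ppolicy_default cn=default,ou=Policies,dc=example,dc=com
overlay auditlog
auditlog /var/log/slapd/audit.ldif
EOF

# Same config with the missing moduleload added (assumed fix).
FIXED_CONF=$(mktemp)
{ echo "moduleload auditlog.la"; cat "$SAMPLE_CONF"; } > "$FIXED_CONF"

echo "Overlays referenced in the sample config without a moduleload line:"
check_overlays "$SAMPLE_CONF" || true
echo "After adding moduleload auditlog.la, missing overlays:"
check_overlays "$FIXED_CONF" && echo "(none)"
```

Run it on a real config by replacing the constructed sample with the path to /etc/openldap/slapd.conf; any name it prints needs a moduleload line under the modulepath that holds the package's .la files.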


TimmerCA (reporter)

Brandond, thanks, that fixed it.

I am now running OpenLDAP with the accesslog, auditlog and ppolicy modules activated and they all appear to be running properly. I'm going to try to devise a stress test of the server tomorrow to see how it acts under load, but it seems like we're good to go right now.


johan (reporter)

I have tested these openldap RPMs and configured both the accesslog and auditlog overlays. Both seem to be working properly.


range (administrator)

It looks like 5.3 is going to include the ppolicy package by default.


range (administrator)

This will be fixed in 5.3 - upstream has released a policy package while also rebasing openldap to a newer version.

This means that there will be no smbk5pwd. I'm thinking about how this can be put into some other package.

Issue History
Date Modified Username Field Change
2007-11-28 20:39 posiczko New Issue
2007-12-06 01:05 jsaintro File Added: patch.ppolicy
2007-12-06 01:06 jsaintro Note Added: 0006487
2008-04-03 15:48 range Relationship added has duplicate 0002517
2008-04-03 15:49 range Relationship added has duplicate 0002774
2008-04-03 15:56 range Note Added: 0007085
2008-04-03 15:57 range Note Added: 0007086
2008-04-03 16:18 jsaintro Note Added: 0007089
2008-04-04 06:58 kRocKodile Note Added: 0007092
2008-04-04 13:44 range Note Added: 0007094
2008-04-05 07:51 johan Note Added: 0007100
2008-04-07 10:41 range Note Added: 0007106
2008-04-07 10:42 range Status new => feedback
2008-04-07 10:44 range Note Added: 0007109
2008-05-22 15:01 timverhoeven Note Added: 0007313
2008-05-24 08:56 johan Note Added: 0007330
2008-07-04 08:07 galens Note Added: 0007568
2008-07-04 08:41 range Note Added: 0007569
2008-08-12 04:15 fr0w Note Added: 0007829
2008-09-24 22:10 brandond Note Added: 0008035
2008-09-24 22:21 range Note Added: 0008036
2008-10-21 00:00 TimmerCA Note Added: 0008169
2008-10-21 08:25 range Note Added: 0008171
2008-10-21 12:22 fr0w Note Added: 0008172
2008-10-21 18:14 TimmerCA Note Added: 0008173
2008-10-21 20:20 brandond Note Added: 0008174
2008-10-23 03:54 TimmerCA Note Added: 0008184
2008-11-23 10:55 johan Note Added: 0008316
2008-11-23 13:40 range Note Added: 0008317
2009-01-21 10:03 range Status feedback => closed
2009-01-21 10:03 range Note Added: 0008605
2009-01-21 10:03 range Resolution open => fixed