View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002475||CentOS-5||openldap||public||2007-11-28 20:39||2009-01-21 10:03|
|Product Version||5.0 - x86_64|
|Target Version||Fixed in Version|
|Summary||0002475: openldap is missing ppolicy plugin|
|Description||Schema for ppolicy is present in /etc/openldap/schema/ppolicy.schema, however when /etc/openldap/slapd.conf includes ppolicy statements like:|
openldap fails to start with:
Checking configuration files for slapd: overlay "ppolicy" not found
Looking further into openldap-2.3.27-5.src.rpm, it appears that the spec file does not have --enable-ppolicy defined.
|Tags||No tags attached.|
patch.ppolicy (2,981 bytes)
The ppolicy overlay is not currently included in the openldap rpm. Looks like the convention is to create a separate rpm to provide the ppolicy module. Something like openldap-servers-ppolicy.rpm.
I've attached a patch for the openldap spec file that will build the openldap-servers-ppolicy.rpm overlay.
I have rebuilt the openldap src.rpm with all overlays enabled (plus smbk5pwd). I'm waiting for the build process to finish (and me to get back to a computer with good internet connectivity).
I'll publish test rpms at the beginning of the next week and it would be great if those would be tested by the reporters of 2517 2774 and this bug.
I hope that now links to the bugs.
Need to install CentOS again but will hopefully be able to test ppolicy overlay once you post.
1. yum install rpm-build unixODBC-devel bind-libbind-devel libtool-ltdl-devel
2. rpm -Uhv openldap-2.3.27-8.el5_1.3.src.rpm
3. vi /usr/src/redhat/SPECS/openldap.spec
I have added the following configure options in both sections (#Build 2.2 & #Build the servers with...) of the openldap.spec. [sorry for my bad English]
4. cd /usr/src/redhat/SPECS && rpmbuild -ba openldap.spec
5. rpm -qpl `ls -1 --color=none /usr/src/redhat/RPMS/i386/*` | grep -e "\.la"
6. cd /usr/src/redhat/RPMS/i386 && rpm -Uhv *.rpm
Yes, that also works. But I'd like to put these packages into centosplus, so you can just install and update them with yum
There is a similar request in upstream bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=370411
There are now RPMS available from http://people.centos.org/~ralph/RPMS/ (and SRPMS/ where the source rpm lives).
Could you please test those?
The overlays have their own rpm - openldap-overlays. This also includes smbk5pwd from the contrib directory in the openldap sources.
Can the bug reporter please provide feedback on the packages provided?
More news on possible inclusion of all overlays in upstream Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=442324
I just tried the http://people.centos.org/~ralph/SRPMS/openldap-2.3.27-8.el5_1.3.centos.src.rpm package without success.
When moduleload smbk5pwd.la and overlay smbk5pwd are commented out in slapd.conf, I can successfully change the userpassword attribute via passwd(1) and poppassd with pam_password exop.
When the smbk5pwd lines in slapd.conf are active, attempts to change the password fail, and slapd appears to die.
500 PAM error: LDAP password information update failed: Can't contact LDAP server
When I restart slapd I get this error:
bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
Is it necessary to dump and reload the directory when moving to this rpm? I previously had the latest openldap package from CentOS 5.2 installed. Please let me know how I can help debug this.
Hmmm. The smbk5pwd overlay is supposed to work (Johnny tested and uses those, I'll ping him).
Regarding the dumping and rereading of the ldap database - this is also in the original ldap package from upstream.
I'm getting the same error galens is getting.
I have installed these packages:
Every time I tried to change a password and I have smbk5pwd "activated" in my slapd.conf the daemon just crashes w/o even a line of log (even if I set loglevel to 'any').
For now I'm disabling it 'cuz it has caused me enough headache but I'm fully willing to provide more info if needed.
I have been using packages built from Range's SRPM without any issues for quite a while.
Did anyone ever figure out what the deal was with the smbk5pwd conflicts? It would be nice to see this in extras, if we could get the problems worked out. As it stands, I'm holding off on updating to the latest openldap release until I have time to port the changes from Range's package over to the latest release.
Find current ones in http://dev.centos.org/centos/5/testing/i386/RPMS/ (or x86_64 if you need those).
Sorry to intrude on the conversation. I was wondering if this thread was leading towards the OpenLDAP overlays being included somehow in the near future so that I could just do a "yum install openldap-overlays" rather than having to recompile OpenLDAP on my box by hand. I'd prefer the stability and ease-of-use of just doing a "yum update" from time to time, if that's at all possible.
Yes. The packages are in CentOS-Testing - http://dev.centos.org/ - and if you can help testing those, they will go into centosplus. But up until now nobody provided any feedback. So please install them from dev.centos.org, test them and provide feedback here >:)
Like I said before, the smbk5pwd overlay does not work for me.
If there is anything I can do in order to provide some good debug information, let me know.
I added the testing repository and then did a "yum update", followed by a "yum install openldap-overlays". Here's what I have installed now:
root@ldap-01# yum list installed 'openldap*'
Loaded plugins: fastestmirror
openldap.i386 2.3.27-8.el5_2.4.centos installed
openldap-clients.i386 2.3.27-8.el5_2.4.centos installed
openldap-overlays.i386 2.3.27-8.el5_2.4.centos installed
openldap-servers.i386 2.3.27-8.el5_2.4.centos installed
I added the following to my /etc/openldap/slapd.conf:
Now when I start OpenLDAP, I get:
root@ldap-01# /etc/init.d/ldap start
Checking configuration files for slapd: overlay "auditlog" not found
slaptest: bad configuration file!
I don't see anything in the man pages that let me specify a search path for overlays, but the overlay file is indeed installed:
root@ldap-01# locate auditlog
Range: Works great for me.
TimmerCA: You need to explicitly load the overlay modules. My slapd.conf has a section right near the top that reads:
# Load overlay modules:
This is followed later by an instantiation of the overlay in a database section, as your example shows.
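The failure and fix discussed in the two notes above, as an added example that is not part of the original thread: a small Python check that reports every `overlay` directive in a slapd.conf that has no earlier `moduleload`, which is the condition behind `overlay "auditlog" not found`. The sample configuration is constructed, and the check assumes each overlay is built as a loadable module named after the overlay, as in the openldap-overlays package.

```python
import os

# Constructed sample (not from the thread): ppolicy is loaded before use,
# auditlog is instantiated without a matching moduleload.
SAMPLE_SLAPD_CONF = """\
modulepath /usr/lib/openldap
moduleload ppolicy.la

database bdb
suffix "dc=example,dc=com"
overlay ppolicy
overlay auditlog
"""

def logical_lines(conf_text):
    """Yield (line_no, text), skipping comments and blank lines and joining
    continuation lines (those that start with whitespace) to their parent."""
    current = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0] in " \t" and current:
            current[1] += " " + raw.strip()
            continue
        if current:
            yield tuple(current)
        current = [line_no, raw.strip()]
    if current:
        yield tuple(current)

def unloaded_overlays(conf_text):
    """Return (line_no, overlay) for each overlay with no earlier moduleload.
    Assumption: every overlay is a module whose file name matches its name;
    a statically linked overlay would show up as a false positive."""
    loaded, problems = set(), []
    for line_no, text in logical_lines(conf_text):
        fields = text.split()
        if len(fields) < 2:
            continue
        keyword, arg = fields[0].lower(), fields[1].strip('"')
        if keyword == "moduleload":
            loaded.add(os.path.splitext(os.path.basename(arg))[0])
        elif keyword == "overlay" and arg not in loaded:
            problems.append((line_no, arg))
    return problems

if __name__ == "__main__":
    for line_no, name in unloaded_overlays(SAMPLE_SLAPD_CONF):
        print(f"line {line_no}: overlay {name!r} has no earlier moduleload")
```

Because slapd.conf is read top to bottom, a `moduleload` placed after the `overlay` line it serves is reported as well.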
Brandond, thanks that fixed it.
I am now running OpenLDAP with the accesslog, auditlog and ppolicy modules activated and they all appear to be running properly. I'm going to try to devise a stress test of the server tomorrow to see how it acts under load, but it seems like we're good to go right now.
I have tested these openldap RPMs and configured both the accesslog and auditlog overlays. Both seem to be working properly.
It looks like 5.3 is going to include the ppolicy package by default
This will be fixed in 5.3 - upstream has released a policy package while also rebasing openldap to a newer version.
This means that there will be no smbk5pwd. I'm thinking about how this can be put into some other package.
|2007-11-28 20:39||posiczko||New Issue|
|2007-12-06 01:05||jsaintro||File Added: patch.ppolicy|
|2007-12-06 01:06||jsaintro||Note Added: 0006487|
|2008-04-03 15:48||range||Relationship added||has duplicate 0002517|
|2008-04-03 15:49||range||Relationship added||has duplicate 0002774|
|2008-04-03 15:56||range||Note Added: 0007085|
|2008-04-03 15:57||range||Note Added: 0007086|
|2008-04-03 16:18||jsaintro||Note Added: 0007089|
|2008-04-04 06:58||kRocKodile||Note Added: 0007092|
|2008-04-04 13:44||range||Note Added: 0007094|
|2008-04-05 07:51||johan||Note Added: 0007100|
|2008-04-07 10:41||range||Note Added: 0007106|
|2008-04-07 10:42||range||Status||new => feedback|
|2008-04-07 10:44||range||Note Added: 0007109|
|2008-05-22 15:01||timverhoeven||Note Added: 0007313|
|2008-05-24 08:56||johan||Note Added: 0007330|
|2008-07-04 08:07||galens||Note Added: 0007568|
|2008-07-04 08:41||range||Note Added: 0007569|
|2008-08-12 04:15||fr0w||Note Added: 0007829|
|2008-09-24 22:10||brandond||Note Added: 0008035|
|2008-09-24 22:21||range||Note Added: 0008036|
|2008-10-21 00:00||TimmerCA||Note Added: 0008169|
|2008-10-21 08:25||range||Note Added: 0008171|
|2008-10-21 12:22||fr0w||Note Added: 0008172|
|2008-10-21 18:14||TimmerCA||Note Added: 0008173|
|2008-10-21 20:20||brandond||Note Added: 0008174|
|2008-10-23 03:54||TimmerCA||Note Added: 0008184|
|2008-11-23 10:55||johan||Note Added: 0008316|
|2008-11-23 13:40||range||Note Added: 0008317|
|2009-01-21 10:03||range||Status||feedback => closed|
|2009-01-21 10:03||range||Note Added: 0008605|
|2009-01-21 10:03||range||Resolution||open => fixed|