Re: pesky ppolicy problems

[Howard Chu <hyc@symas.com>]

Metcalf, Roger wrote:
> I am trying to use the ppolicy overlay.  I've searched, read and
> experimented and can't get it to work.  
> I've read other similar postings with similar problems but haven't found the
> one with the answer.
>
> My OpenLDAP knowledge is intermediate.
>
> I download 2.3.27, then build it:
>
> 	env LIBS="-L/usr/bin" \
> 	./configure \
> 	--prefix=/usr/local \
> 	--libdir=/usr/local/lib \
> 	--sbindir=/usr/sbin \
> 	--libexecdir=/usr/sbin \
> 	--sysconfdir=/etc \
> 	--localstatedir=/var/lib/ldap \
> 	--enable-overlays=mod \
> 	--enable-dynamic=yes \
> 	--enable-modules=yes \
> 	--enable-ppolicy=yes &&
> 	make depend &&
> 	make
Setting "--enable-overlays=mod" turns on all of the overlays, building them 
as dynamically loadable modules. However, setting "--enable-ppolicy=yes" 
overrides that setting, and causes the ppolicy overlay to be built 
statically. For slapd backends and overlays, "yes" means build the feature 
and build it statically. "mod" means build the feature and build it dynamically.

> I include ppolicy in slapd.conf.
>
> 	include         /etc/openldap/schema/ppolicy.schema
> 	overlay   ppolicy
> 	ppolicy_default	"cn=Standard Policy,ou=Policies,c=us"
> 	ppolicy_hash_cleartext
> 	ppolicy_use_lockout

Without seeing more context from your slapd.conf, I'd guess you've put the 
overlay configuration in the wrong place.

> I have tried with and without modulepath and moduleload.  I suspect they are
> not needed but am not sure.
>
> 	modulepath      /usr/sbin
> 	moduleload	ppolicy.la

As the slapd.conf(5) manpage states, these directives are only needed for 
access to dynamically loaded modules. Since you configured ppolicy static, 
this moduleload directive will fail.

> I have created a policy structure in my repository.
>
> I don't really care if ppolicy is statically or dynamically loaded, I just
> want it to be available!
> The problem may be that I really don't get the meaning or dependencies of
> enable-dynamic, enable-modules, enable-overlays, enable-static,
> enable-shared.

Have you tried "configure --help" already? --enable-shared and 
--enable-static are standard options on most autoconf-based software. If you 
don't understand these, you can find them in the autoconf documentation. If 
you don't understand the significance of static libraries vs shared 
libraries, you need to do some reading on computing basics. Teaching those 
basics is way outside the scope of OpenLDAP.

--enable-dynamic is explained clearly in configure --help:
  --enable-dynamic        enable linking built binaries with dynamic libs [no]
The default "no" means that by default, the OpenLDAP binaries will be linked 
with static libraries. Whether or not you actually enable the creation of 
shared libraries, only the static ones will be used.

   --enable-modules      enable dynamic module support [no]
This should be fairly obvious too - if you don't enable this, then OpenLDAP 
cannot use dynamically loaded modules. And slapd.conf(5) also says pretty 
clearly:
       moduleload <filename>
              Specify the name of a dynamically loadable module to  load.
              ... This option and the modulepath option are
              only usable if slapd was compiled with --enable-modules.

   --enable-overlays     enable all available overlays no|yes|mod
I already explained this above.

> My goal is simple : to get ppolicy working in the simplest way.
>
> Problems:
>
> /etc/init.d/ldap start --
>
> 	WARNING: No dynamic config support for overlay ppolicy.
>
> This apparently is more than just a "warning" because startup fails.

No, it's just a warning, and has nothing to do with your other problems.

> I figured Symas CDS silver would work, so I downloaded it, commented out the
> ppolicy lines:

> 	line 234 (overlay	ppolicy)
> 	overlay "ppolicy" not found
> 	/opt/symas/etc/openldap/slapd.conf: line 234: <overlay> handler
> exited with 1!

Last time I checked, we don't bundle the ppolicy overlay in CDS Silver. You 
need to subscribe to CDS Gold to get all of the overlays. So naturally it 
would not be found.

> What makes this all the more frustrating is that test022-ppolicy appears to
> work fine.
> I have examined its .conf file and environment variables, etc and can't
> extract the secret.

There are no secrets. You just have to actually read and pay attention to the 
details.

I recall reading somewhere that human speech naturally involves a great deal 
of redundancy, which allows people to hear and comprehend each other even in 
very noisy environments. The same applies to written text; you can drop most 
vowels and even a lot of consonants from written English and still be understood.

The same is not true for computer software. If you omit or misplace even a 
single character the entire meaning is lost. Likewise in the documentation, 
if you skim it or skip even a single sentence then you'll have missed a 
crucial point.

One of the basic recipes for public speaking is "tell them what you're going 
to tell them, tell them, then tell them what you told them." Again, 
redundancy is built in. We don't have the time or resources to be so 
redundant in writing the documentation. We write the essential information 
once, and every word is relevant. Life is too short, we don't have time to 
repeat what has already been written.

Quanah has already responded to the rest of this email, so I'll stop here.

> Questions:
>
> 1) Where is ppolicy.la located?
> 2) Does it need to be loaded?
> 3) Where is the path to it specified?
> 4) When are moduleload specs needed?
> 5) Are env variables needed to find ppolicy.la?
> 6) What's the secret?
> 7) When will the book be published?
>
> All advice welcome.
>
> Thanks,
> Roger Metcalf

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/