OpenLDAP
Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest

Viewing Contrib/6238
Full headers

From: jonathan@phillipoux.net
Subject: contrib: lastbind overlay to record timestamp of last successful bind
Compose comment
Download message
State:
0 replies:
17 followups: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

Major security issue: yes  no

Notes:

Notification:


Date: Thu, 30 Jul 2009 12:50:34 +0000
From: jonathan@phillipoux.net
To: openldap-its@OpenLDAP.org
Subject: contrib: lastbind overlay to record timestamp of last successful bind
Full_Name: Jonathan Clarke
Version: RE24
OS: 
URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
Submission from: (NULL) (82.67.204.30)


Hi,

Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that
intercepts successful binds and records the current timestamp in an attribute
named "bindTimestamp" in the bound-to entry. It's original use-case is to detect
unused accounts.

A configuration parameter (olcLastBindPrecision) allows to set a minimum
precision for the timestamp (ie, don't update the timestamp unless it's older
than <n> seconds). This avoids a performance hit from many unnecessary
writes in
case there are many binds per minute/hour/day/week/etc.

Of course, the behaviour this overlay implements is not described in any RFC, or
other. However, it closely resembles some of the functionality from the password
policy overlay, and similar functionality already exists in other LDAP servers.

I post it here in the hope that it may serve others, and in case the OpenLDAP
wishes to include it in one form or another. I would most appreciate any
comments or feedback.

Regards,
Jonathan

PS: please note that the OIDs used are not registered, but used temporarily. I
do not currently have access to a registered OID to use.

Followup 1

Download message
Date: Thu, 30 Jul 2009 16:08:10 +0200
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
To: jonathan@phillipoux.net
CC: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
jonathan@phillipoux.net wrote:
> Full_Name: Jonathan Clarke
> Version: RE24
> OS: 
> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
> Submission from: (NULL) (82.67.204.30)
> 
> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that
> intercepts successful binds and records the current timestamp in an
attribute
> named "bindTimestamp" in the bound-to entry. It's original use-case is to
detect
> unused accounts.

Detecting unused accounts can also somewhat achieved by using
slapo-accesslog with configuration directive "logops session". Still I
see some value for such an simple overlay.

> A configuration parameter (olcLastBindPrecision) allows to set a minimum
> precision for the timestamp (ie, don't update the timestamp unless it's
older
> than <n> seconds). This avoids a performance hit from many
unnecessary writes in
> case there are many binds per minute/hour/day/week/etc.

Things to consider:

Is this attribute supposed to be replicated?

How about adding configuration paramters so you can specify 1. the
attribute type used and 2. the datetime format. This could be handy in
situations where you want to mimique the behaviour of other LDAP servers.

Ciao, Michael.



Followup 2

Download message
Date: Fri, 10 Dec 2010 14:42:58 +0000
From: Jonathan Clarke <jonathan@phillipoux.net>
To: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
On 30/07/09 13:50, jonathan@phillipoux.net wrote:
> Full_Name: Jonathan Clarke
> Version: RE24
> OS: 
> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
> Submission from: (NULL) (82.67.204.30)
> 
> 
> Hi,
> 
> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that
> intercepts successful binds and records the current timestamp in an
attribute
> named "bindTimestamp" in the bound-to entry. It's original use-case is to
detect
> unused accounts.
> 
> A configuration parameter (olcLastBindPrecision) allows to set a minimum
> precision for the timestamp (ie, don't update the timestamp unless it's
older
> than <n> seconds). This avoids a performance hit from many
unnecessary writes in
> case there are many binds per minute/hour/day/week/etc.
> 
> Of course, the behaviour this overlay implements is not described in any
RFC, or
> other. However, it closely resembles some of the functionality from the
password
> policy overlay, and similar functionality already exists in other LDAP
servers.
> 
> I post it here in the hope that it may serve others, and in case the
OpenLDAP
> wishes to include it in one form or another. I would most appreciate any
> comments or feedback.
> 
> Regards,
> Jonathan
> 
> PS: please note that the OIDs used are not registered, but used
temporarily. I
> do not currently have access to a registered OID to use.

To respond to an off-list request, I'd like to add an IPR notice to this
contribution:

The above mentioned files are derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the files were
developed by Jonathan Clarke <jonathan@phillipoux.net>. I have not
assigned rights and/or interest in this work to any party.

Hope this is the right wording...

Jonathan



Followup 3

Download message
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Fri, 10 Dec 2010 06:53:22 -0800
Cc: openldap-its@OpenLDAP.org
To: jonathan@phillipoux.net
On Dec 10, 2010, at 6:43 AM, jonathan@phillipoux.net wrote:

> I'd like to add an IPR notice to this
> contribution:

I note that you only provide half the notice.  A complete notice would =
be followed by a statement of what license the contribution is provided =
under.

-- Kurt=



Followup 4

Download message
Date: Fri, 10 Dec 2010 14:55:45 +0000
From: Jonathan Clarke <jonathan@phillipoux.net>
To: Kurt Zeilenga <Kurt@OpenLDAP.org>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
On 10/12/10 14:53, Kurt Zeilenga wrote:
> 
> On Dec 10, 2010, at 6:43 AM, jonathan@phillipoux.net wrote:
> 
>> I'd like to add an IPR notice to this
>> contribution:
> 
> I note that you only provide half the notice.  A complete notice would be
followed by a statement of what license the contribution is provided under.

Ah, the licence is included in the files, but I repeat it here for clarity:

 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.

Jonathan



Followup 5

Download message
Date: Fri, 10 Dec 2010 09:14:27 -0800
From: Howard Chu <hyc@symas.com>
To: jonathan@phillipoux.net
CC: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
jonathan@phillipoux.net wrote:
> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>> Full_Name: Jonathan Clarke
>> Version: RE24
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>> Submission from: (NULL) (82.67.204.30)
>>
>>
>> Hi,
>>
>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that
>> intercepts successful binds and records the current timestamp in an
attribute
>> named "bindTimestamp" in the bound-to entry. It's original use-case is
to detect
>> unused accounts.
>>
>> A configuration parameter (olcLastBindPrecision) allows to set a
minimum
>> precision for the timestamp (ie, don't update the timestamp unless it's
older
>> than<n>  seconds). This avoids a performance hit from many
unnecessary writes in
>> case there are many binds per minute/hour/day/week/etc.
>>
>> Of course, the behaviour this overlay implements is not described in
any RFC, or
>> other. However, it closely resembles some of the functionality from the
password
>> policy overlay, and similar functionality already exists in other LDAP
servers.

There is an equivalent attribute defined in the latest ppolicy draft. Perhaps 
you could use that. Or just submit a patch to incorporate this feature into 
the current ppoloicy overlay.
>>
>> I post it here in the hope that it may serve others, and in case the
OpenLDAP
>> wishes to include it in one form or another. I would most appreciate
any
>> comments or feedback.


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 6

Download message
Date: Fri, 10 Dec 2010 18:37:23 +0000
From: Jonathan Clarke <jonathan@phillipoux.net>
To: Howard Chu <hyc@symas.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
On 10/12/10 17:14, Howard Chu wrote:
> jonathan@phillipoux.net wrote:
>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>> Full_Name: Jonathan Clarke
>>> Version: RE24
>>> OS:
>>> URL:
>>> ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>> Submission from: (NULL) (82.67.204.30)
>>>
>>>
>>> Hi,
>>>
>>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4,
that
>>> intercepts successful binds and records the current timestamp in an
>>> attribute
>>> named "bindTimestamp" in the bound-to entry. It's original use-case
>>> is to detect
>>> unused accounts.
>>>
>>> A configuration parameter (olcLastBindPrecision) allows to set a
minimum
>>> precision for the timestamp (ie, don't update the timestamp unless
>>> it's older
>>> than<n>  seconds). This avoids a performance hit from many
>>> unnecessary writes in
>>> case there are many binds per minute/hour/day/week/etc.
>>>
>>> Of course, the behaviour this overlay implements is not described
in
>>> any RFC, or
>>> other. However, it closely resembles some of the functionality from
>>> the password
>>> policy overlay, and similar functionality already exists in other
>>> LDAP servers.
> 
> There is an equivalent attribute defined in the latest ppolicy draft.
> Perhaps you could use that. Or just submit a patch to incorporate this
> feature into the current ppoloicy overlay.

Indeed. At the time I wrote this overlay, I think the ppolicy draft was
not yet finished or at least I wasn't aware of it. My client at the time
found it useful to just add this simple overlay, without worrying about
configuring ppolicy.

Since then, I actually haven't had any time to work on this overlay, but
today Michael expressed an interest in it, asking for a public IPR
notice, thus the "thread revival".

I hope to pick it up in the future, and at that point possibly submit a
patch for ppolicy also, as you suggest.

Regards,
Jonathan



Followup 7

Download message
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Fri, 10 Dec 2010 10:58:20 -0800
Cc: openldap-its@OpenLDAP.org
To: jonathan@phillipoux.net
On Dec 10, 2010, at 10:37 AM, jonathan@phillipoux.net wrote:

> On 10/12/10 17:14, Howard Chu wrote:
>> jonathan@phillipoux.net wrote:
>>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>>> Full_Name: Jonathan Clarke
>>>> Version: RE24
>>>> OS:
>>>> URL:
>>>> =
ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>>> Submission from: (NULL) (82.67.204.30)
>>>>=20
>>>>=20
>>>> Hi,
>>>>=20
>>>> Please find, at the above URL, an overlay, built for OpenLDAP
2.4, =
that
>>>> intercepts successful binds and records the current timestamp
in an
>>>> attribute
>>>> named "bindTimestamp" in the bound-to entry. It's original
use-case
>>>> is to detect
>>>> unused accounts.
>>>>=20
>>>> A configuration parameter (olcLastBindPrecision) allows to set
a =
minimum
>>>> precision for the timestamp (ie, don't update the timestamp
unless
>>>> it's older
>>>> than<n>  seconds). This avoids a performance hit from
many
>>>> unnecessary writes in
>>>> case there are many binds per minute/hour/day/week/etc.
>>>>=20
>>>> Of course, the behaviour this overlay implements is not
described =
in
>>>> any RFC, or
>>>> other. However, it closely resembles some of the functionality
from
>>>> the password
>>>> policy overlay, and similar functionality already exists in
other
>>>> LDAP servers.
>>=20
>> There is an equivalent attribute defined in the latest ppolicy draft.
>> Perhaps you could use that.

That attribute is last successful password authentication, not last =
authentication by any means.

For the latter, I suggest a separate attribute.  At Isode, we use an =
authTimestamp dsaOperational attribute for this.

It's wise to have the updating of this attribute off by default.

>> Or just submit a patch to incorporate this
>> feature into the current ppoloicy overlay.
>=20
> Indeed. At the time I wrote this overlay, I think the ppolicy draft =
was
> not yet finished or at least I wasn't aware of it. My client at the =
time
> found it useful to just add this simple overlay, without worrying =
about
> configuring ppolicy.
>=20
> Since then, I actually haven't had any time to work on this overlay, =
but
> today Michael expressed an interest in it, asking for a public IPR
> notice, thus the "thread revival".
>=20
> I hope to pick it up in the future, and at that point possibly submit =
a
> patch for ppolicy also, as you suggest.
>=20
> Regards,
> Jonathan
>=20
>=20



Followup 8

Download message
Date: Fri, 10 Dec 2010 12:02:28 -0800
From: Howard Chu <hyc@symas.com>
To: Kurt@OpenLDAP.org
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
Kurt@OpenLDAP.org wrote:
> On Dec 10, 2010, at 10:37 AM, jonathan@phillipoux.net wrote:
>
>> On 10/12/10 17:14, Howard Chu wrote:
>>> jonathan@phillipoux.net wrote:
>>>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>>>> Full_Name: Jonathan Clarke
>>>>> Version: RE24
>>>>> OS:
>>>>> URL:
>>>>> =
> ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>>>> Submission from: (NULL) (82.67.204.30)
>>>>> =20
>>>>> =20
>>>>> Hi,
>>>>> =20
>>>>> Please find, at the above URL, an overlay, built for
OpenLDAP 2.4, =
> that
>>>>> intercepts successful binds and records the current
timestamp in an
>>>>> attribute
>>>>> named "bindTimestamp" in the bound-to entry. It's original
use-case
>>>>> is to detect
>>>>> unused accounts.
>>>>> =20
>>>>> A configuration parameter (olcLastBindPrecision) allows to
set a =
> minimum
>>>>> precision for the timestamp (ie, don't update the timestamp
unless
>>>>> it's older
>>>>> than<n>   seconds). This avoids a performance hit
from many
>>>>> unnecessary writes in
>>>>> case there are many binds per minute/hour/day/week/etc.
>>>>> =20
>>>>> Of course, the behaviour this overlay implements is not
described =
> in
>>>>> any RFC, or
>>>>> other. However, it closely resembles some of the
functionality from
>>>>> the password
>>>>> policy overlay, and similar functionality already exists in
other
>>>>> LDAP servers.
>>> =20
>>> There is an equivalent attribute defined in the latest ppolicy
draft.
>>> Perhaps you could use that.
>
> That attribute is last successful password authentication, not last =
> authentication by any means.
>
> For the latter, I suggest a separate attribute.  At Isode, we use an =
> authTimestamp dsaOperational attribute for this.
>
> It's wise to have the updating of this attribute off by default.

Good point. In that case it's probably fine as a separate overlay, the way it 
is now. Can we use the schema definition that Isode is using?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 9

Download message
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Fri, 10 Dec 2010 12:18:55 -0800
Cc: openldap-its@OpenLDAP.org
To: Howard Chu <hyc@symas.com>
On Dec 10, 2010, at 12:02 PM, Howard Chu wrote:

> Good point. In that case it's probably fine as a separate overlay, the =
way it is now. Can we use the schema definition that Isode is using?

Not only yes, but hell yes.  Reuse and convergence is a good thing.

( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp'
	DESC 'last successful authentication using any method/mech'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )

And we use this attribute in our configuration object to enable/disable =
(default disabled).

( 1.3.6.1.4.1.453.16.2.189 NAME 'authTimestamps'
	DESC 'enable recording of last successful authentication using =
any method/mech'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE USAGE dsaOperation )





Followup 10

Download message
Date: Sat, 11 Dec 2010 02:16:25 +0100
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
To: Kurt@OpenLDAP.org
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
Kurt@OpenLDAP.org wrote:
> ( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp'
> 	DESC 'last successful authentication using any method/mech'
>         EQUALITY generalizedTimeMatch
>         ORDERING generalizedTimeOrderingMatch
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>         SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )
> 
> And we use this attribute in our configuration object to enable/disable =
> (default disabled).
> 
> ( 1.3.6.1.4.1.453.16.2.189 NAME 'authTimestamps'
> 	DESC 'enable recording of last successful authentication using =
> any method/mech'
>         EQUALITY booleanMatch
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>         SINGLE-VALUE USAGE dsaOperation )

Hmm, isn't NAME of the second a little bit confusing since it sounds like just
the plural of the first?

Ciao, Michael.



Followup 11

Download message
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Fri, 10 Dec 2010 18:22:04 -0800
Cc: openldap-its@OpenLDAP.org
To: =?iso-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
On Dec 10, 2010, at 5:16 PM, Michael Str=F6der wrote:

> Kurt@OpenLDAP.org wrote:
>> ( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp'
>> 	DESC 'last successful authentication using any method/mech'
>>        EQUALITY generalizedTimeMatch
>>        ORDERING generalizedTimeOrderingMatch
>>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>>        SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )
>>=20
>> And we use this attribute in our configuration object to =
enable/disable =3D
>> (default disabled).
>>=20
>> ( 1.3.6.1.4.1.453.16.2.189 NAME 'authTimestamps'
>> 	DESC 'enable recording of last successful authentication using =3D=

>> any method/mech'
>>        EQUALITY booleanMatch
>>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>>        SINGLE-VALUE USAGE dsaOperation )
>=20
> Hmm, isn't NAME of the second a little bit confusing since it sounds =
like just
> the plural of the first?

Names should only be for the wire, the wire doesn't get confused.

-- Kurt=



Followup 12

Download message
Date: Mon, 13 Dec 2010 17:30:48 +0100
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
Could we have this overlay in contrib/ shipped with 2.4.24?
That would be really nice.

I've tested it with 2.4.23 and it still seems to work.



Followup 13

Download message
Date: Fri, 04 Feb 2011 15:36:57 -0800
From: Howard Chu <hyc@symas.com>
To: michael@stroeder.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
michael@stroeder.com wrote:
> Could we have this overlay in contrib/ shipped with 2.4.24?
> That would be really nice.
>
> I've tested it with 2.4.23 and it still seems to work.

Committed with changes in HEAD.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 14

Download message
Date: Sat, 05 Feb 2011 18:31:49 +0100
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
To: hyc@symas.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
This is a multi-part message in MIME format.
--------------010407040507050306070700
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

hyc@symas.com wrote:
> michael@stroeder.com wrote:
>> Could we have this overlay in contrib/ shipped with 2.4.24?
>> That would be really nice.
>>
>> I've tested it with 2.4.23 and it still seems to work.
> 
> Committed with changes in HEAD.

Also in RE24. Thanks a lot!

Any objections adding a slightly more complete Makefile (see attachment)?

Ciao, Michael.

--------------010407040507050306070700
Content-Type: text/plain;
 name="Makefile.lastbind"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="Makefile.lastbind"

# Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted only as authorized by the OpenLDAP
# Public License.
#
# A copy of this license is available in the file LICENSE in the
# top-level directory of the distribution or, alternatively, at
# <http://www.OpenLDAP.org/license.html>.

PREFIX=/opt/openldap-RE24

CPPFLAGS+=-I../../../include -I../../../servers/slapd 
CPPFLAGS+=-DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC
#LIBTOOL=libtool
LIBTOOL=../../../libtool
OPT=-g -O2
CC=gcc


all: lastbind.la

lastbind.lo:    lastbind.c
	$(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) -Wall -c $?

lastbind.la:    lastbind.lo
	$(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \
		   -rpath $(PREFIX)/lib -module -o $@ $?

clean:
	rm -rf lastbind.lo lastbind.la lastbind.o .libs/

install: lastbind.la
	mkdir -p $(PREFIX)/libexec/openldap
	$(LIBTOOL) --mode=install cp lastbind.la $(PREFIX)/libexec/openldap
	$(LIBTOOL) --finish $(PREFIX)/libexec/openldap

--------------010407040507050306070700--



Followup 15

Download message
Date: Mon, 07 Feb 2011 06:31:04 -0800
From: Howard Chu <hyc@symas.com>
To: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
Michael Str.der wrote:
> hyc@symas.com wrote:
>> michael@stroeder.com wrote:
>>> Could we have this overlay in contrib/ shipped with 2.4.24?
>>> That would be really nice.
>>>
>>> I've tested it with 2.4.23 and it still seems to work.
>>
>> Committed with changes in HEAD.
>
> Also in RE24. Thanks a lot!
>
> Any objections adding a slightly more complete Makefile (see attachment)?

Yes, several objections. Post diffs that can be applied by the "patch" 
command, not the complete file. If you're going to add more rules, make them 
conform to the standard Makefiles. E.g. the correct macro is "prefix" not 
"PREFIX". Post diffs that actually work, your "OPT" macro is never referenced 
anywhere else in the Makefile so it's useless. The default prefix is always 
/usr/local. You can use whatever prefix you like in your personal copy, but 
stick with the defaults on anything you submit to us.

> Ciao, Michael.
>
>
> Makefile.lastbind
>
>
> # Copyright 2009 Jonathan Clarke<jonathan@phillipoux.net>.
> # All rights reserved.
> #
> # Redistribution and use in source and binary forms, with or without
> # modification, are permitted only as authorized by the OpenLDAP
> # Public License.
> #
> # A copy of this license is available in the file LICENSE in the
> # top-level directory of the distribution or, alternatively, at
> #<http://www.OpenLDAP.org/license.html>.
>
> PREFIX=/opt/openldap-RE24
>
> CPPFLAGS+=-I../../../include -I../../../servers/slapd
> CPPFLAGS+=-DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC
> #LIBTOOL=libtool
> LIBTOOL=../../../libtool
> OPT=-g -O2
> CC=gcc
>
>
> all: lastbind.la
>
> lastbind.lo:    lastbind.c
> 	$(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) -Wall -c $?
>
> lastbind.la:    lastbind.lo
> 	$(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \
> 		   -rpath $(PREFIX)/lib -module -o $@ $?
>
> clean:
> 	rm -rf lastbind.lo lastbind.la lastbind.o .libs/
>
> install: lastbind.la
> 	mkdir -p $(PREFIX)/libexec/openldap
> 	$(LIBTOOL) --mode=install cp lastbind.la $(PREFIX)/libexec/openldap
> 	$(LIBTOOL) --finish $(PREFIX)/libexec/openldap


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 16

Download message
Date: Mon, 07 Feb 2011 21:37:17 +0100
From: Jonathan Clarke <jonathan@phillipoux.net>
To: hyc@symas.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
Le 05/02/2011 00:37, hyc@symas.com a .crit :
> michael@stroeder.com wrote:
>> Could we have this overlay in contrib/ shipped with 2.4.24?
>> That would be really nice.
>>
>> I've tested it with 2.4.23 and it still seems to work.
> 
> Committed with changes in HEAD.

Howard,

Thanks for taking the time to clean this up and commit it.

Jonathan
-- 
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------



Followup 17

Download message
Date: Tue, 15 Feb 2011 15:49:24 +0100
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last
 successful bind
Howard Chu wrote:
> Yes, several objections. Post diffs that can be applied by the "patch"
> command, not the complete file. 

See below.

> If you're going to add more rules, make
> them conform to the standard Makefiles. E.g. the correct macro is
> "prefix" not "PREFIX".

Not consequently used in contrib/slapd-modules/. Therefore I didn't know this.

Ciao, Michael.

Index: Makefile
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/contrib/slapd-modules/lastbind/Makefile,v
retrieving revision 1.2.2.2
diff -u -r1.2.2.2 Makefile
--- Makefile	4 Feb 2011 23:39:17 -0000	1.2.2.2
+++ Makefile	15 Feb 2011 14:48:30 -0000
@@ -10,6 +10,8 @@
 # top-level directory of the distribution or, alternatively, at
 # <http://www.OpenLDAP.org/license.html>.

+prefix=/usr/local
+
 CPPFLAGS+=-I../../../include -I../../../servers/slapd
 CPPFLAGS+=-DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC
 #LIBTOOL=libtool
@@ -23,7 +25,12 @@

 lastbind.la:    lastbind.lo
 	$(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \
-		   -rpath $(PREFIX)/lib -module -o $@ $?
+		   -rpath $(prefix)/lib -module -o $@ $?

 clean:
 	rm -rf lastbind.lo lastbind.la lastbind.o .libs/
+
+install: lastbind.la
+	mkdir -p $(prefix)/libexec/openldap
+	$(LIBTOOL) --mode=install cp lastbind.la $(prefix)/libexec/openldap
+	$(LIBTOOL) --finish $(prefix)/libexec/openldap


Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org