[Date Prev][Date Next]
Re: pesky ppolicy problems
Metcalf, Roger wrote:
I am trying to use the ppolicy overlay. I've searched, read andSetting "--enable-overlays=mod" turns on all of the overlays, building them
as dynamically loadable modules. However, setting "--enable-ppolicy=yes"
overrides that setting, and causes the ppolicy overlay to be built
statically. For slapd backends and overlays, "yes" means build the feature
and build it statically. "mod" means build the feature and build it dynamically.
experimented and can't get it to work.
I've read other similar postings with similar problems but haven't found the
one with the answer.
My OpenLDAP knowledge is intermediate.
I download 2.3.27, then build it:
env LIBS="-L/usr/bin" \
make depend &&
I include ppolicy in slapd.conf.
ppolicy_default "cn=Standard Policy,ou=Policies,c=us"
Without seeing more context from your slapd.conf, I'd guess you've put the
overlay configuration in the wrong place.
I have tried with and without modulepath and moduleload. I suspect they are
not needed but am not sure.
As the slapd.conf(5) manpage states, these directives are only needed for
access to dynamically loaded modules. Since you configured ppolicy static,
this moduleload directive will fail.
I have created a policy structure in my repository.
I don't really care if ppolicy is statically or dynamically loaded, I just
want it to be available!
The problem may be that I really don't get the meaning or dependencies of
enable-dynamic, enable-modules, enable-overlays, enable-static,
Have you tried "configure --help" already? --enable-shared and
--enable-static are standard options on most autoconf-based software. If you
don't understand these, you can find them in the autoconf documentation. If
you don't understand the significance of static libraries vs shared
libraries, you need to do some reading on computing basics. Teaching those
basics is way outside the scope of OpenLDAP.
--enable-dynamic is explained clearly in configure --help:
--enable-dynamic enable linking built binaries with dynamic libs [no]
The default "no" means that by default, the OpenLDAP binaries will be linked
with static libraries. Whether or not you actually enable the creation of
shared libraries, only the static ones will be used.
--enable-modules enable dynamic module support [no]
This should be fairly obvious too - if you don't enable this, then OpenLDAP
cannot use dynamically loaded modules. And slapd.conf(5) also says pretty
Specify the name of a dynamically loadable module to load.
... This option and the modulepath option are
only usable if slapd was compiled with --enable-modules.
--enable-overlays enable all available overlays no|yes|mod
I already explained this above.
My goal is simple : to get ppolicy working in the simplest way.
/etc/init.d/ldap start --
WARNING: No dynamic config support for overlay ppolicy.
This apparently is more than just a "warning" because startup fails.
No, it's just a warning, and has nothing to do with your other problems.
I figured Symas CDS silver would work, so I downloaded it, commented out the
line 234 (overlay ppolicy)
overlay "ppolicy" not found
/opt/symas/etc/openldap/slapd.conf: line 234: <overlay> handler
exited with 1!
Last time I checked, we don't bundle the ppolicy overlay in CDS Silver. You
need to subscribe to CDS Gold to get all of the overlays. So naturally it
would not be found.
What makes this all the more frustrating is that test022-ppolicy appears to
I have examined its .conf file and environment variables, etc and can't
extract the secret.
There are no secrets. You just have to actually read and pay attention to the
I recall reading somewhere that human speech naturally involves a great deal
of redundancy, which allows people to hear and comprehend each other even in
very noisy environments. The same applies to written text; you can drop most
vowels and even a lot of consonants from written English and still be understood.
The same is not true for computer software. If you omit or misplace even a
single character the entire meaning is lost. Likewise in the documentation,
if you skim it or skip even a single sentence then you'll have missed a
One of the basic recipes for public speaking is "tell them what you're going
to tell them, tell them, then tell them what you told them." Again,
redundancy is built in. We don't have the time or resources to be so
redundant in writing the documentation. We write the essential information
once, and every word is relevant. Life is too short, we don't have time to
repeat what has already been written.
Quanah has already responded to the rest of this email, so I'll stop here.
1) Where is ppolicy.la located?
2) Does it need to be loaded?
3) Where is the path to it specified?
4) When are moduleload specs needed?
5) Are env variables needed to find ppolicy.la?
6) What's the secret?
7) When will the book be published?
All advice welcome.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/