Package: slapd
Version: 2.4.31-1+nmu2

(note: some long command lines might be line wrapped, hopefully this isn't a big problem)

If I do the following on a clean wheezy chroot:

PS1='# '
# debconf-set-selections debconf.conf
# apt-get install slapd ldap-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libslp1 libwrap0 psmisc
Suggested packages:
  libmyodbc odbc-postgresql tdsodbc unixodbc-bin slpd openslp-doc
Recommended packages:
  libsasl2-modules tcpd
The following NEW packages will be installed:
  ldap-utils libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libslp1 libwrap0 psmisc slapd
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 3329 kB of archives.
After this operation, 7583 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://hq.in.vpac.org/debian/ wheezy/main libsasl2-2 amd64 2.1.25.dfsg1-6+deb7u1 [120 kB]
Get:2 http://hq.in.vpac.org/debian/ wheezy/main libldap-2.4-2 amd64 2.4.31-1+nmu2 [243 kB]
Get:3 http://hq.in.vpac.org/debian/ wheezy/main libwrap0 amd64 7.6.q-24 [62.4 kB]
Get:4 http://hq.in.vpac.org/debian/ wheezy/main libltdl7 amd64 2.4.2-1.1 [352 kB]
Get:5 http://hq.in.vpac.org/debian/ wheezy/main libodbc1 amd64 2.2.14p2-5 [252 kB]
Get:6 http://hq.in.vpac.org/debian/ wheezy/main libperl5.14 amd64 5.14.2-21 [1174 B]
Get:7 http://hq.in.vpac.org/debian/ wheezy/main libslp1 amd64 1.2.1-9 [50.8 kB]
Get:8 http://hq.in.vpac.org/debian/ wheezy/main psmisc amd64 22.19-1+deb7u1 [135 kB]
Get:9 http://hq.in.vpac.org/debian/ wheezy/main slapd amd64 2.4.31-1+nmu2 [1768 kB]
Get:10 http://hq.in.vpac.org/debian/ wheezy/main ldap-utils amd64 2.4.31-1+nmu2 [345 kB]
Fetched 3329 kB in 0s (16.1 MB/s)
Preconfiguring packages ...
Selecting previously unselected package libsasl2-2:amd64.
(Reading database ... 16497 files and directories currently installed.)
Unpacking libsasl2-2:amd64 (from .../libsasl2-2_2.1.25.dfsg1-6+deb7u1_amd64.deb) ...
Selecting previously unselected package libldap-2.4-2:amd64.
Unpacking libldap-2.4-2:amd64 (from .../libldap-2.4-2_2.4.31-1+nmu2_amd64.deb) ...
Selecting previously unselected package libwrap0:amd64.
Unpacking libwrap0:amd64 (from .../libwrap0_7.6.q-24_amd64.deb) ...
Selecting previously unselected package libltdl7:amd64.
Unpacking libltdl7:amd64 (from .../libltdl7_2.4.2-1.1_amd64.deb) ...
Selecting previously unselected package libodbc1:amd64.
Unpacking libodbc1:amd64 (from .../libodbc1_2.2.14p2-5_amd64.deb) ...
Selecting previously unselected package libperl5.14.
Unpacking libperl5.14 (from .../libperl5.14_5.14.2-21_amd64.deb) ...
Selecting previously unselected package libslp1.
Unpacking libslp1 (from .../libslp1_1.2.1-9_amd64.deb) ...
Selecting previously unselected package psmisc.
Unpacking psmisc (from .../psmisc_22.19-1+deb7u1_amd64.deb) ...
Selecting previously unselected package slapd.
Unpacking slapd (from .../slapd_2.4.31-1+nmu2_amd64.deb) ...
Selecting previously unselected package ldap-utils.
Unpacking ldap-utils (from .../ldap-utils_2.4.31-1+nmu2_amd64.deb) ...
Processing triggers for man-db ...
Setting up libsasl2-2:amd64 (2.1.25.dfsg1-6+deb7u1) ...
Setting up libldap-2.4-2:amd64 (2.4.31-1+nmu2) ...
Setting up libwrap0:amd64 (7.6.q-24) ...
Setting up libltdl7:amd64 (2.4.2-1.1) ...
Setting up libodbc1:amd64 (2.2.14p2-5) ...
Setting up libperl5.14 (5.14.2-21) ...
Setting up libslp1 (1.2.1-9) ...
Setting up psmisc (22.19-1+deb7u1) ...
Setting up slapd (2.4.31-1+nmu2) ...
  Creating initial configuration... done.
  Creating LDAP directory... done.
[ ok ] Starting OpenLDAP: slapd.
Setting up ldap-utils (2.4.31-1+nmu2) ...

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

# ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/ppolicy2.ldif
adding new entry "ou=People,dc=example,dc=org"
adding new entry "ou=Groups,dc=example,dc=org"
adding new entry "ou=policies,dc=example,dc=org"
adding new entry "cn=default,ou=policies,dc=example,dc=org"
ldap_add: Invalid syntax (21)
	additional info: pwdAttribute: value #0 invalid per syntax

It complains that it doesn't like:

pwdAttribute: userPassword

I have to change it to:

pwdAttribute: 2.5.4.35

Then it works. Once the default policy is loaded, I can change it back again:

# ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/ppolicy2fixed.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=org"

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy3.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config"

# ldapmodify -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/fixup.ldif
modifying entry "cn=default,ou=policies,dc=example,dc=org"

(This is a test chroot only, so, unfortunately, no, you can't use slapdsecret to break into any of my production boxes.)

This makes it very difficult to import an ldap LDIF file with ppolicy.
You have to kludge the data first, because it won't accept *any* entries with pwdAttribute: userPassword password until the default policy is installed and configured, and the default policy is contained within the LDIF file and won't install either because it also has pwdAttribute: userPassword

The pwdAttribute appears to be required by the schema, so I can't leave it out either. As far as I can tell pwdAttribute: userPassword is supposed to be the correct value.

The data files concerned:

# cat debconf.conf
mysql-server-5.5 mysql-server/root_password string mysqlsecret
mysql-server-5.5 mysql-server/root_password_again string mysqlsecret
slapd shared/organization string example org
slapd slapd/domain string example.org
slapd slapd/password1 string slapdsecret
slapd slapd/password2 string slapdsecret

# cat slapd/ppolicy.ldif
[ ppolicy schema file omitted ]

# cat slapd/ppolicy1.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: ppolicy.so

# cat slapd/ppolicy2.ldif
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit

dn: ou=Groups,dc=example,dc=org
objectClass: organizationalUnit

dn: ou=policies,dc=example,dc=org
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword

# cat slapd/ppolicy2fixed.ldif
dn: cn=default,ou=policies,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: 2.5.4.35

# cat slapd/ppolicy3.ldif
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org

# cat slapd/fixup.ldif
dn: cn=default,ou=policies,dc=example,dc=org
changetype: modify
replace: pwdAttribute
pwdAttribute: userPassword
-

For comparison, on a sid schroot (which has the same version of slapd, so same results, no surprise here):

PS1='# '
# debconf-set-selections debconf.conf
# apt-get install slapd ldap-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libsasl2-modules libslp1 psmisc
Suggested packages:
  libmyodbc odbc-postgresql tdsodbc unixodbc-bin libsasl2-modules-otp libsasl2-modules-ldap libsasl2-modules-sql libsasl2-modules-gssapi-mit libsasl2-modules-gssapi-heimdal slpd openslp-doc
The following NEW packages will be installed:
  ldap-utils libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libsasl2-modules libslp1 psmisc slapd
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 3389 kB of archives.
After this operation, 7805 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://http.debian.net/debian/ sid/main libsasl2-modules amd64 2.1.25.dfsg1-13 [123 kB]
Get:2 http://http.debian.net/debian/ sid/main libsasl2-2 amd64 2.1.25.dfsg1-13 [109 kB]
Get:3 http://http.debian.net/debian/ sid/main libldap-2.4-2 amd64 2.4.31-1+nmu2 [243 kB]
Get:4 http://http.debian.net/debian/ sid/main libperl5.14 amd64 5.14.2-21 [1174 B]
Get:5 http://http.debian.net/debian/ sid/main libslp1 amd64 1.2.1-9 [50.8 kB]
Get:6 http://http.debian.net/debian/ sid/main libltdl7 amd64 2.4.2-1.3 [352 kB]
Get:7 http://http.debian.net/debian/ sid/main ldap-utils amd64 2.4.31-1+nmu2 [345 kB]
Get:8 http://http.debian.net/debian/ sid/main libodbc1 amd64 2.2.14p2-5 [252 kB]
Get:9 http://http.debian.net/debian/ sid/main psmisc amd64 22.20-1 [146 kB]
Get:10 http://http.debian.net/debian/ sid/main slapd amd64 2.4.31-1+nmu2 [1768 kB]
Fetched 3389 kB in 8s (382 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libsasl2-modules:amd64.
(Reading database ... 17453 files and directories currently installed.)
Unpacking libsasl2-modules:amd64 (from .../libsasl2-modules_2.1.25.dfsg1-13_amd64.deb) ...
Selecting previously unselected package libsasl2-2:amd64.
Unpacking libsasl2-2:amd64 (from .../libsasl2-2_2.1.25.dfsg1-13_amd64.deb) ...
Selecting previously unselected package libldap-2.4-2:amd64.
Unpacking libldap-2.4-2:amd64 (from .../libldap-2.4-2_2.4.31-1+nmu2_amd64.deb) ...
Selecting previously unselected package libltdl7:amd64.
Unpacking libltdl7:amd64 (from .../libltdl7_2.4.2-1.3_amd64.deb) ...
Selecting previously unselected package libodbc1:amd64.
Unpacking libodbc1:amd64 (from .../libodbc1_2.2.14p2-5_amd64.deb) ...
Selecting previously unselected package libperl5.14.
Unpacking libperl5.14 (from .../libperl5.14_5.14.2-21_amd64.deb) ...
Selecting previously unselected package libslp1.
Unpacking libslp1 (from .../libslp1_1.2.1-9_amd64.deb) ...
Selecting previously unselected package psmisc.
Unpacking psmisc (from .../psmisc_22.20-1_amd64.deb) ...
Selecting previously unselected package slapd.
Unpacking slapd (from .../slapd_2.4.31-1+nmu2_amd64.deb) ...
Selecting previously unselected package ldap-utils.
Unpacking ldap-utils (from .../ldap-utils_2.4.31-1+nmu2_amd64.deb) ...
Processing triggers for man-db ...
Setting up libsasl2-modules:amd64 (2.1.25.dfsg1-13) ...
Setting up libsasl2-2:amd64 (2.1.25.dfsg1-13) ...
Setting up libldap-2.4-2:amd64 (2.4.31-1+nmu2) ...
Setting up libltdl7:amd64 (2.4.2-1.3) ...
Setting up libodbc1:amd64 (2.2.14p2-5) ...
Setting up libperl5.14 (5.14.2-21) ...
Setting up libslp1 (1.2.1-9) ...
Setting up psmisc (22.20-1) ...
Setting up slapd (2.4.31-1+nmu2) ...
  Creating initial configuration... done.
  Creating LDAP directory... done.
[ ok ] Starting OpenLDAP: slapd.
Setting up ldap-utils (2.4.31-1+nmu2) ...
Processing triggers for libc-bin ...

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

# ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/ppolicy2.ldif
adding new entry "ou=People,dc=example,dc=org"
adding new entry "ou=Groups,dc=example,dc=org"
adding new entry "ou=policies,dc=example,dc=org"
adding new entry "cn=default,ou=policies,dc=example,dc=org"
ldap_add: Invalid syntax (21)
	additional info: pwdAttribute: value #0 invalid per syntax

# ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/ppolicy2fixed.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=org"

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy3.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config"

# ldapmodify -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/fixup.ldif
modifying entry "cn=default,ou=policies,dc=example,dc=org"

--
Brian May <br...@microcomaustralia.com.au>
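
The two-pass workaround described in the report (add the policy entry with the numeric OID, then put the attribute name back once the overlay is configured), automated for an arbitrary LDIF export. This is an added example, not part of the original report or of OpenLDAP; the names split_policy_ldif, OIDS and SAMPLE_LDIF are hypothetical, and the sample input is constructed from the report's ppolicy2.ldif.

```python
import base64
import re

# Attribute name -> numeric OID. 2.5.4.35 is the value the report substitutes
# for userPassword; extend the map if a policy names another attribute.
OIDS = {"userpassword": "2.5.4.35"}

# Constructed sample, modelled on the report's slapd/ppolicy2.ldif.
SAMPLE_LDIF = """\
dn: ou=policies,dc=example,dc=org
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
"""

def split_policy_ldif(ldif_text):
    """Return (import_ldif, fixup_ldif): OIDs for ldapadd, names for ldapmodify."""
    # Normalise CRLF, then undo RFC 2849 line folding (newline + one space).
    unfolded = re.sub(r"\n ", "", ldif_text.replace("\r\n", "\n"))
    blocks, fixups = [], []
    for block in re.split(r"\n[ \t]*\n", unfolded.strip()):
        lines = block.splitlines()
        dn = next((l for l in lines if l.lower().startswith("dn:")), None)
        values, changed = [], False
        for i, line in enumerate(lines):
            attr, _, raw = line.partition(":")
            if attr.strip().lower() != "pwdattribute":
                continue
            if raw.startswith(":"):                  # "pwdAttribute:: <base64>"
                raw = base64.b64decode(raw[1:].strip()).decode("ascii")
            value = raw.strip()
            values.append(value)                     # original value, for the fixup
            oid = OIDS.get(value.lower())
            if oid:
                lines[i] = "pwdAttribute: " + oid    # form the report found accepted
                changed = True
        blocks.append("\n".join(lines))
        if dn and changed:
            fixups.append("\n".join([dn, "changetype: modify", "replace: pwdAttribute"]
                                    + ["pwdAttribute: " + v for v in values] + ["-"]))
    fixup = "\n\n".join(fixups) + "\n" if fixups else ""
    return "\n\n".join(blocks) + "\n", fixup

if __name__ == "__main__":
    import_ldif, fixup_ldif = split_policy_ldif(SAMPLE_LDIF)
    print(import_ldif, fixup_ldif, sep="\n")
```

The first string goes to ldapadd before the ppolicy overlay entry is added and the second to ldapmodify afterwards, the same order as ppolicy2fixed.ldif, ppolicy3.ldif and fixup.ldif in the report.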