ltb-project / openldap-deb
Debian packages for OpenLDAP
Home Page: http://ltb-project.org/wiki/documentation/openldap-deb
License: GNU General Public License v3.0
In stretch apt can't verify packages
wget -O - https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project | sudo apt-key add -
OK
cat /etc/apt/sources.list.d/ltb-project.list
deb [arch=amd64] "https://ltb-project.org/debian/stretch" stretch main
apt-get -q -y install openldap-ltb=2.4.45.1
WARNING: The following packages cannot be authenticated!
berkeleydb-ltb openldap-ltb
E: There were unauthenticated packages and -y was used without --allow-unauthenticated
This is required to configure olcReverseLookup parameter
When building OpenLDAP LTB packages, I get this error:
libtool: install: warning: relinking `explockout.la'
(cd /home/clement/paquet-openldap-debian/openldap-ltb-2.4.47/ltb-project-openldap-explockout-1.0; /bin/bash ../libtool --mode=relink gcc -g -O2 -Wall -fpic -DCONFIG_FILE="/opt/openldap-2.4.46-el/etc/openldap/explockout.conf" -DDEBUG -version-info 0:0:0 -rpath /home/clement/paquet-openldap-debian/openldap-ltb-2.4.47/debian/tmp/usr/local/openldap/libexec/openldap -module -o explockout.la explockout.lo -lldap_r -llber -L../libraries/liblber/.libs -L../libraries/libldap_r/.libs )
gcc -shared .libs/explockout.o -Wl,--rpath -Wl,/usr/local/openldap/lib64 -L/usr/local/openldap/lib64 -lldap_r -L/usr/local/berkeleydb/lib -llber -Wl,-soname -Wl,explockout.so.0 -o .libs/explockout.so.0.0.0
/usr/bin/ld: cannot find -lldap_r
/usr/bin/ld: cannot find -llber
collect2: error: ld returned 1 exit status
libtool: install: error: relink `explockout.la' with the above command before installing it
Makefile:52: recipe for target 'install' failed
make[1]: *** [install] Error 1
make[1]: Leaving directory '/home/clement/paquet-openldap-debian/openldap-ltb-2.4.47/ltb-project-openldap-explockout-1.0'
debian/rules:41: recipe for target 'install' failed
make: *** [install] Error 2
slapd executable, all libs, all slapd modules, etc. are installed with ownership ldap:ldap. But ldap is the daemon user for running slapd. This is very bad security practice.
Only the database directory /usr/local/openldap/var/openldap-data must have ownership ldap:ldap. The rest of all files should be installed with ownership root:root (with same permissions like now).
Main objectives:
We chose to compile official backends and overlays in static mode at the beginning of the project. I recently had an issue with this choice: OpenAM is using a specific schema with memberOf in it, which is also redefined in memberOf overlay. With this overlay compiled as static, even if the overlay is not loaded in configuration, the schema is defined and we can't include the OpenAM schema.
So I am opening this issue so we can discuss changing this mode and providing all backends and overlays as modules.
As this will require a change in configuration (moduleload), I plan it for 2.5.
Hello,
We installed openldap-ltb package, it was starting, restarting and stopping very well without any problem, but since we added the option "-d" to the slapd-cli.conf file in order to enable the debug we have some issues when starting the slapd service. It failed to start with a timeout message, but then when we restart it again it restarts successfully.
Do you know why when adding -d option we have this time-out problem?
Thank you in advance for your response.
integrate explockout
https://github.com/davidcoutadeur/explockout
Hi,
we're experiencing some issues during the upgrade of openldap packages from LTB repository on our openldap server.
The openldap server is 2.4.44 and o.s. is a debian 8
The errors regarding openldap are the following
Can you please help us?
regards
Installing new version of config file /etc/init.d/slapd ...
addgroup: The group `ldap' already exists as a system group. Exiting.
Job for slapd.service failed. See 'systemctl status slapd.service' and 'journalctl -xn' for details.
invoke-rc.d: initscript slapd, action "start" failed.
dpkg: error processing package openldap-ltb (--configure):
subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of openldap-ltb-check-password:
openldap-ltb-check-password depends on openldap-ltb; however:
Package openldap-ltb is not configured yet.
dpkg: error processing package openldap-ltb-check-password (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.19-18+deb8u10) ...
Processing triggers for systemd (215-17+deb8u7) ...
Errors were encountered while processing:
openldap-ltb
openldap-ltb-check-password
E: Sub-process /usr/bin/dpkg returned an error code (1)
use new 2.3 openldap-initscript:
ltb-project/slapd-cli#4
Hello,
During installation process, execution right is added to the /lib/systemd/system/slapd.service which is useless :
systemd[1]: Configuration file /lib/systemd/system/slapd.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Fred.
include new openldap-initscript release
ltb-project/slapd-cli#20
https://github.com/ltb-project/openldap-initscript/releases/tag/v2.5
when ltb-project/ppm#11 is done, integrate it into deb package.
When I go to install openldap-ltb after following the instructions here, https://ltb-project.org/documentation/openldap-deb#apt_repository , I get this output:
Setting up openldap-ltb (2.4.47.1) ...
addgroup: The group 'ldap' already exists as a system group. Exiting.
adduser: The user 'ldap' already exists, but is not a system user. Exiting.
dpkg: error processing package openldap-ltb (--configure):
installed openldap-ltb package post-installation script subprocess returned error exit status 1
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Errors were encountered while processing:
openldap-ltb
E: Sub-process /usr/bin/dpkg returned an error code (1)
I tried this on the server I am trying to set this up on as well as a fresh server and got the same issue. On Ubuntu Buster. I see that the errors involve the user/group ldap, but I have no idea why this is causing an issue. Thank you for your help.
Sorry for the wrong placement.
Fix this issue: ltb-project/ppm#16
OpenLDAP 2.4.53 was released today
hi there
I installed Self Service password changer, but how do you launch it?
I can't get any posts on that?
include ppm 1.6 in OpenLDAP packaging.
Changelog : adding cracklib support
I did an upgrade today and noticed that my systemd service file ( /lib/systemd/system/slapd.service) was erased.
It should be tagged as configuration file I think.
It seems that lastbind overlay will be included natively into OpenLDAP 2.5. (see for example: https://bugs.openldap.org/show_bug.cgi?id=9156)
If it is true, we will have to remove lastbind overlay, and warn users that configuration directives have changed (overlay lastbind -> lastbind on)
When installing Debian packages and running slapd-cli backup
we have an error because backup directory is not writable by ldap user.
OpenLDAP 2.4.50 was released today
See:
lintian -c openldap-ltb_2.4.46.1_amd64.deb
warning: the authors of lintian do not recommend running it with root privileges!
W: openldap-ltb: debian-changelog-line-too-long line 4
W: openldap-ltb: debian-changelog-line-too-long line 5
W: openldap-ltb: debian-changelog-line-too-long line 9
W: openldap-ltb: debian-changelog-line-too-long ... use --no-tag-display-limit to see all (or pipe to a file/program)
E: openldap-ltb: file-in-usr-marked-as-conffile usr/local/openldap/etc/openldap/slapd.conf
E: openldap-ltb: file-in-usr-marked-as-conffile usr/local/openldap/etc/openldap/slapd-cli.conf
E: openldap-ltb: file-in-usr-marked-as-conffile usr/local/openldap/etc/openldap/ldap.conf
E: openldap-ltb: file-in-usr-marked-as-conffile ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: openldap-ltb: unknown-control-file vars
E: openldap-ltb: helper-templates-in-copyright
W: openldap-ltb: readme-debian-contains-debmake-template
W: openldap-ltb: spelling-error-in-description librairies libraries
E: openldap-ltb: dir-in-usr-local usr/local/openldap/
E: openldap-ltb: dir-in-usr-local usr/local/openldap/bin/
E: openldap-ltb: file-in-usr-local usr/local/openldap/bin/ldapadd
W: openldap-ltb: file-in-unusual-dir usr/local/openldap/bin/ldapadd
E: openldap-ltb: file-in-usr-local usr/local/openldap/bin/ldapcompare
W: openldap-ltb: file-in-unusual-dir usr/local/openldap/bin/ldapcompare
E: openldap-ltb: file-in-usr-local usr/local/openldap/bin/ldapdelete
W: openldap-ltb: file-in-unusual-dir usr/local/openldap/bin/ldapdelete
E: openldap-ltb: file-in-usr-local ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: openldap-ltb: file-in-unusual-dir ... use --no-tag-display-limit to see all (or pipe to a file/program)
E: openldap-ltb: dir-in-usr-local usr/local/openldap/etc/
E: openldap-ltb: dir-in-usr-local ... use --no-tag-display-limit to see all (or pipe to a file/program)
E: openldap-ltb: prerm-calls-updaterc.d slapd
E: openldap-ltb: postrm-does-not-call-updaterc.d-for-init.d-script etc/init.d/slapd
W: openldap-ltb: command-with-path-in-maintainer-script postinst:8 /usr/sbin/addgroup
W: openldap-ltb: command-with-path-in-maintainer-script postinst:9 /usr/sbin/adduser
W: openldap-ltb: command-with-path-in-maintainer-script postinst:37 /bin/chown
W: openldap-ltb: command-with-path-in-maintainer-script ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: openldap-ltb: maintainer-script-ignores-errors postinst
W: openldap-ltb: maintainer-script-ignores-errors prerm
W: openldap-ltb: maintainer-script-ignores-errors vars
E: openldap-ltb: non-empty-dependency_libs-in-la-file usr/local/openldap/lib64/liblber.la
E: openldap-ltb: non-empty-dependency_libs-in-la-file usr/local/openldap/lib64/libldap.la
E: openldap-ltb: non-empty-dependency_libs-in-la-file usr/local/openldap/lib64/libldap_r.la
E: openldap-ltb: non-empty-dependency_libs-in-la-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: openldap-ltb: package-has-unnecessary-activation-of-ldconfig-trigger
W: openldap-ltb: init.d-script-does-not-source-init-functions etc/init.d/slapd
Today, security advice is to use the Argon2 hashing algorithm.
SHA2 and PBKDF2 are becoming deprecated and I think Argon2 should be the reference.
linked to libssl-1.0.0, but libssl-1.1.1 is to be used
Need to recompile on debian stretch
OpenLDAP 2.4.55 was released yesterday
OpenLDAP 2.4.55 is now available for download as detailed on our download page:
https://www.openldap.org/software/download/
and should soon be available on all official mirrors:
ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS
This is a maintenance release and is made available for general use. Users of OpenLDAP Software are encouraged to upgrade.
Significant contributors are:
Howard Chu (Symas Corp)
Quanah Gibson-Mount (Symas Corp)
Ondřej Kuzník (Symas Corp)
OpenLDAP 2.4.55 Release (2020/10/26)
Fixed slapd normalization handling with modrdn (ITS#9370)
Fixed slapd-meta to check ldap_install_tls return code (ITS#9366)
Contrib
Fixed nssov misplaced semicolon (ITS#8731, ITS#9368)
MD5(openldap-2.4.55.tgz)= 333a75f42e55b907543fa3a46a620eab
SHA1(openldap-2.4.55.tgz)= 03f67a56b8760abe0d5fdfa06e93542a3f4b8ef4
LMDB 0.9.27 Release (2020/10/26)
ITS#9376 fix repeated DUPSORT cursor deletes
From http://tools.ltb-project.org/issues/854
Provided patch:
Index: trunk/debian/paquet-openldap-debian/openldap-ltb-2.4.44/debian/configure
===================================================================
--- trunk/debian/paquet-openldap-debian/openldap-ltb-2.4.44/debian/configure (revision 419)
+++ trunk/debian/paquet-openldap-debian/openldap-ltb-2.4.44/debian/configure (working copy)
@@ -5,7 +5,7 @@
export CC="gcc"
-export CFLAGS="-DOPENLDAP_FD_SETSIZE=4096 -O2 -g"
+export CFLAGS="-DOPENLDAP_FD_SETSIZE=4096 -DSLAP_SCHEMA_EXPOSE -O2 -g"
export CPPFLAGS="-I${BDBDIR}/include -I/usr/kerberos/include"
export LDFLAGS="-L${BDBDIR}/lib"
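Review bot: the `-DSLAP_SCHEMA_EXPOSE` define added to the `CFLAGS` export comes with no comment in `debian/configure` saying why the build needs it, so a later packager cannot tell whether it is safe to drop. Add a one-line comment above the export naming the requirement and the originating issue (tools.ltb-project.org issue 854). The patch also touches only the `openldap-ltb-2.4.44` tree, so the flag has to be carried into each later version directory or it will silently disappear on the next release.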
Hello,
Since last week, we see a degradation of our ldap behavior in production.
Counting the number of entries takes more than 15 minutes (it usually lasts less than 2 minutes).
The backup now takes 20 minutes but it took less than 4 minutes previously.
We see that the disk access is used on read at almost 100%
We already had a similar behavior due to a mdb file corruption.
The first time in March after a file system saturation on the system disk (the mdb file is on a secondary disk). A second time, in April after a VM upgrade.
Each time, we solved the issues by deleting the mdb file and letting it be created by replication.
Now, we don't understand the reason for this new corruption. But it is curious to see that the mdb file is corrupted once a month.
Is there a bug or something that has an impact on the mdb file?
Is there a way to make the mdb more reliable?
We are using Openldap-ltb 2.4.47 on Ubuntu 16.04.2
Best Regards,
Mejdi
Package OpenLDAP-LTB 2.4.45 for debian
Hello,
When upgrading an openldap 2.4.49 to 2.4.51 on ubuntu 16.04 this morning I've seen this problem again #16
In this case we store accesslogs in /usr/local/openldap/var/openldap-accesslog/
# ls -lha /usr/local/openldap/var/
total 20K
drwxr-xr-x 5 root root 4.0K Jan 25 2019 .
drwxr-xr-x 10 root root 4.0K Nov 28 2017 ..
drwxr-xr-x 2 ldap ldap 4.0K Nov 10 10:35 openldap-accesslog
drwxr-xr-x 2 ldap ldap 4.0K Nov 10 10:35 openldap-data
drwxr-xr-x 2 ldap ldap 4.0K Nov 10 10:35 run
Upgrading the package makes :
chown -R root:root ${LDAPSERVERDIR}/var
Which results in the accesslog folder being set to root:root, and then slapd is unable to restart:
Errors were encountered while processing:
openldap-ltb
openldap-ltb-contrib-overlays
openldap-ltb-mdb-utils
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@ldap:~# ls -lha /usr/local/openldap/var/openldap-accesslog/
total 168K
drwxr-xr-x 2 root root 4.0K Nov 10 10:38 .
drwxr-xr-x 5 root root 4.0K Jan 25 2019 ..
-rw------- 1 root root 156K Oct 26 09:01 data.mdb
-rw------- 1 root root 8.0K Nov 10 10:31 lock.mdb
Thanks
When applying this command:
/bin/chown -R root:root ${LDAPSERVERDIR}
the owner modifications are applied recursively.
However, if the directory slapd.d exists in etc/openldap/ and has correct owner root:ldap, it overwrites the owner permissions.
We could instead select more precisely the files with:
/bin/chown root:root ${LDAPSERVERDIR}
/bin/chown -R root:root ${LDAPSERVERDIR}/bin
/bin/chown -R root:root ${LDAPSERVERDIR}/etc/openldap/{DB_CONFIG.example,ldap.conf,ldap.conf.default,ppm.conf,schema,slapd.conf,slapd.conf.default,slapd.ldif,slapd.ldif.default}
/bin/chown -R root:root ${LDAPSERVERDIR}/include
/bin/chown -R root:root ${LDAPSERVERDIR}/lib64
/bin/chown -R root:root ${LDAPSERVERDIR}/libexec
/bin/chown -R root:root ${LDAPSERVERDIR}/sbin
/bin/chown -R root:root ${LDAPSERVERDIR}/var
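An ownership audit for the policy these issues converge on (program files owned by root, only the directories slapd writes to owned by the ldap user), as an added example that is not part of the original issues or the package's postinst. The function name `audit_ownership` and its arguments are assumptions; the directory names come from the listings above. It checks the owning uid only, not group or mode.

```shell
#!/bin/sh
# Added example (not the openldap-ltb postinst): report every path under an
# install tree whose owner differs from the policy discussed in the issues:
#   - program files, libraries, modules and config: owned by the admin uid
#   - directories slapd must write to (data, accesslog, run): owned by the
#     service uid
# audit_ownership is a hypothetical helper name.
#
# Usage: audit_ownership ROOT CODE_UID DATA_UID DATA_DIR...
#   DATA_DIR entries are relative to ROOT.
# Prints one line per violation; prints nothing when the tree is compliant.
audit_ownership() {
    root=${1%/}
    code_uid=$2
    data_uid=$3
    shift 3
    find "$root" -print | while IFS= read -r path; do
        want=$code_uid
        kind=code
        # A path is "data" when it is a listed directory or lies below one.
        # Matching on "$root/$d" and "$root/$d"/* avoids treating a sibling
        # such as openldap-data-old as service-writable.
        for d in "$@"; do
            case "$path" in
                "$root/$d" | "$root/$d"/*) want=$data_uid; kind=data ;;
            esac
        done
        # ls -n prints numeric ids, so the check needs no passwd lookups.
        have=$(ls -ldn -- "$path" | awk '{print $3}')
        [ "$have" = "$want" ] ||
            printf '%s: uid %s, expected %s (%s)\n' "$path" "$have" "$want" "$kind"
    done
}

# On a real host (assumes the service account is named ldap, as on this page):
#   audit_ownership /usr/local/openldap 0 "$(id -u ldap)" \
#       var/openldap-data var/openldap-accesslog var/run
```

Run after an upgrade, a recursive `chown -R root:root` over `var` shows up as `data` violations for `openldap-accesslog`, and an install that leaves everything owned by ldap shows up as `code` violations.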
Include new ppm release: https://github.com/ltb-project/ppm/releases/tag/v1.8
Hello,
When debugging #52 I realized that the slapd service is automatically started even if it was stopped before
root@openldap:~# /usr/local/openldap/sbin/slapd-cli status
slapd-cli: [INFO] Using /usr/local/openldap/etc/openldap/slapd-cli.conf for configuration
slapd-cli: [INFO] LDAP Tool Box OpenLDAP init script version 2.5
slapd-cli: [INFO] Process OpenLDAP is not running
slapd-cli: [INFO] Detected suffix: dc=my-domain,dc=com
root@openldap:~# apt install openldap-ltb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
libfreetype6
Use 'apt autoremove' to remove it.
Suggested packages:
openldap-ltb-check-password openldap-ltb-contrib-overlays
The following packages will be upgraded:
openldap-ltb
1 upgraded, 0 newly installed, 0 to remove and 28 not upgraded.
Need to get 1686 kB of archives.
After this operation, 23.6 kB of additional disk space will be used.
Get:1 https://ltb-project.org/debian/jessie jessie/main amd64 openldap-ltb amd64 2.4.51.1 [1686 kB]
Fetched 1686 kB in 0s (5898 kB/s)
(Reading database ... 27987 files and directories currently installed.)
Preparing to unpack .../openldap-ltb_2.4.51.1_amd64.deb ...
Unpacking openldap-ltb (2.4.51.1) over (2.4.49.1) ...
Processing triggers for ureadahead (0.100.0-19.1) ...
Processing triggers for systemd (229-4ubuntu21.29) ...
Setting up openldap-ltb (2.4.51.1) ...
Installing new version of config file /usr/local/openldap/etc/openldap/ldap.conf ...
slapd.service is not a native service, redirecting to systemd-sysv-install
Executing /lib/systemd/systemd-sysv-install enable slapd
root@openldap:~# /usr/local/openldap/sbin/slapd-cli status
slapd-cli: [INFO] Using /usr/local/openldap/etc/openldap/slapd-cli.conf for configuration
slapd-cli: [INFO] LDAP Tool Box OpenLDAP init script version 2.5
slapd-cli: [INFO] Process OpenLDAP is running (PID 2804)
slapd-cli: [INFO] Listening to services ldap://*:389 ldaps://*:636 ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
slapd-cli: [INFO] Process usage: 0.0% CPU / 0.0% MEM
slapd-cli: [INFO] Detected suffix: dc=my-domain,dc=com
Could it be possible to make the service stay as it was before the upgrade? It would make errors like #52 a lot easier to debug and not leave the packages in an unconfigured state.
Thanks
Hello,
at least on Ubuntu 18.04, shouldn't the package slapd be in conflict with these packages?
Installing both at the same time seems to bring some issues due to PATH and overwritten systemd files.
Hi,
I'm trying to build a docker image using OpenLDAP LTB project and I have an issue with the postinst script.
It requires systemctl to be installed. I don't want to compile openldap, I want to reuse Debian packages even if it is not perfect. So is it possible to test if systemctl exists and then call it?
Fred.
Hello,
I tried to compile berkeleydb-ltb package on Ubuntu 18.04, and I get this:
clement@kptn-ubuntu-18-04:~/paquet-berkeleydb-debian/berkeleydb-ltb-4.6.21.NC$ dpkg-buildpackage -us -uc
dpkg-buildpackage: info: source package berkeleydb-ltb
dpkg-buildpackage: info: source version 4.6.21.NC-4-patch4
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: source changed by David Coutadeur <[email protected]>
dpkg-buildpackage: info: host architecture amd64
dpkg-source --before-build berkeleydb-ltb-4.6.21.NC
fakeroot debian/rules clean
dh clean
dh: Compatibility levels before 9 are deprecated (level 7 in use)
debian/rules override_dh_clean
make[1]: Entering directory '/home/clement/paquet-berkeleydb-debian/berkeleydb-ltb-4.6.21.NC'
cd build_unix && make clean
make[2]: Entering directory '/home/clement/paquet-berkeleydb-debian/berkeleydb-ltb-4.6.21.NC/build_unix'
make[2]: *** No rule to make target 'clean'. Stop.
make[2]: Leaving directory '/home/clement/paquet-berkeleydb-debian/berkeleydb-ltb-4.6.21.NC/build_unix'
debian/rules:24: recipe for target 'override_dh_clean' failed
make[1]: *** [override_dh_clean] Error 2
make[1]: Leaving directory '/home/clement/paquet-berkeleydb-debian/berkeleydb-ltb-4.6.21.NC'
debian/rules:21: recipe for target 'clean' failed
make: *** [clean] Error 2
dpkg-buildpackage: error: fakeroot debian/rules clean subprocess returned exit status 2
See https://github.com/ltb-project/openldap-initscript/releases/tag/v2.4
Changes:
#12 : possibility to disable LDIF wrapping
#13 : manage spaces in syncrepl options values
#14 : remove ExecRestart in systemd service
as topic states
A good feature would be to provide a default configuration and some sample data so we start with some entries in the directory
Hello,
We installed the package OpenLDAP-ltb on ubuntu 16.04.2 and we have two LDAP data bases working in multi-master mode replication.
We then imported our data with "slapadd" on each node. On the first node we have all our data which was imported before with "slapadd" and we have 9Go in mdb.data.
In the second node, we can't find all the data that was imported with "slapadd" and still, we have the same size (9Go) in mdb.data.
We cannot explain why we can't find our data in the second node anymore...
Do you have any idea how is that possible ? And do you know if we can recover our data that was imported ?
Thank you in advance for your response and your help.
Older Debian packages must always be kept please. :)
2.4.51 was released on August 12th.
Hello,
Before adding the LTB key, we need to install apt-transport-https package on Stretch to be able to update local index:
$ apt install apt-transport-https
cf: documentation link : https://ltb-project.org/documentation/openldap-deb
Regards