<div dir="ltr"><div style>Package: slapd</div><div style>Version: 2.4.31-1+nmu2</div><div style><br></div><div style>(note: some long command lines might be line wrapped, hopefully this isn't a big problem)</div><div style>
<br></div><div style><br></div>If I do the following on a clean wheezy chroot:<div><br></div><div>PS1='# '<br></div><div><br></div><div><div># debconf-set-selections debconf.conf</div></div><div><div><br></div><div>
# apt-get install slapd ldap-utils</div><div style>Reading package lists... Done<br></div><div style><div>Building dependency tree </div><div>Reading state information... Done</div><div>The following extra packages will be installed:</div>
<div> libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libslp1 libwrap0 psmisc</div><div>Suggested packages:</div><div> libmyodbc odbc-postgresql tdsodbc unixodbc-bin slpd openslp-doc</div><div>Recommended packages:</div>
<div> libsasl2-modules tcpd</div><div>The following NEW packages will be installed:</div><div> ldap-utils libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libslp1 libwrap0 psmisc slapd</div><div>0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.</div>
<div>Need to get 3329 kB of archives.</div><div>After this operation, 7583 kB of additional disk space will be used.</div><div>Do you want to continue [Y/n]? y</div><div>Get:1 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main libsasl2-2 amd64 2.1.25.dfsg1-6+deb7u1 [120 kB]</div>
<div>Get:2 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main libldap-2.4-2 amd64 2.4.31-1+nmu2 [243 kB]</div><div>Get:3 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main libwrap0 amd64 7.6.q-24 [62.4 kB]</div>
<div>Get:4 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main libltdl7 amd64 2.4.2-1.1 [352 kB]</div><div>Get:5 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main libodbc1 amd64 2.2.14p2-5 [252 kB]</div>
<div>Get:6 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main libperl5.14 amd64 5.14.2-21 [1174 B]</div><div>Get:7 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main libslp1 amd64 1.2.1-9 [50.8 kB]</div>
<div>Get:8 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main psmisc amd64 22.19-1+deb7u1 [135 kB]</div><div>Get:9 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main slapd amd64 2.4.31-1+nmu2 [1768 kB]</div>
<div>Get:10 <a href="http://hq.in.vpac.org/debian/">http://hq.in.vpac.org/debian/</a> wheezy/main ldap-utils amd64 2.4.31-1+nmu2 [345 kB]</div><div>Fetched 3329 kB in 0s (16.1 MB/s) </div><div>Preconfiguring packages ...</div>
<div>Selecting previously unselected package libsasl2-2:amd64.</div><div>(Reading database ... 16497 files and directories currently installed.)</div><div>Unpacking libsasl2-2:amd64 (from .../libsasl2-2_2.1.25.dfsg1-6+deb7u1_amd64.deb) ...</div>
<div>Selecting previously unselected package libldap-2.4-2:amd64.</div><div>Unpacking libldap-2.4-2:amd64 (from .../libldap-2.4-2_2.4.31-1+nmu2_amd64.deb) ...</div><div>Selecting previously unselected package libwrap0:amd64.</div>
<div>Unpacking libwrap0:amd64 (from .../libwrap0_7.6.q-24_amd64.deb) ...</div><div>Selecting previously unselected package libltdl7:amd64.</div><div>Unpacking libltdl7:amd64 (from .../libltdl7_2.4.2-1.1_amd64.deb) ...</div>
<div>Selecting previously unselected package libodbc1:amd64.</div><div>Unpacking libodbc1:amd64 (from .../libodbc1_2.2.14p2-5_amd64.deb) ...</div><div>Selecting previously unselected package libperl5.14.</div><div>Unpacking libperl5.14 (from .../libperl5.14_5.14.2-21_amd64.deb) ...</div>
<div>Selecting previously unselected package libslp1.</div><div>Unpacking libslp1 (from .../libslp1_1.2.1-9_amd64.deb) ...</div><div>Selecting previously unselected package psmisc.</div><div>Unpacking psmisc (from .../psmisc_22.19-1+deb7u1_amd64.deb) ...</div>
<div>Selecting previously unselected package slapd.</div><div>Unpacking slapd (from .../slapd_2.4.31-1+nmu2_amd64.deb) ...</div><div>Selecting previously unselected package ldap-utils.</div><div>Unpacking ldap-utils (from .../ldap-utils_2.4.31-1+nmu2_amd64.deb) ...</div>
<div>Processing triggers for man-db ...</div><div>Setting up libsasl2-2:amd64 (2.1.25.dfsg1-6+deb7u1) ...</div><div>Setting up libldap-2.4-2:amd64 (2.4.31-1+nmu2) ...</div><div>Setting up libwrap0:amd64 (7.6.q-24) ...</div>
<div>Setting up libltdl7:amd64 (2.4.2-1.1) ...</div><div>Setting up libodbc1:amd64 (2.2.14p2-5) ...</div><div>Setting up libperl5.14 (5.14.2-21) ...</div><div>Setting up libslp1 (1.2.1-9) ...</div><div>Setting up psmisc (22.19-1+deb7u1) ...</div>
<div>Setting up slapd (2.4.31-1+nmu2) ...</div><div> Creating initial configuration... done.</div><div> Creating LDAP directory... done.</div><div>[ ok ] Starting OpenLDAP: slapd.</div><div>Setting up ldap-utils (2.4.31-1+nmu2) ...</div>
<div><br></div></div><div style><div># ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy.ldif</div><div>SASL/EXTERNAL authentication started</div><div>SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth</div>
<div>SASL SSF: 0</div><div>adding new entry "cn=ppolicy,cn=schema,cn=config"</div><div><br></div><div># ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy1.ldif</div><div>SASL/EXTERNAL authentication started</div>
<div>SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth</div><div>SASL SSF: 0</div><div>adding new entry "cn=module,cn=config"</div><div><br></div></div><div><div># ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/ppolicy2.ldif</div>
<div>adding new entry "ou=People,dc=example,dc=org"</div><div><br></div><div>adding new entry "ou=Groups,dc=example,dc=org"</div><div><br></div><div>adding new entry "ou=policies,dc=example,dc=org"</div>
<div><br></div><div>adding new entry "cn=default,ou=policies,dc=example,dc=org"</div><div>ldap_add: Invalid syntax (21)</div><div> additional info: pwdAttribute: value #0 invalid per syntax</div><div><br>
</div></div><div style>It complains that it doesn't like:</div><div style><br></div><div style>pwdAttribute: userPassword<br></div><div style><br></div><div style>I have to change it to:</div><div style><br></div><div style>
pwdAttribute: 2.5.4.35<br></div><div style><br></div><div style>Then it works. Once the default policy is loaded, I can change it back again:</div><div style><br></div><div style><div># ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/ppolicy2fixed.ldif</div>
<div>adding new entry "cn=default,ou=policies,dc=example,dc=org"</div><div><br></div><div># ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy3.ldif</div><div>SASL/EXTERNAL authentication started</div><div>SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth</div>
<div>SASL SSF: 0</div><div>adding new entry "olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config"</div><div><div><br></div><div># ldapmodify -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/fixup.ldif</div>
<div>modifying entry "cn=default,ou=policies,dc=example,dc=org"</div><div><br></div></div><div><br></div><div style>(This is a test chroot only, so, unfortunately, no, you can't use slapdsecret to break into any of my production boxes.)</div>
<div style><br></div><div><br></div><div style>This makes it very difficult to import an ldap ldiff file with ppolicy. You have to kludge the data first, because it won't accept *any* entries with pwdAttribute: userPassword password until the default policy is installed and configured, and the default policy is contained within the ldiff file and won't install either because it also has pwdAttribute: userPassword</div>
<div style><br></div><div style>The pwdAttribute appears to be required by the schema, so I can't leave it out either.</div><div style><br></div><div style>As far as I can tell pwdAttribute: userPassword is suppose to be the correct value.</div>
<div style><br></div><div style>The data files concerned:</div><div style><br></div><div style><div># cat debconf.conf</div><div>mysql-server-5.5 mysql-server/root_password string mysqlsecret</div><div>mysql-server-5.5 mysql-server/root_password_again string mysqlsecret</div>
<div>slapd shared/organization string example org</div><div>slapd slapd/domain string <a href="http://example.org">example.org</a></div><div>slapd slapd/password1 string slapdsecret</div>
<div>slapd slapd/password2 string slapdsecret</div><div><br></div><div># cat slapd/ppolicy.ldif </div><div style>[ ppolicy schema file omitted ]</div><div style><div><br></div><div># cat slapd/ppolicy1.ldif </div>
<div>dn: cn=module,cn=config</div><div>objectClass: olcModuleList</div><div>cn: module</div><div>olcModulepath: /usr/lib/ldap</div><div>olcModuleload: ppolicy.so</div><div># cat slapd/ppolicy2.ldif </div><div>dn: ou=People,dc=example,dc=org</div>
<div>objectClass: organizationalUnit</div><div><br></div><div>dn: ou=Groups,dc=example,dc=org</div><div>objectClass: organizationalUnit</div><div><br></div><div>dn: ou=policies,dc=example,dc=org</div><div>objectClass: organizationalUnit</div>
<div><br></div><div>dn: cn=default,ou=policies,dc=example,dc=org</div><div>objectClass: top</div><div>objectClass: device</div><div>objectClass: pwdPolicy</div><div>pwdAttribute: userPassword</div><div><br></div><div># cat slapd/ppolicy2fixed.ldif </div>
<div>dn: cn=default,ou=policies,dc=example,dc=org</div><div>objectClass: top</div><div>objectClass: device</div><div>objectClass: pwdPolicy</div><div>pwdAttribute: 2.5.4.35</div><div><div><br></div><div># cat slapd/ppolicy3.ldif </div>
<div>dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config</div><div>objectClass: olcPPolicyConfig</div><div>olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org</div><div><br></div><div># cat slapd/fixup.ldif </div>
<div>dn: cn=default,ou=policies,dc=example,dc=org</div><div>changetype: modify</div><div>replace: pwdAttribute</div><div>pwdAttribute: userPassword</div><div>-</div></div><div><br></div><div><br></div><div style>For comparison, on a sid schroot (which has the same version of slapd, so same results, no surprise here):</div>
<div style><br></div><div style><br></div><div style>PS1='# '</div><div style><br></div><div style><div># debconf-set-selections debconf.conf</div><div><br></div><div># apt-get install slapd ldap-utils</div><div>Reading package lists... Done</div>
<div>Building dependency tree </div><div>Reading state information... Done</div><div>The following extra packages will be installed:</div><div> libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libsasl2-modules libslp1 psmisc</div>
<div>Suggested packages:</div><div> libmyodbc odbc-postgresql tdsodbc unixodbc-bin libsasl2-modules-otp libsasl2-modules-ldap libsasl2-modules-sql</div><div> libsasl2-modules-gssapi-mit libsasl2-modules-gssapi-heimdal slpd openslp-doc</div>
<div>The following NEW packages will be installed:</div><div> ldap-utils libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libsasl2-modules libslp1 psmisc slapd</div><div>0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.</div>
<div>Need to get 3389 kB of archives.</div><div>After this operation, 7805 kB of additional disk space will be used.</div><div>Do you want to continue [Y/n]? y</div><div>Get:1 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main libsasl2-modules amd64 2.1.25.dfsg1-13 [123 kB]</div>
<div>Get:2 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main libsasl2-2 amd64 2.1.25.dfsg1-13 [109 kB] </div><div>Get:3 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main libldap-2.4-2 amd64 2.4.31-1+nmu2 [243 kB] </div>
<div>Get:4 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main libperl5.14 amd64 5.14.2-21 [1174 B] </div><div>Get:5 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main libslp1 amd64 1.2.1-9 [50.8 kB]</div>
<div>Get:6 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main libltdl7 amd64 2.4.2-1.3 [352 kB]</div><div>Get:7 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main ldap-utils amd64 2.4.31-1+nmu2 [345 kB]</div>
<div>Get:8 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main libodbc1 amd64 2.2.14p2-5 [252 kB]</div><div>Get:9 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main psmisc amd64 22.20-1 [146 kB]</div>
<div>Get:10 <a href="http://http.debian.net/debian/">http://http.debian.net/debian/</a> sid/main slapd amd64 2.4.31-1+nmu2 [1768 kB] </div><div>Fetched 3389 kB in 8s (382 kB/s) </div>
<div>Preconfiguring packages ...</div><div>Selecting previously unselected package libsasl2-modules:amd64.</div><div>(Reading database ... 17453 files and directories currently installed.)</div><div>Unpacking libsasl2-modules:amd64 (from .../libsasl2-modules_2.1.25.dfsg1-13_amd64.deb) ...</div>
<div>Selecting previously unselected package libsasl2-2:amd64.</div><div>Unpacking libsasl2-2:amd64 (from .../libsasl2-2_2.1.25.dfsg1-13_amd64.deb) ...</div><div>Selecting previously unselected package libldap-2.4-2:amd64.</div>
<div>Unpacking libldap-2.4-2:amd64 (from .../libldap-2.4-2_2.4.31-1+nmu2_amd64.deb) ...</div><div>Selecting previously unselected package libltdl7:amd64.</div><div>Unpacking libltdl7:amd64 (from .../libltdl7_2.4.2-1.3_amd64.deb) ...</div>
<div>Selecting previously unselected package libodbc1:amd64.</div><div>Unpacking libodbc1:amd64 (from .../libodbc1_2.2.14p2-5_amd64.deb) ...</div><div>Selecting previously unselected package libperl5.14.</div><div>Unpacking libperl5.14 (from .../libperl5.14_5.14.2-21_amd64.deb) ...</div>
<div>Selecting previously unselected package libslp1.</div><div>Unpacking libslp1 (from .../libslp1_1.2.1-9_amd64.deb) ...</div><div>Selecting previously unselected package psmisc.</div><div>Unpacking psmisc (from .../psmisc_22.20-1_amd64.deb) ...</div>
<div>Selecting previously unselected package slapd.</div><div>Unpacking slapd (from .../slapd_2.4.31-1+nmu2_amd64.deb) ...</div><div>Selecting previously unselected package ldap-utils.</div><div>Unpacking ldap-utils (from .../ldap-utils_2.4.31-1+nmu2_amd64.deb) ...</div>
<div>Processing triggers for man-db ...</div><div>Setting up libsasl2-modules:amd64 (2.1.25.dfsg1-13) ...</div><div>Setting up libsasl2-2:amd64 (2.1.25.dfsg1-13) ...</div><div>Setting up libldap-2.4-2:amd64 (2.4.31-1+nmu2) ...</div>
<div>Setting up libltdl7:amd64 (2.4.2-1.3) ...</div><div>Setting up libodbc1:amd64 (2.2.14p2-5) ...</div><div>Setting up libperl5.14 (5.14.2-21) ...</div><div>Setting up libslp1 (1.2.1-9) ...</div><div>Setting up psmisc (22.20-1) ...</div>
<div>Setting up slapd (2.4.31-1+nmu2) ...</div><div> Creating initial configuration... done.</div><div> Creating LDAP directory... done.</div><div>[ ok ] Starting OpenLDAP: slapd.</div><div>Setting up ldap-utils (2.4.31-1+nmu2) ...</div>
<div>Processing triggers for libc-bin ...</div></div><div style><br></div><div style><div># ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy1.ldif</div><div>SASL/EXTERNAL authentication started</div><div>SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth</div>
<div>SASL SSF: 0</div><div>adding new entry "cn=module,cn=config"</div><div><br></div><div># ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/ppolicy2.ldif</div><div>adding new entry "ou=People,dc=example,dc=org"</div>
<div><br></div><div>adding new entry "ou=Groups,dc=example,dc=org"</div><div><br></div><div>adding new entry "ou=policies,dc=example,dc=org"</div><div><br></div><div>adding new entry "cn=default,ou=policies,dc=example,dc=org"</div>
<div>ldap_add: Invalid syntax (21)</div><div> additional info: pwdAttribute: value #0 invalid per syntax</div><div><br></div><div><div># ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/ppolicy2fixed.ldif</div>
<div>adding new entry "cn=default,ou=policies,dc=example,dc=org"</div><div><br></div><div># ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy3.ldif</div><div>SASL/EXTERNAL authentication started</div><div>SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth</div>
<div>SASL SSF: 0</div><div>adding new entry "olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config"</div><div><br></div></div><div><div># ldapmodify -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret < slapd/fixup.ldif</div>
<div>modifying entry "cn=default,ou=policies,dc=example,dc=org"</div><div><br></div></div></div></div></div></div>-- <br>Brian May <<a href="mailto:brian@microcomaustralia.com.au" target="_blank">brian@microcomaustralia.com.au</a>>
</div></div>