Openldap server install failure - openldap client conflict

Da Rock rock_on_the_web at comcen.com.au
Wed Apr 16 21:06:07 UTC 2008


On Wed, 2008-04-16 at 10:37 -0400, David Robillard wrote:
> > I'm trying to install OpenLDAP as a server to "attempt" to try it out
> > for our network. The problem is the openldap client is already installed
> > for other apps as php, apache, asterisk, etc. So my question is: is it
> > possible to uninstall the client? Will the server include the client
> > required for these other apps?
> 
> You can always remove the old client and install the new version. You
> simply need to shutdown the services which depend on the client before
> you remove the old one and install the new one. Then start the
> services again. Of course you should do this on a test machine and
> make sure all your applications work as expected with the new client
> (i.e. don't do this on your production machine AND back up before you
> do!).
> 
> For what it's worth, I've removed and installed the OpenLDAP client
> from a few machines and never had any problems with Apache nor with
> PHP. But I did have a problem with sudo(8). If you use sudo (you
> probably should IMHO) and it was compiled with LDAP support, then the
> minute you remove the old OpenLDAP client, sudo will be broken. It's
> easy to work around this by using su(1) and switch to root. Of course,
> make sure you know the root password and that you're part of the wheel
> group before you do this.
> 
> Here's how I proceed to update the OpenLDAP client. I use SASL also,
> but it's not mandatory. Notice that I run a first make(1) without
> options. This will help reduce the time required between the `make
> deinstall` and `make install clean`.
> 
> cd /usr/ports/net/openldap24-sasl-client
> sudo make
> sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
> sudo make deinstall
> sudo make install clean
> sudo /all/your/ldap/dependent/applications/rc.d/scripts start
> 
> Also, on a side note, I would suggest adding a few lines to
> make.conf(5) so that all your applications will require the same
> OpenLDAP versions (and the same Berkeley DB too). That change did help
> me quite a lot. The downside of this is that if you have many hosts,
> you may have to edit quite a few make.conf(5) files when either
> OpenLDAP or BDB changes versions. Using rsync, rdist
> 
> WANT_OPENLDAP_VER= 24
> WITH_BDB_VER= 46
> 
> Good luck with OpenLDAP. Should you need help with it, SASL and
> Kerberos integration, feel free to contact me.

I did just get it worked out, but those other apps were worrying me (see
last post). At least I know where to look now...

I am very interested in Kerberos integration if you could provide some
hints. I looked into it before for another reason and set it aside in the
too hard basket for a while... I posted back to the list to help others
if they're interested too.

One thing, I installed the LAM webapp for administration (and I did also
try this manually too) but when I'm asked for a password I have no idea
what password it's looking for (I do feel rather stupid!). This was
something I was going to try to solve next time I get back to this
project - it was late at night and I had only just got it installed and
running. It says in the install guide that it will ask for the secret
once you add a ldif file, so I assumed it would set it then - I was
wrong...

Thanks for the help.
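
A pre-flight check for the client swap described in the quoted reply, as an added example that is not part of either message: it lists which binaries are linked against the OpenLDAP client and, if sudo is one of them, checks wheel membership before `make deinstall`. The function names and the default binary paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check before `make deinstall`.

# links_ldap: read ldd(1) output on stdin; succeed if libldap/liblber is listed.
links_ldap() {
    grep -Eq 'lib(ldap|lber)[-_.a-z0-9]*\.so'
}

# in_wheel: succeed if the space-separated group list in $1 contains "wheel".
in_wheel() {
    case " $1 " in
        *" wheel "*) return 0 ;;
        *) return 1 ;;
    esac
}

# ldap_dependents: print each existing file in "$@" that links the LDAP client.
ldap_dependents() {
    for bin in "$@"; do
        [ -f "$bin" ] || continue
        if ldd "$bin" 2>/dev/null | links_ldap; then
            echo "$bin"
        fi
    done
}

# preflight: report dependents and whether the su(1) fallback is available.
preflight() {
    deps=$(ldap_dependents "$@")
    if [ -n "$deps" ]; then
        echo "Linked against the OpenLDAP client (stop these first):"
        echo "$deps"
    fi
    case "$deps" in
        *sudo*)
            if in_wheel "$(id -Gn)"; then
                echo "sudo will break at deinstall; you are in wheel, confirm the root password for su(1)."
            else
                echo "sudo will break at deinstall and you are NOT in wheel."
            fi ;;
    esac
    return 0
}

# Assumed default ports paths; pass your own binaries or modules as arguments.
[ "$#" -gt 0 ] || set -- /usr/local/bin/sudo /usr/local/sbin/httpd \
    /usr/local/bin/php /usr/local/sbin/asterisk
preflight "$@"
```

Apache and PHP often load LDAP support from a separate module rather than the main binary, so pass those module files as arguments as well.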



More information about the freebsd-questions mailing list