OpenLDAP 'deref' overlay

Scott Lovenberg scott.lovenberg at
Fri Jan 2 21:16:29 GMT 2009

Sassy Natan wrote:
> On 16 Dec 2008 08:18:21 Andrew Bartlett wrote:
> """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> s4:provision: use extended_dn_out_ldb or extended_dn_out_dereference
> depending on ...<;a=commit;h=ebe1e923c862798602b563211ec8c625fc4032ea>
> This just changes the existing strategy of loading different modules
> for the OpenLDAP backend to also include extended_dn_out_*
> When we provision the OpenLDAP backend, we make sure to include the
> 'deref' overlay (which must be made available by the OpenLDAP build)
> """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> I'm using Debian OpenLDAP 2.4.11 via the Debian repository, but it seems
> that the 'deref' overlay doesn't exist in this version, so I had to compile
> my own OpenLDAP server version 2.4.13.
> I was wondering if anyone can tell me which options should be on when compiling
> the new version.
> Basically I add them all like this:
> ./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
> --sysconfdir=/etc/ --localstatedir=/var --libdir=/usr/lib/ldap
> --includedir=/usr/include/ --mandir=/usr/share/man --enable-debug=yes
> --enable-dynamic=yes --enable-syslog=yes --enable-proctitle=yes
> --enable-ipv6=yes --enable-local=yes --enable-slapd=yes
> --enable-cleartext=yes --enable-crypt=yes --enable-lmpasswd=yes
> --enable-spasswd=yes --enable-modules=yes --enable-rewrite=yes
> --enable-rlookups=yes --enable-slapi=yes --enable-slp=yes
> --enable-wrappers=yes --enable-backends=yes --enable-bdb=yes
> --enable-dnssrv=yes --enable-hdb=yes --enable-ldap=yes --enable-meta=yes
> --enable-monitor=yes --enable-ndb=yes --enable-null=yes --enable-passwd=yes
> --enable-perl=yes --enable-relay=yes --enable-shell=yes --enable-sock=yes
> --enable-sql=yes --enable-overlays=yes --enable-accesslog=yes
> --enable-auditlog=yes --enable-collect=yes --enable-constraint=yes
> --enable-dds=yes --enable-deref=yes --enable-dyngroup=yes
> --enable-dynlist=yes --enable-memberof=yes --enable-ppolicy=yes
> --enable-proxycache=yes --enable-refint=yes --enable-retcode=yes
> --enable-rwm=yes --enable-seqmod=yes --enable-syncprov=yes
> --enable-translucent=yes --enable-unique=yes --enable-valsort=yes
> --enable-shared --enable-fast-install --with-cyrus-sasl --with-fetch
> --with-gssapi --with-threads --with-tls --with-odbc
> But I don't need all of this.
> Can someone provide some feedback?
> Thanks
> Sassy

FWIW, last time I compiled LDAP on Slackware I did the '...and the 
kitchen sink' thing with libraries to give me more flexibility, but I 
also ended up chasing dependencies for quite a few packages.

As for capabilities, it all depends on how you have your site set up.  
You should only need to enable your backend storage and protocols for it 
(I remember that enabling sql had a ton of dependencies).  You may want 
to skip over the ipv6 stack, too.  The 'includedir' probably isn't 
needed, but won't hurt anything.  So, the question is, what interfaces 
do you need for your setup?  BDB, passwd, tls, gssapi, and/or sasl, 
slapd, sock and threads is fairly common.  Accesslog and syslog are 
probably recommended, and auditlog might not be a bad idea.

All that being said, doing the 'kitchen sink' thing is also a way to go 
if you don't know exactly how you are going to interface a backend.  But 
it will increase your attack-surface and leave you chasing nested 
dependencies, and should be avoided if either of those ideas bothers 
you.  I'd stay away from compiling in sql unless you really want to use 
a sql backend, though - you'll need about 5 other packages to satisfy 
its requirements.
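
The trimming suggested in the reply above, as an added example that is not part of the original message: a small shell filter that keeps only allowlisted feature flags from a kitchen-sink configure line and reports what it drops. The allowlist maps the features named in the reply, plus the deref overlay this thread is about, to flags from the quoted command; that mapping and the names trim_flags, ALLOWED and SAMPLE are assumptions of this example.

```shell
#!/bin/sh
# Added example: allowlist filter for OpenLDAP ./configure feature flags.
# ALLOWED is an assumed mapping of the features named in the reply (plus
# deref) onto flags taken from the quoted command; adjust it for your site.
ALLOWED="--enable-slapd --enable-bdb --enable-passwd --enable-sock
--enable-syslog --enable-accesslog --enable-auditlog --enable-deref
--with-tls --with-gssapi --with-cyrus-sasl --with-threads"

# trim_flags FLAG...
# Prints the kept flags on stdout (space separated) and reports each dropped
# feature flag on stderr. Options that are not --enable-*/--with-* (install
# paths such as --prefix=/usr) pass through unchanged.
trim_flags() {
    kept=""
    for flag in "$@"; do
        name=${flag%%=*}            # strip "=yes" to get the bare flag name
        case "$name" in
            --enable-*|--with-*)
                ok=no
                for a in $ALLOWED; do
                    if [ "$a" = "$name" ]; then ok=yes; fi
                done
                if [ "$ok" = yes ]; then
                    kept="$kept $flag"
                else
                    echo "dropped: $flag" >&2
                fi
                ;;
            *) kept="$kept $flag" ;;
        esac
    done
    echo "${kept# }"
}

# Constructed sample: a subset of the flags from the quoted command.
SAMPLE="--prefix=/usr --enable-slapd=yes --enable-sql=yes --enable-bdb=yes
--enable-ipv6=yes --enable-deref=yes --enable-perl=yes --with-tls --with-odbc"

# Word splitting of $SAMPLE is intended here.
trim_flags $SAMPLE
```

The dropped list on stderr is the part worth reviewing: each entry is a backend, overlay or library that would otherwise be compiled in and need its own dependencies.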


More information about the samba-technical mailing list