
Re: Access Control development and cn=config



Anyways, it would be interesting to pursue a slapd.conf(5)-less
slapd(8).   Initially the server would start up without any
configuration, listening only on ldapi:// and running with
access controls allowing only the owner of slapd(8) process
to read/write to the directory (use ldapi:// SASL/EXTERNAL for
authentication).   Then, by a series of LDAP add, modify, and
extended operations, the owner could configure the directory
as desired.  In general, changes to configuration items would
take effect immediately.  So, adding an ACL would change the
policy being enforced.

And to persist the configuration between slapd(8) instances,
the configuration would be written to disk (LDIF) or database
files.  While an admin could, in theory, muck with these
files, that practice would be undocumented and unsupported.

Instead of popping up on ldapi://, why not just distribute a default
initial config in LDIF form and slapadd it?  (That default initial
config might only contain enough data to allow connection from a GUI
configurator tool.)

If that much worked, the actual backend used wouldn't matter,
though an LDIF-style backend would be nice for unexpected
situations and development.  There was some mention that this
should probably be in separate files, potentially for each entry.

Is there any standard for "exploded" LDIF on the filesystem yet?

Matthew Backes
lucca@csun.edu
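The bootstrap sketched in this thread (a slapadd'ed initial config whose
only ACL admits the slapd(8) process owner over ldapi:// with
SASL/EXTERNAL, after which policy is changed live with LDAP modify
operations) can be written down concretely. The script below is an added
example and is not code from this thread or from the OpenLDAP project. It
assumes the cn=config attribute and object class names that later shipped
with OpenLDAP (olcGlobal, olcDatabaseConfig, olcAccess, olcRootDN), the
peercred DN form slapd(8) derives from SO_PEERCRED for SASL/EXTERNAL on
ldapi://, a default socket reachable as ldapi:///, and, for the runtime
change, an already-existing data database at olcDatabase={1}mdb,cn=config.
All of those are assumptions, not facts stated in the thread.

```shell
#!/bin/sh
# Added example: bootstrap a cn=config that only the slapd(8) process owner
# can touch, then change policy at runtime over ldapi:// with SASL/EXTERNAL.
# Not from the original thread or the OpenLDAP project.

# DN slapd(8) assigns to a local ldapi:// client authenticated with
# SASL/EXTERNAL: nothing but the peer's uid and gid (assumed DN form).
peercred_dn() {
    uid=$1; gid=$2
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$gid" "$uid"
}

# olcAccess value granting "manage" to exactly that identity and nothing
# to anyone else. "{0}" is the ordering prefix cn=config uses for ACLs.
owner_only_acl() {
    printf '{0}to * by dn.exact=%s manage by * none\n' "$(peercred_dn "$1" "$2")"
}

# Write the minimal LDIF for the config database to $3, locked to uid $1 /
# gid $2. This is the "default initial config" to be slapadd'ed; it carries
# only the entries needed for a local admin tool to connect and configure.
bootstrap_config_ldif() {
    uid=$1; gid=$2; out=$3
    acl=$(owner_only_acl "$uid" "$gid")
    cat > "$out" <<EOF
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcAccess: $acl
EOF
}

# LDIF for a runtime policy change: add a password ACL to a data database.
# Assumes olcDatabase={1}mdb,cn=config exists (assumption). Once accepted,
# the new ACL is enforced immediately, which is the behaviour discussed.
acl_modify_ldif() {
    cat <<'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
EOF
}

# Build the config directory from the LDIF as the current user, then push
# the ACL change over the local socket. Requires the OpenLDAP tools and a
# running "slapd -F $confdir -h ldapi:///" owned by the same user.
apply_example() {
    confdir=${1:-/tmp/slapd.d}
    ldif=$(mktemp)
    bootstrap_config_ldif "$(id -u)" "$(id -g)" "$ldif"
    mkdir -p "$confdir"
    slapadd -n 0 -F "$confdir" -l "$ldif"
    # start slapd -F "$confdir" -h ldapi:/// here, then:
    acl_modify_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Only touch a real slapd(8) when explicitly asked: ./script apply [confdir]
if [ "${1:-}" = apply ] && command -v slapadd >/dev/null 2>&1; then
    apply_example "${2:-}"
fi
```

Run without arguments the script defines the helpers and does nothing;
`sh script.sh apply /tmp/slapd.d` performs the bootstrap. The "by * none"
tail is what makes the initial policy owner-only; anything looser (for
example "by * break") would let a later ACL on the same database widen
access before the owner has configured it.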