Re: back-config again

At 07:29 PM 3/28/2004, Howard Chu wrote:
>More notes on LDAP-enabling the slapd configuration mechanism...
>
>One step towards making the slapd configuration easily presentable in LDAP is
>to use LDIF for the config file format. There will be a cn=config backend
>implicitly defined, and everything will branch out underneath this.

Well, if we're assuming we're only presenting the configuration file
using LDAP, yes, that does seem like an early step.

However, I question whether "presenting the configuration file using
LDAP" is the best approach.

I am instead thinking we should consider REPLACING the configuration file
with a structured, object-oriented configuration base (e.g., directory
objects), and (almost all) configuration would simply be done via LDAP.

LDIF would only be used as input to slapadd/ldapmodify and output to
slapcat/ldapsearch.  That is, slapd would not read any configuration file.

(Now, maybe the configuration backend would sit atop an LDIF backend,
but the configuration backend could just as well sit on top of
BDB/HDB/LDBM.)

However, this is a far larger architectural shift than what you propose.

>The actual backend is implemented by specific modules corresponding to
>specific objectclasses. E.g., objectClass OpenLDAPbdbDatabase will contain
>attributes for a back-bdb configuration. Each backend type will export a
>table of functions to implement their respective objectclasses.
>
>The idea is somewhat reminiscent of the back-ftree backend.
>
>There are still some issues regarding order-dependent config info (like ACLs,
>sasl-regexp, database order). I have an idea to use attribute tagging to help
>out here, e.g.:

Yuk.

I'd rather we just change the format to include a precedence field:
        acls: 1: access to attrs=userPassword by anon auth
        acls: 2: access to * by self write by users read

Kurt
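The precedence-prefixed `acls` values proposed at the end of this message make the ordering of access rules explicit in the stored data, which matters because slapd applies the first `access to` directive whose target matches and ignores the rest. The following is an added illustration, not code from this thread or from OpenLDAP: a small parser for the proposed "precedence: rule" form that restores the intended order from an unordered set of attribute values, refuses duplicate precedences (which would leave the effective policy depending on the order the server happened to return the values in), and renumbers the set when a rule is inserted. The attribute name `acls`, the sample rules and the function names are taken from or modelled on the mail; the parsing and validation logic is hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample values in the "precedence: rule" form proposed in the
# mail above. LDAP returns multi-valued attribute values as an unordered set,
# so they are deliberately listed out of order here.
SAMPLE_ACLS = [
    "2: access to * by self write by users read",
    "1: access to attrs=userPassword by anon auth",
]

# "<decimal precedence>: <rule text>"; the rule text must be non-empty.
_PRECEDENCE_RE = re.compile(r"^\s*(\d+)\s*:\s*(\S.*?)\s*$")


def parse_acl_value(value: str) -> Tuple[int, str]:
    """Split one attribute value into (precedence, rule).

    Raises ValueError if the precedence prefix is missing or the rule is not
    an 'access to ...' directive, so a malformed value cannot silently become
    a rule that is skipped or misordered.
    """
    m = _PRECEDENCE_RE.match(value)
    if not m:
        raise ValueError(f"missing precedence prefix: {value!r}")
    precedence, rule = int(m.group(1)), m.group(2)
    if not rule.startswith("access to "):
        raise ValueError(f"not an access directive: {rule!r}")
    return precedence, rule


def order_acls(values: List[str]) -> List[str]:
    """Return the bare rules in precedence order.

    slapd evaluates access directives in order and stops at the first one
    whose <what> clause matches, so two values sharing a precedence would
    make the effective policy ambiguous; that is rejected rather than
    guessed at.
    """
    by_precedence: Dict[int, str] = {}
    for value in values:
        precedence, rule = parse_acl_value(value)
        if precedence in by_precedence:
            raise ValueError(
                f"duplicate precedence {precedence}: "
                f"{by_precedence[precedence]!r} vs {rule!r}"
            )
        by_precedence[precedence] = rule
    return [by_precedence[p] for p in sorted(by_precedence)]


def insert_acl(values: List[str], position: int, rule: str) -> List[str]:
    """Insert `rule` at 0-based `position` in the ordered list and renumber.

    Returns the full replacement value set (precedence starting at 1). Since
    the precedence numbers are part of the stored values, an insertion has
    to rewrite every value after the insertion point, which is why a client
    would replace the whole attribute rather than add a single value.
    """
    if not rule.startswith("access to "):
        raise ValueError(f"not an access directive: {rule!r}")
    rules = order_acls(values)
    if not 0 <= position <= len(rules):
        raise ValueError(f"position {position} out of range 0..{len(rules)}")
    rules.insert(position, rule)
    return [f"{i}: {r}" for i, r in enumerate(rules, start=1)]


if __name__ == "__main__":
    for rule in order_acls(SAMPLE_ACLS):
        print(rule)
    print()
    for value in insert_acl(SAMPLE_ACLS, 1, "access to attrs=mail by users read"):
        print(value)
```

Run stand-alone, the script prints the two sample rules in precedence order and then the renumbered three-value set after inserting a rule between them. The duplicate-precedence check is the part worth keeping in any real implementation: an access list whose order is undefined is an access list whose policy is undefined.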