Full_Name: Gavin Henry
Version: N/A
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.159.59.85)

Dear All,

If we are to suppose that slapd-config is to provide 100% remote configuration,
then directories should be created as set in:

olcDbDirectory
set_lg_dir

Questions/Needs:

1. How to handle existing directories on mkdir?
2. Some global cn=config setting to say what cn=config is allowed to do
3. Plus many more I'm sure.

Thanks,

Gavin.

--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
changed notes moved from Incoming to Development
changed notes
ghenry@suretecsystems.com wrote:
> Dear All,
>
> If we are to suppose that slapd-config is to provide 100% remote configuration,
> then directories should be created as set in:
>
> olcDbDirectory
> set_lg_dir
>
> Questions/Needs:
>
> 1. How to handle existing directories on mkdir?
> 2. Some global cn=config setting to say what cn=config is allowed to do
> 3. Plus many more I'm sure.

Some of this touches on issues raised in ITS#4535. We probably need to answer
those points first.

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
changed notes changed state Open to Feedback
<quote who="Howard Chu">
> ghenry@suretecsystems.com wrote:
>
>> Dear All,
>>
>> If we are to suppose that slapd-config is to provide 100% remote
>> configuration, then directories should be created as set in:
>>
>> olcDbDirectory
>> set_lg_dir
>>
>> Questions/Needs:
>>
>> 1. How to handle existing directories on mkdir?
>> 2. Some global cn=config setting to say what cn=config is allowed to do
>> 3. Plus many more I'm sure.
>
> Some of this touches on issues raised in ITS#4535. We probably need to
> answer those points first.

Understood.

>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
<quote who="ghenry@suretecsystems.com">
> <quote who="Howard Chu">
>> ghenry@suretecsystems.com wrote:
>>
>>> Dear All,
>>>
>>> If we are to suppose that slapd-config is to provide 100% remote
>>> configuration, then directories should be created as set in:
>>>
>>> olcDbDirectory
>>> set_lg_dir
>>>
>>> Questions/Needs:
>>>
>>> 1. How to handle existing directories on mkdir?
>>> 2. Some global cn=config setting to say what cn=config is allowed to do
>>> 3. Plus many more I'm sure.
>>
>> Some of this touches on issues raised in ITS#4535. We probably need to
>> answer those points first.
>
> Understood.
>

In another step towards 100% remote admin/config, could we store StartTLS
certs in the directory for slapd usage, replacing the need for:

TLS* config path hardcoding.?

Gavin.
ghenry@suretecsystems.com wrote:
> In another step towards 100% remote admin/config, could we store StartTLS
> certs in the directory for slapd usage, replacing the need for:
>
> TLS* config path hardcoding.?

One step at a time... Ordinarily I would store certs in an entry with the
same DN as the cert. This would mean creating a directory entry for your
server name, as well as directory entries for any client certs you wanted to
use. That's probably not the ideal way to go here.

We could store the certs directly, in attributes under cn=config. We could
also just store DNs in the config attributes, pointing to certs in some other
database entries.

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
<quote who="hyc@symas.com">
> ghenry@suretecsystems.com wrote:
>> In another step towards 100% remote admin/config, could we store
>> StartTLS certs in the directory for slapd usage, replacing the need for:
>>
>> TLS* config path hardcoding.?
>
> One step at a time...

Sure, I just wanted to have this wish recorded somewhere ;-)

> Ordinarily I would store certs in an entry with the
> same DN as the cert. This would mean creating a directory entry for your
> server name, as well as directory entries for any client certs you wanted
> to use. That's probably not the ideal way to go here.
>
> We could store the certs directly, in attributes under cn=config. We could
> also just store DNs in the config attributes, pointing to certs in some
> other database entries.

Understood.

>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
see discussion on -devel, ITS#4535