OpenLDAP
Viewing Development/4829
Date: Fri, 2 Feb 2007 10:52:22 GMT
From: ghenry@suretecsystems.com
To: openldap-its@OpenLDAP.org
Subject: slapd-config should create olcDbDirectory
Full_Name: Gavin Henry
Version: N/A
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.159.59.85)


Dear All,

If we are to suppose that slapd-config is to provide 100% remote configuration,
then directories should be created as set in:

olcDbDirectory
set_lg_dir


Questions/Needs:

1. How to handle existing directories on mkdir?
2. Some global cn=config setting to say what cn=config is allowed to do
3. Plus many more I'm sure.

Thanks,

Gavin.

-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/


Followup 1

Date: Sat, 17 Feb 2007 07:45:37 -0800
From: Howard Chu <hyc@symas.com>
To: ghenry@suretecsystems.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#4829) slapd-config should create olcDbDirectory
ghenry@suretecsystems.com wrote:

> Dear All,
> 
> If we are to suppose that slapd-config is to provide 100% remote
> configuration,
> then directories should be created as set in:
> 
> olcDbDirectory
> set_lg_dir
> 
> 
> Questions/Needs:
> 
> 1. How to handle existing directories on mkdir?
> 2. Some global cn=config setting to say what cn=config is allowed to do
> 3. Plus many more I'm sure.

Some of this touches on issues raised in ITS#4535. We probably need to answer 
those points first.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   Chief Architect, OpenLDAP     http://www.openldap.org/project/



Followup 2

Date: Sat, 17 Feb 2007 18:43:29 -0000 (UTC)
Subject: Re: (ITS#4829) slapd-config should create olcDbDirectory
From: "Gavin Henry" <ghenry@suretecsystems.com>
To: "Howard Chu" <hyc@symas.com>
Cc: openldap-its@openldap.org
<quote who="Howard Chu">
> ghenry@suretecsystems.com wrote:
>
>> Dear All,
>>
>> If we are to suppose that slapd-config is to provide 100% remote
>> configuration,
>> then directories should be created as set in:
>>
>> olcDbDirectory
>> set_lg_dir
>>
>>
>> Questions/Needs:
>>
>> 1. How to handle existing directories on mkdir?
>> 2. Some global cn=config setting to say what cn=config is allowed to do
>> 3. Plus many more I'm sure.
>
> Some of this touches on issues raised in ITS#4535. We probably need to
> answer
> those points first.

Understood.

>
> --
>    -- Howard Chu
>    Chief Architect, Symas Corp.  http://www.symas.com
>    Director, Highland Sun        http://highlandsun.com/hyc
>    Chief Architect, OpenLDAP     http://www.openldap.org/project/
>



Followup 3

Date: Sun, 18 Feb 2007 22:09:21 -0000 (UTC)
Subject: Re: (ITS#4829) slapd-config should create olcDbDirectory
From: "Gavin Henry" <ghenry@suretecsystems.com>
To: openldap-its@openldap.org
<quote who="ghenry@suretecsystems.com">
> <quote who="Howard Chu">
>> ghenry@suretecsystems.com wrote:
>>
>>> Dear All,
>>>
>>> If we are to suppose that slapd-config is to provide 100% remote
>>> configuration,
>>> then directories should be created as set in:
>>>
>>> olcDbDirectory
>>> set_lg_dir
>>>
>>>
>>> Questions/Needs:
>>>
>>> 1. How to handle existing directories on mkdir?
>>> 2. Some global cn=config setting to say what cn=config is allowed to do
>>> 3. Plus many more I'm sure.
>>
>> Some of this touches on issues raised in ITS#4535. We probably need to
>> answer
>> those points first.
>
> Understood.
>

In another step towards 100% remote admin/config, could we store StartTLS
certs in the directory for slapd usage, replacing the need for:

TLS* config path hardcoding?

Gavin.




Followup 4

Date: Sun, 18 Feb 2007 15:39:07 -0800
From: Howard Chu <hyc@symas.com>
To: ghenry@suretecsystems.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#4829) slapd-config should create olcDbDirectory
ghenry@suretecsystems.com wrote:
> In another step towards 100% remote admin/config, could we store StartTLS
> certs in the directory for slapd usage, replacing the need for:
> 
> TLS* config path hardcoding?

One step at a time... Ordinarily I would store certs in an entry with the 
same DN as the cert. This would mean creating a directory entry for your 
server name, as well as directory entries for any client certs you wanted to 
use. That's probably not the ideal way to go here.

We could store the certs directly, in attributes under cn=config. We could 
also just store DNs in the config attributes, pointing to certs in some other 
database entries.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   Chief Architect, OpenLDAP     http://www.openldap.org/project/



Followup 5

Date: Mon, 19 Feb 2007 07:19:32 -0000 (UTC)
Subject: Re: (ITS#4829) slapd-config should create olcDbDirectory
From: "Gavin Henry" <ghenry@suretecsystems.com>
To: hyc@symas.com
Cc: openldap-its@openldap.org
<quote who="hyc@symas.com">
> ghenry@suretecsystems.com wrote:
>> In another step towards 100% remote admin/config, could we store
>> StartTLS
>> certs in the directory for slapd usage, replacing the need for:
>>
>> TLS* config path hardcoding?
>
> One step at a time...

Sure, I just wanted to have this wish recorded somewhere ;-)


> Ordinarily I would store certs in an entry with the
> same DN as the cert. This would mean creating a directory entry for your
> server name, as well as directory entries for any client certs you wanted
> to
> use. That's probably not the ideal way to go here.
>
> We could store the certs directly, in attributes under cn=config. We could
> also just store DNs in the config attributes, pointing to certs in some
> other
> database entries.

Understood.

>
> --
>    -- Howard Chu
>    Chief Architect, Symas Corp.  http://www.symas.com
>    Director, Highland Sun        http://highlandsun.com/hyc
>    Chief Architect, OpenLDAP     http://www.openldap.org/project/
>
>
>


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org