[Date Prev][Date Next]
Re: Access Control development and cn=config
Anyways, it would be interesting to pursue a slapd.conf(5)-less
slapd(8). Initially the server would start up without no
configuration, listening only on ldapi:// and running with
access controls allowing only the owner of slapd(8) process
to read/write to the directory (use ldapi:// SASL/EXTERNAL for
authentication). Then, by a series of LDAP add, modify, and
extended operations, the owner could configure the directory
as desired. In general, changes to configuration items would
take effect immediately. So, adding an ACL would change the
policy being enforced.
And to persist the configuration between slapd(8) instances,
the configuration would be written to disk (LDIF) or database
files. While an admin could, in theory, muck with these
files, that practice would be undocumented and unsupported.
Instead of popping up on ldapi://, why not just distribute a
default initial config in LDIF form and slapadd it? (That default
initial config might only contain enough data to allow connection
from a gui configurator tool)
If that much worked, the actual backend used wouldn't matter,
though an LDIF-style backend would be nice for unexpected
situations and development. There was some mention that this
should probably be in separate files, potentially for each entry.
Is there any standard for "exploded" LDIF on the filesystem yet?