[Date Prev][Date Next]
Re: back-config again
At 07:29 PM 3/28/2004, Howard Chu wrote:
>More notes on LDAP-enabling the slapd configuration mechanism...
>One step towards making the slapd configuration easily presentable in LDAP is
>to use LDIF for the config file format. There will be a cn=config backend
>implicitly defined, and everything will branch out underneat this.
Well, if we're assuming we only presenting the configuration file
using LDAP, yes, that does seem like an early step.
However, I question whether "presenting the configuration file using
LDAP" is best approach.
I instead thinking we should consider REPLACING the configuration file
with a structured, object-oriented configuration base (e.g., directory
objects) and (almost all) configuration would simply be done via LDAP.
LDIF would only be used as input to slapadd/ldapmodify and output to
slapcat/ldapsearch. That is, slapd would not read any configuration file.
(Now, maybe the configuration backend would sit atop a LDIF backend,
but the configuration backend could just as well sit ontop of
However, this is a far larger architectural shift than what you propose.
>The actual backend is implemented by specific modules corresponding to
>specific objectclasses. E.g., objectClass OpenLDAPbdbDatabase will contain
>attributes for a back-bdb configuration. Each backend type will export a
>table of functions to implement their respective objectclasses.
>The idea is somewhat reminiscent of the back-ftree backend.
>There are still some issues regarding order-dependent config info (like ACLs,
>sasl-regexp, database order). I have an idea to use attribute tagging to help
>out here, e.g.:
I rather we just change the format to include a precedence field:
acls: 1: access to attrs=userPassword by anon auth
acls: 2: access to * by self write by users read