Re: requesting clarification of slapd.conf-versus-slapd.d configuration
On Wed, 26 Apr 2006, Howard Chu wrote:
>Eric Irrgang wrote:
>> On Thu, 20 Apr 2006, Howard Chu wrote:
>>> What directives are you talking about getting repeated? Few of them
>>> tolerate being specified redundantly. But the whole point of the config
>>> directory is to show you the active configuration as slapd is using it.
>>> So, the better question for you is, how does slapd behave with repeated
>> Specifically, I have used an approach of separating out database
>> definitions into separate include files so that the main slapd.conf file
>> could have broader read permissions than the more sensitive parts that
>> include things like rootdn password hashes. In a database specification I
>> may include separate security strength factors than the global section
>As noted in
>not all global directives support multiple instances. The security
>strength factor is set for the entire server, it has no per-database
>settings. The last setting in the configuration is what stays in effect.
No complaints here, but that seems to be inconsistent with the man pages
and my own experience.
From SLAPD.CONF(5) distributed with OpenLDAP 2.3.21:
Specify a set of security strength factors (separated
by white space) to require (see sasl-secprops's minssf
option for a description of security strength factors).
The directive may be specified globally and/or per-
I specify ssf in the database section so that encryption is required for
operations in dc=blahblah but anonymous can retrieve the root DSE from the
null search base without encryption. Now, I haven't tried setting
different security parameters in different backends in the same server, so
maybe that's what you are talking about?
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
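
An added example, not part of the original message or of OpenLDAP: a small audit for the split layout discussed above. It follows `include` lines, lists every `security` directive with the section it appears in, and reports whether each file holding a `rootpw` is world-readable. The function names and the sample files are constructed for illustration, and the script only reports where directives sit, not how slapd applies them.

```python
import os, shlex, stat, tempfile
def logical_lines(path):
    """slapd.conf: '#' lines are comments, leading whitespace continues a line."""
    buf = None
    with open(path) as fh:
        for line in fh:
            if line.startswith("#"):
                continue
            if line[:1] in " \t" and buf:
                buf += " " + line.strip()
                continue
            if buf:
                yield buf
            buf = line.strip() or None
    if buf:
        yield buf

def audit(path, state=None):
    """Collect 'security' directives by scope and rootpw file exposure."""
    state = state or {"scope": "global", "security": [], "rootpw": []}
    for line in logical_lines(path):
        words = shlex.split(line)
        key, args = words[0].lower(), words[1:]
        if key == "include" and args:
            audit(args[0], state)          # included file shares the scope
        elif key == "database" and args:
            state["scope"] = "database " + args[0]
        elif key == "suffix" and args and state["scope"] != "global":
            state["scope"] += " " + args[0]
        elif key == "security":
            state["security"].append((state["scope"], " ".join(args), path))
        elif key == "rootpw":
            mode = os.stat(path).st_mode
            state["rootpw"].append((path, bool(mode & stat.S_IROTH)))
    return state

def demo():
    """Constructed sample: 0644 main file, 0600 database include."""
    d = tempfile.mkdtemp()
    main, db = os.path.join(d, "slapd.conf"), os.path.join(d, "db.conf")
    with open(db, "w") as fh:
        fh.write('database bdb\nsuffix "dc=blahblah"\n'
                 'rootpw {SSHA}CONSTRUCTED-PLACEHOLDER\nsecurity ssf=128\n')
    with open(main, "w") as fh:
        fh.write("# global section\nsecurity ssf=0\ninclude %s\n" % db)
    os.chmod(main, 0o644); os.chmod(db, 0o600)
    return audit(main)
if __name__ == "__main__":
    print(demo())
```

More than one entry in the `security` list, under different scopes, is the situation the two posters disagree about and is worth checking against the running server.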