[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: requesting clarification of slapd.conf-versus-slapd.d configuration

On Wed, 26 Apr 2006, Howard Chu wrote:

>Eric Irrgang wrote:
>> On Thu, 20 Apr 2006, Howard Chu wrote:
>>> What directives are you talking about getting repeated? Few of them
>>> tolerate being specified redundantly. But the whole point of the config
>>> directory is to show you the active configuration as slapd is using it.
>>> So, the better question for you is, how does slapd behave with repeated
>>> directives?
>> Specifically, I have used an approach of separating out database
>> definitions into separate include files so that the main slapd.conf file
>> could have broader read permissions than the more sensitive parts that
>> include things like rootdn password hashes.  In a database specification I
>> may include separate security strenth factors than the global section
>> specifies.
>As noted in
>not all global directives support multiple instances. The security
>strength factor is set for the entire server, it has no per-database
>settings. The last setting in the configuration is what stays in effect.

No complaints here, but that seems to be inconsistent with the man pages
and my own experience.

>From SLAPD.CONF(5) distributed with OpenLDAP 2.3.21:

security <factors>
          Specify a set of security strength  factors  (separated
          by  white space) to require (see sasl-secprops's minssf
          option for a description of security strength factors).
          The  directive  may  be  specified globally and/or per-

I specify ssf in the database section so that encryption is required for
operations in dc=blahblah but anonymous can retrieve the root DSE from the
null search base without encryption.  Now, I haven't tried setting
different security parameters in different backends in the same server, so
maybe that's what you are talking about?

Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342