
Re: requesting clarification of slapd.conf-versus-slapd.d configuration

On Wed, 26 Apr 2006, Howard Chu wrote:

>Eric Irrgang wrote:
>> On Thu, 20 Apr 2006, Howard Chu wrote:
>>
>>> What directives are you talking about getting repeated? Few of them
>>> tolerate being specified redundantly. But the whole point of the config
>>> directory is to show you the active configuration as slapd is using it.
>>> So, the better question for you is, how does slapd behave with repeated
>>> directives?
>>
>> Specifically, I have used an approach of separating out database
>> definitions into separate include files so that the main slapd.conf file
>> could have broader read permissions than the more sensitive parts that
>> include things like rootdn password hashes.  In a database specification I
>> may include separate security strength factors than the global section
>> specifies.
>
>As noted in
>http://www.openldap.org/lists/openldap-devel/200507/msg00099.html
>not all global directives support multiple instances. The security
>strength factor is set for the entire server, it has no per-database
>settings. The last setting in the configuration is what stays in effect.

No complaints here, but that seems to be inconsistent with the man pages
and my own experience.

From SLAPD.CONF(5) distributed with OpenLDAP 2.3.21:

security <factors>
          Specify a set of security strength  factors  (separated
          by  white space) to require (see sasl-secprops's minssf
          option for a description of security strength factors).
          The  directive  may  be  specified globally and/or per-
          database.

I specify ssf in the database section so that encryption is required for
operations in dc=blahblah but anonymous can retrieve the root DSE from the
null search base without encryption.  Now, I haven't tried setting
different security parameters in different backends in the same server, so
maybe that's what you are talking about?

-- 
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
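An added example for auditing the layout described in this message (it is not part of the thread or of OpenLDAP): it walks a slapd.conf and its include files, records each `security` directive with the scope it falls under, reports the last one in file order, and flags an included file carrying a rootpw hash that is readable by others. All file names and contents below are constructed.

```python
"""Audit 'security' directives and include-file permissions in a slapd.conf tree.
Added example for this thread, not OpenLDAP code. Assumes slapd.conf(5) syntax as
shown: one directive per line, 'database <type>' opens a per-database section,
'include <file>' is read inline. Continuation lines are not joined."""
import os, shlex, tempfile
from pathlib import Path


def audit(path, state=None):
    """Walk slapd.conf and its includes; record every 'security' directive with its scope."""
    if state is None:
        state = {"scope": "global", "security": [], "readable_secrets": [], "seen": set()}
    path = Path(path).resolve()
    if path in state["seen"]:                      # guard against include loops
        return state
    state["seen"].add(path)
    text = path.read_text()
    if "rootpw" in text and os.stat(path).st_mode & 0o004:
        state["readable_secrets"].append(path.name)  # password hash in a world-readable file
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key = parts[0].lower()
        if key == "database":
            state["scope"] = f"database {parts[1]}"  # later directives are per-database
        elif key == "include":
            audit(path.parent / parts[1], state)     # inline, so scope carries over
        elif key == "security":
            state["security"].append((state["scope"], path.name, lineno, parts[1:]))
    return state


def effective_last(state):
    """Last 'security' directive in file order (what stays in effect if the setting is server-wide)."""
    return state["security"][-1][3] if state["security"] else None


def demo(tmp=None):
    """Constructed sample: world-readable slapd.conf including a 0600 database file."""
    tmp = Path(tmp or tempfile.mkdtemp())
    (tmp / "slapd.conf").write_text("security ssf=0\ninclude db-example.conf\n")
    (tmp / "db-example.conf").write_text(
        'database bdb\nsuffix "dc=example,dc=com"\nrootdn "cn=admin,dc=example,dc=com"\n'
        "rootpw {SSHA}PLACEHOLDER-HASH\nsecurity ssf=128\n")
    os.chmod(tmp / "slapd.conf", 0o644)
    os.chmod(tmp / "db-example.conf", 0o600)
    return audit(tmp / "slapd.conf")
```

Compare the audit's view with what slapd actually enforces by querying the root DSE and a database suffix without TLS; the two may differ, which is exactly the question this thread leaves open.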