
Re: Multiple system-wide ldap.conf files



Howard Chu writes:
>Hallvard B Furuseth wrote:
>> I'd like to add support for multiple system-wide ldap.conf files.
>> Our site needs one which comes with the LDAP package, and one which
>> the host admin can create to override.
>
> You can already specify an additional config file using the LDAPCONF
> environment variable. Just put that in the system wide cshrc and shell
> profile.

Good idea.  That should take care of most of it.  Though I think there
are hosts where "just" is the wrong word:-)  And I need to check what's
going on with system accounts that have shells like /bin/false.
Hopefully they setuid() from an account with a real shell.

Deferring the rest to my "nice to have" list for now...

>> One way would be to add this to include/ldap_defaults.h:
>>      /* Array initializer for system-wide LDAP configuration files.
>>       * The contents of late files override earlier ones.
>>       * Update the FILES section of doc/man/man5/ldap.conf.5 to match.
>>       */
>>      #define LDAP_CONF_FILELIST { LDAP_CONF_FILE }
>> after the line
>>      #define LDAP_CONF_FILE LDAP_SYSCONFDIR LDAP_DIRSEP "ldap.conf"
>
> Not sure that hardcoding more paths is a good idea.
>
>> Another way: An ldap.conf directive "tryinclude <filename>" so the
>> package's ldap.conf can include the host-specific ldap.conf.  Also
>> allows a user's ldap.conf to include some package's ldap.conf, if
>> needed.  And it allows include-loops, so there should be a "max include
>> depth" limit.
>
> An include directive might be OK. It should simply record the trail of
> files it has already opened and refuse to include a file twice.

OK.  I think s/has already opened/currently has open/ though.
If file1 does some setup and then includes file2, that should
mean "let file2, if it exists, override the settings in file1".

-- 
Hallvard
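The include-loop question in the message above is easy to get wrong, so here is an added example (not OpenLDAP code, and "tryinclude" is the directive proposed in the thread, not an existing one) that reads a toy ldap.conf with a "tryinclude" directive under both policies discussed: refusing any file that has ever been opened, versus refusing only files that are currently open on the include stack. The file paths and their contents are constructed in memory for the example; a missing tryinclude target is skipped silently, as the "try" prefix suggests, and a MAX_DEPTH limit backs up the loop check.

```c
/* Toy ldap.conf reader with a hypothetical "tryinclude <file>" directive.
 * Added example, not OpenLDAP code; paths and file contents are invented. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 8
#define MAX_TRAIL 32

/* Constructed in-memory stand-ins for the files on disk. */
struct vfile { const char *name; const char *text; };
static const struct vfile vfs[] = {
    { "/etc/openldap/ldap.conf",                       /* the package's file */
      "BASE dc=pkg,dc=example\nURI ldap://pkg.example\n"
      "tryinclude /etc/openldap/ldap.conf.local\n"
      "tryinclude /etc/openldap/missing.conf\nTLS_REQCERT demand\n" },
    { "/etc/openldap/ldap.conf.local",                 /* the host admin's override */
      "URI ldap://host.example\ntryinclude /etc/openldap/ldap.conf\n" }, /* loops back */
    { "/etc/openldap/common.conf", "SIZELIMIT 500\n" },
    { "/etc/openldap/twice.conf",                      /* includes the same file twice */
      "tryinclude /etc/openldap/common.conf\nSIZELIMIT 10\n"
      "tryinclude /etc/openldap/common.conf\n" },
};

static const struct vfile *vfs_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof vfs / sizeof vfs[0]; i++)
        if (strcmp(vfs[i].name, name) == 0) return &vfs[i];
    return NULL;
}

/* The two loop-detection policies discussed in the thread. */
enum loop_policy {
    REFUSE_EVER_OPENED,    /* trail of every file already opened */
    REFUSE_CURRENTLY_OPEN  /* only the files currently open (the include stack) */
};

struct settings {
    char uri[64], base[64], reqcert[32];
    int sizelimit;
    int refused;   /* includes rejected by the loop policy or MAX_DEPTH */
    int missing;   /* tryinclude targets that do not exist: silently skipped */
};

struct reader {
    enum loop_policy policy;
    const char *open[MAX_DEPTH];  int depth;   /* stack of files being read now */
    const char *trail[MAX_TRAIL]; int ntrail;  /* every file opened so far */
};

static int in_list(const char *const *list, int n, const char *name)
{
    int i;
    for (i = 0; i < n; i++) if (strcmp(list[i], name) == 0) return 1;
    return 0;
}

static int keyeq(const char *a, const char *b)  /* ldap.conf keywords are case-insensitive */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static void read_conf(struct reader *r, const char *name, struct settings *s)
{
    const struct vfile *f = vfs_lookup(name);
    const char *p;

    if (f == NULL) { s->missing++; return; }
    if (r->depth >= MAX_DEPTH || in_list(r->open, r->depth, f->name) ||
        (r->policy == REFUSE_EVER_OPENED && in_list(r->trail, r->ntrail, f->name))) {
        s->refused++;
        return;
    }
    r->open[r->depth++] = f->name;
    if (r->ntrail < MAX_TRAIL) r->trail[r->ntrail++] = f->name;

    for (p = f->text; *p != '\0'; ) {
        char line[256], key[32], val[128];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *next = nl ? nl + 1 : p + len;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        p = next;
        if (line[0] == '#' || sscanf(line, "%31s %127s", key, val) != 2) continue;

        /* Later directives win, so an included file overrides whatever its
         * includer set before the include line. */
        if (keyeq(key, "tryinclude")) read_conf(r, val, s);
        else if (keyeq(key, "URI")) snprintf(s->uri, sizeof s->uri, "%s", val);
        else if (keyeq(key, "BASE")) snprintf(s->base, sizeof s->base, "%s", val);
        else if (keyeq(key, "TLS_REQCERT")) snprintf(s->reqcert, sizeof s->reqcert, "%s", val);
        else if (keyeq(key, "SIZELIMIT")) s->sizelimit = atoi(val);
    }
    r->depth--;  /* closed: may be included again under REFUSE_CURRENTLY_OPEN */
}

/* Parse `name` and everything it pulls in, under the given loop policy. */
struct settings load_conf(const char *name, enum loop_policy policy)
{
    struct reader r; struct settings s;
    memset(&r, 0, sizeof r); memset(&s, 0, sizeof s);
    r.policy = policy;
    read_conf(&r, name, &s);
    return s;
}

int main(void)
{
    struct settings a = load_conf("/etc/openldap/ldap.conf", REFUSE_CURRENTLY_OPEN);
    struct settings b = load_conf("/etc/openldap/twice.conf", REFUSE_CURRENTLY_OPEN);
    struct settings c = load_conf("/etc/openldap/twice.conf", REFUSE_EVER_OPENED);
    printf("URI=%s BASE=%s refused=%d missing=%d\n", a.uri, a.base, a.refused, a.missing);
    printf("twice.conf: currently-open SIZELIMIT=%d, ever-opened SIZELIMIT=%d (refused %d)\n",
           b.sizelimit, c.sizelimit, c.refused);
    return 0;
}
```

With the package file including the host file and the host file including the package file back, both policies stop the loop, because the package file is still on the open stack. The difference shows on twice.conf: under the currently-open policy the second include of common.conf is honoured and its SIZELIMIT overrides the includer's, which is the override semantics wanted above, while the ever-opened policy refuses it and the includer's value stands.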