
Re: Slapd.d Config File



Ted Johnson wrote:
----- Original Message ----
From: Pierangelo Masarati <ando@sys-net.it>
To: Ted Johnson <whatawonderfulworldweliveintoo@yahoo.com>
Cc: OpenLDAP-software@openldap.org
Sent: Sunday, October 15, 2006 5:28:09 PM
Subject: Re: Slapd.d Config File

Ted Johnson wrote:
> * Does someone out there in OpenLDAP-land have a slapd.d conf file
> they could share?
Try "/usr/local/libexec/slapd -f slapd.conf -F ./slapd.d
your-already-existing-empty-configuration-dir"
In my original mail I've never specified what path you were supposed to find slapd in.

Interesting. It complained there was no slapd binary.
Where your binaries are located, and what path you use is not relevant to this discussion.
Now, that worried me. I ran a search and found a binary here:
/usr/local/libexec/slapd
Now, since it wasn't in a bin dir, I didn't think that would work, but I didn't think it would hurt anything either, so I ran your command but with an absolute path to that binary, and voilà! there were the files.


> * Are the following still correct?
>         pidfile        /var/run/ldap/slapd.pid
>         argsfile    /var/run/ldap/slapd.args
>         modulepath    /usr/lib/openldap
>         pam_ldap
pam_ldap has never been a valid slapd.conf directive

How does one include modules, then?
I don't understand what "pam_ldap" may have to do with slapd's modules. Also, I don't understand why you talk about modules if you don't have any idea of what they're supposed to do. Note that, unless you build slapd with module support, and you build components as modules, they will be statically built into slapd. The fact that you use statically built-in or run-time loaded modules, in any case, has nothing to do with a general discussion on using cn=config; I suggest keeping the two discussions separate.
Also, do you know of a good reference that would list all the modules with which OpenLDAP works and a description of them? Googled and got zip.

./configure --help.

> sasl-host ldap.2012.vi
> TLSRandFile /dev/random
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /etc/ssl/openldap/ldap.pem
> TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
> TLSCACertificatePath /etc/ssl/openldap/
> TLSCACertificateFile /etc/ssl/cacert.pem
> TLSCACertificateFile /etc/ssl/openldap/ldap.pem
> TLSVerifyClient demand # ([never]|allow|try|demand)
A hash mark ('#') followed by text is interpreted as an argument to the command that starts the line, not as a comment (as I assume you mean it).

No. Thanks.

>         loglevel 256
>         database        bdb
>         suffix        "dc=2012,dc=vi"
>         rootdn        "cn=admin,dc=2012,dc=vi"
>         directory    /var/lib/ldap
>         index        objectClass                        eq,pres
>         access: to dn.base="/var/lib/ldap" by root read
No colon (':') after "access" is allowed in the "access" access control
directive
>         database monitor
The above seems to be a collection of partially incorrect slapd.conf
statements.  Provided you fix what's wrong, it should be fine to
generate the cn=config database following indications above.  Note that
you don't have to generate the cn=config database unless you intend to
use it, and I suggest you don't until you understand all the
implications and its general usefulness.  From your message, it appears
you didn't understand it yet, and you got the false perception that the
traditional way of configuring slapd is no longer valid, which is
absolutely not true.

Well, I was just following directions ;) ***This list*** told me to ask my beginner questions at ldap@umich.edu.
The questions you just asked are OpenLDAP specific, and in fact you got OpenLDAP specific answers (as good as mine can be, at least). I don't see how that list could have helped you through details of very recent OpenLDAP development. I'm not saying you can't ask beginner's questions; of course they're welcome as soon as they can lead to improving your (and others') understanding of how things work. It seems to me that starting with cn=config while you don't appear to have a clear understanding of how OpenLDAP's slapd works sounds a bit too ambitious. All in all, cn=config is a __very__ new feature. My point is that there's tons of info out there about how to configure slapd via slapd.conf(5), and yet too little about how to do it using cn=config (and the most authoritative documentation for both is the Admin Guide <http://www.openldap.org/doc/admin23/>). So I suggest you stick with slapd.conf(5) by now; it's up to you to follow advice, though :).
*That* list recommended all sorts of material to study. And there is a __lot__ of confusion created from following these divergent suggestions. Unfortunately, the documentation on openldap.org is __very__limited__ and needs to be supplemented.
The project is open; the FAQ <http://www.openldap.org/faq/data/cache/1.html> is interactive, and <http://www.openldap.org/devel/contributing.html> details how to contribute, if you think the documentation needs to be supplemented. Saying that may sound a bit offensive to all persons that spent their spare time in writing a fair amount of documentation (> 3 MB of man pages; 16 chapters of Admin Guide; ~2000 nodes of FAQ; ...). If you can suggest specific improvements to specific portions of documentation, feel free to post them; if all you have to say is "__very__limited__", well... (silently counting to a billion...)
Maybe easy for you guys, but I live on top of a mountain in the middle of nowhere in the Dominican Republic with my trusty satellite dish...and getting books here via Amazon takes longer than you'd think and costs a fortune. So, I have to rely on what's available online...and in this case, it's been disappointing, to say the least.
All documentation on OpenLDAP.org is plain HTML or txt (man pages), so downloading it shouldn't be a big deal. Note that all the indications you got so far from me have been taken from the Admin Guide <http://www.openldap.org/doc/admin23/>. I don't know what documentation you read so far, but if you didn't read (and understand) the Admin Guide I strongly urge you to do so. Man pages like slapd.conf(5), slapd.access(5) and backend (and overlay) specific pages, like slapd-bdb(5) may be of help in understanding the details of each statement.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
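As an added example (written for this archive page, not code from the thread or from the OpenLDAP project), the following Python lint pass catches the three slapd.conf mistakes pointed out in the exchange above before the file is fed to slapd or converted to cn=config: a '#' that is not at the start of a line (slapd treats the rest of the line as arguments, not as a comment), "access:" written with a colon, and "pam_ldap" used as if it were a directive. The sample configuration embedded in the block is constructed from the fragment Ted quoted; the blank-line, leading-'#' and leading-whitespace continuation rules follow slapd.conf(5), and the list of invalid directives is an assumption limited to what this message states.

```python
"""Added example: lint a slapd.conf text for the pitfalls named in the thread.
This is not OpenLDAP code; it only checks what the message above explains."""
import shlex

# Assumption drawn from the thread: pam_ldap is a PAM client-side module, never
# a slapd.conf directive. Extend this set for your own site's known mistakes.
INVALID_DIRECTIVES = {"pam_ldap"}


def logical_lines(text):
    """Return [(line_no, logical_line)] applying slapd.conf(5) layout rules:
    blank lines and lines whose first character is '#' are ignored, and a line
    beginning with whitespace continues the previous logical line."""
    out = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and out:
            prev_no, prev = out[-1]
            out[-1] = (prev_no, prev + " " + raw.strip())
        else:
            out.append((no, raw.rstrip()))
    return out


def lint_slapd_conf(text):
    """Return [(line_no, message)] for every suspicious logical line."""
    findings = []
    for no, line in logical_lines(text):
        try:
            toks = shlex.split(line)  # honours the double quotes slapd allows
        except ValueError as err:
            findings.append((no, f"unbalanced quoting: {err}"))
            continue
        if not toks:
            continue
        directive = toks[0]
        if directive.lower() == "access:":
            findings.append((no, "no colon after 'access': write 'access to ... by ...'"))
        elif directive.lower() in INVALID_DIRECTIVES:
            findings.append((no, f"'{directive}' is not a slapd.conf directive"))
        # A '#' after the first token is NOT a comment: every remaining token,
        # including the '#' itself, is passed as an argument to the directive.
        for i, tok in enumerate(toks[1:], start=1):
            if tok.startswith("#"):
                extra = toks[i:]
                findings.append((no, f"'#' mid-line is not a comment; {extra} "
                                     f"become arguments of '{directive}'"))
                break
    return findings


# Constructed sample mirroring the fragment quoted in the thread.
SAMPLE = """\
# constructed sample: only the lines needed to show the three pitfalls
pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
modulepath      /usr/lib/openldap
pam_ldap
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSVerifyClient demand # ([never]|allow|try|demand)
database        bdb
suffix          "dc=2012,dc=vi"
rootdn          "cn=admin,dc=2012,dc=vi"
access: to dn.base="/var/lib/ldap" by root read
"""

if __name__ == "__main__":
    for line_no, msg in lint_slapd_conf(SAMPLE):
        print(f"line {line_no}: {msg}")
```

Run it against a real file with `lint_slapd_conf(open("/etc/openldap/slapd.conf").read())`; the point of the mid-line '#' check in particular is that a trailing "comment" on `TLSVerifyClient` silently changes what slapd receives, so the file should be clean before `slapd -f slapd.conf -F slapd.d` turns it into cn=config.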