Re: Questions about the Monitor Backend
On 9 May 09, at 08:06, Howard Chu wrote:

> Thierry Lacoste wrote:
>> Hello,
>> I have recently upgraded from 2.3.24 to 2.4.16.
>> I find two points confusing in the "Monitor Backend" section
>> of the B annex "Upgrading from 2.3.x" in the admin guide
>> (http://www.openldap.org/doc/admin24/appendix-upgrading.html#Monitor%20Backend).
>> First, my slapd happily starts even when I have no rootdn in my
>> "database monitor" section.
>> The admin guide says:
>> A monitor (slapd-monitor(5)) now needs a rootdn entry. If you do not
>> have one, slapd will fail to start up with an error message like so:
>> monitor_back_register_entry_attrs(""):
>> base="cn=databases,cn=monitor" scope=one
>> filter="(namingContexts:distinguishedNameMatch:=dc=example,dc=com)":
>> unable to find entry
>> backend_startup_one: bi_db_open failed! (1)
>> slap_startup failed (test would succeed using the -u switch)
>> Am I the only one to not experience this? Or is it going to happen
>> somewhere in the 2.4 series?
>> Second, the example of the admin guide reads:
>> database monitor
>> rootdn cn=monitor
>> rootpw change_me
>> Is it on purpose that the rootdn equals the hardcoded suffix of the
>> monitor database?
>
> Yes.
>
>> In the "Monitor" section of the admin guide, the example reads:
>> database monitor
>> rootdn "cn=monitoring,cn=Monitor"
>> rootpw monitoring
>> The choice of the rootdn seems much more intuitive
>
> Seems less intuitive to me... "root" means the base / origin /
> trunk / whatever. Calling something that is clearly *below* the root
> the "rootdn" is nonsensical. The fact that it's been standard
> practice for others says to me that those other folks' brains were
> muddled when they defined all these things.

So I guess you would say the same thing about this example, which is
quite ubiquitous:
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"

>> but then it seems
>> a bit weird to not use it in the ACL below:
>
> You seem to have forgotten that the current database's rootdn always
> ignores all ACLs on that database. The purpose of this ACL is to
> allow the "uid=Admin" identity that resides in some *other* database
> to have privileges in this database.
>
>> access to dn.subtree="cn=Monitor"
>> by dn.exact="uid=Admin,dc=my,dc=org" write
>> by users read
>> by * none

Thanks a lot.
Thierry.
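The two rules that come up in this exchange (back-monitor's suffix is hardcoded to cn=Monitor and the 2.4 upgrade notes say it needs a rootdn; a database's own rootdn bypasses that database's ACLs, so an ACL on cn=Monitor only matters for identities that live in some other database) can be checked mechanically against a slapd.conf. The script below is an added example written for this page, not OpenLDAP code and not something posted in the thread. It parses a constructed slapd.conf fragment modelled on the snippets quoted above (the bdb database, the suffix dc=my,dc=org, the uid=Admin identity and the placeholder-password list are assumptions) and reports a missing monitor rootdn, a rootdn equal to or outside the suffix, a placeholder rootpw, ACL clauses naming the database's own rootdn (which do nothing), and cross-database identities that gain access only through the ACL.

```python
"""Lint a slapd.conf fragment for the monitor-backend points raised in the
thread: a 'database monitor' without a rootdn, how the rootdn relates to the
hardcoded cn=Monitor suffix, a placeholder rootpw, and which identities an
ACL on the database actually affects (the database's own rootdn bypasses its
ACLs, so only identities from elsewhere gain anything from it).

Added example, not OpenLDAP code. It handles the slapd.conf(5) subset used
below (one directive per line, whitespace-indented continuation lines, '#'
comments) and is not a complete slapd.conf parser.
"""
import re

# Constructed sample (assumption), modelled on the snippets quoted in the thread.
SAMPLE_CONF = """\
database bdb
suffix "dc=my,dc=org"
rootdn "cn=Manager,dc=my,dc=org"
rootpw {SSHA}hashed-value-here

database monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw change_me
access to dn.subtree="cn=Monitor"
    by dn.exact="uid=Admin,dc=my,dc=org" write
    by users read
    by * none
"""

PLACEHOLDER_PW = {"change_me", "secret", "monitoring"}   # assumed placeholder list
MONITOR_SUFFIX = "cn=Monitor"                            # hardcoded by back-monitor


def normalize_dn(dn):
    """Lower-case and drop spaces around commas; enough for comparing config
    values, not full RFC 4514 normalization."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()


def dn_within(dn, suffix):
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def parse_access(rest):
    """'to <what> by <who> <level> [by ...]' -> (what, [(who, level), ...])"""
    m = re.match(r"to\s+(.+?)\s+by\s+(.*)$", rest)
    if not m:
        raise ValueError("unsupported access directive: " + rest)
    clauses = []
    for clause in re.split(r"\s+by\s+", m.group(2)):
        parts = clause.split()
        clauses.append((parts[0], parts[1] if len(parts) > 1 else "none"))
    return m.group(1), clauses


def parse_conf(text):
    """Return one dict per 'database' section: type, suffix, rootdn, rootpw, acls."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:          # continuation line
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    dbs = []
    for line in lines:
        parts = line.split(None, 1)
        directive = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if directive == "database":
            dbs.append({"type": rest, "suffix": MONITOR_SUFFIX if rest == "monitor" else None,
                        "rootdn": None, "rootpw": None, "acls": []})
        elif not dbs:
            continue                            # global directives are not needed here
        elif directive in ("suffix", "rootdn", "rootpw"):
            dbs[-1][directive] = rest.strip('"')
        elif directive == "access":
            dbs[-1]["acls"].append(parse_access(rest))
    return dbs


def lint(dbs):
    """Return human-readable findings, one per problem or notable point."""
    out = []
    for db in dbs:
        t, suffix, rootdn = db["type"], db["suffix"], db["rootdn"]
        if rootdn is None:
            out.append(f"{t}: no rootdn (the 2.4 upgrade notes say back-monitor needs one)")
        elif suffix and normalize_dn(rootdn) == normalize_dn(suffix):
            out.append(f"{t}: rootdn equals the suffix {suffix}")
        elif suffix and not dn_within(rootdn, suffix):
            out.append(f"{t}: rootdn {rootdn} lies outside the suffix {suffix}")
        if db["rootpw"] and db["rootpw"].lower() in PLACEHOLDER_PW:
            out.append(f"{t}: rootpw is a placeholder value")
        for what, clauses in db["acls"]:
            for who, level in clauses:
                m = re.match(r'dn(?:\.exact)?="?([^"]+)"?$', who)
                if not m:
                    continue                    # 'users', '*', sets, regex forms: skipped
                ident = m.group(1)
                if rootdn and normalize_dn(ident) == normalize_dn(rootdn):
                    out.append(f"{t}: 'by dn={ident}' is a no-op, the rootdn bypasses ACLs")
                elif suffix and not dn_within(ident, suffix):
                    out.append(f"{t}: {ident} belongs to another database; "
                               f"it gets '{level}' on {what} only through this ACL")
    return out


if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)):
        print(finding)
```

Run against the sample it reports the placeholder rootpw on the monitor database and notes that uid=Admin,dc=my,dc=org (a bdb identity) gets write on cn=Monitor purely through the ACL; the monitor rootdn itself produces no ACL finding because it never consults them. Point it at your own slapd.conf to see which `by dn=` clauses are dead weight and which identities from other databases you have actually granted access to the monitor tree.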