[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Installation openLDAP in Debian

To: Howard Chu <hyc@symas.com>
Subject: Re: Installation openLDAP in Debian
From: LALOT Dominique <dom.lalot@gmail.com>
Date: Thu, 21 Apr 2011 09:47:42 +0200
Cc: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>, Simone Piccardi <piccardi@truelite.it>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=zhf7IBxk5nVjUshwTiDVLM7XMUtew3QeOIAoE7v9nX8=; b=BhZp3stBeBR9o3EXdigfLVgM4FLN12TCGBBreo5ovm0Hc4CYbPkm3H0RA9xwCAhYG9 W6qo9ESgieNTNvUGcH4HeTthUHJExtYFH3dLKBfaGa2r8nfFxTAnQmWVuLfoNjSbDmMQ W6nCbCjBSPv0kMiGE8sGeoTNV3qiYZAWM/0oQ=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=PPqx+Fj9bJptJ2HQpcf4jNZjUqv9i5zgS3JKYecOrtJaMRreeVveK21j8Te2Y0Ro0r wRnxqlJSgYUfOvgUzyuzStSU2IJASFJfSzIT03gDwEqutuLS96ACgoRZsDlku6EO9Ana T7fp4oH1ChYPRp3ZWeyDkLFO1YlVk5AQCnwEc=
In-reply-to: <4DAFB416.3040109@symas.com>
References: <BANLkTikfeAfRqNVEJdvRcoXz2SMk_eOrPg@mail.gmail.com> <BANLkTik15pcioQzSq06Go3Nx5QkW45VF8A@mail.gmail.com> <4DAF2019.4000800@truelite.it> <4DAF329D.3040509@symas.com> <BANLkTimtGCPzrnEnPKFNkimM00Lv9gdbng@mail.gmail.com> <4DAF469A.8000301@symas.com> <BANLkTi=F6LZGofbcLrJJ_84EiYbCEDAffQ@mail.gmail.com> <4DAFB416.3040109@symas.com>

Hello Howard,

Nothing else to discuss? When I started a long time ago, the learning edge was a little bit easier, as to start your configuration you don't need to use ldap tools. You know the problem of chicken and eggs.
On other ldap servers, software comes with a GUI to configure. If you don't do that and you get rid of slapd.conf I imagine that lots of beginners will try some other solutions than OpenLDAP and that would be a pity.
And a configuration tool can help to glue the dependences between directives. It's harder and harder to understand what to put, where, and the side effects. I was just playing around with ProxyAuth, using directives, slaptest OK, but I am not using SASL which should be (after a day to test) something required. But my slaptest is OK..

Another example: We have several independant for the moment databases that are glued together. That's not the same config and we need to have an acl part with limits and rights. If I do that with cn=config, I have to write an ldap programm to add, modify, delete attributes.
Using an include acl.conf in slapd.conf, just rsync acl.conf and restart. And the comments in slapd.conf are very usefull.
Please do not remove slapd.conf or add a configure tool.

Dom

2011/4/21 Howard Chu <hyc@symas.com>

Jose Ildefonso Camargo Tolosa wrote:

On Wed, Apr 20, 2011 at 4:18 PM, Howard Chu<hyc@symas.com> wrote:

Jose Ildefonso Camargo Tolosa wrote:

On Wed, Apr 20, 2011 at 2:53 PM, Howard Chu<hyc@symas.com> wrote:

The tree of files is not meant for you to ever look at or modify
directly.
Just use slapcat or ldapsearch. If you know anything about LDAP at all
this
is MUCH easier than editing flat text files, since you can use any LDAP
tool
(commandline or GUI) to do all the administration.

I don't find complex to directly modify the files, actually, I find it
easier than having to write a ldif modification script every time I
need to apply a change! I just go ahead and edit the corresponding
ldif file on slapd.d

You are editing the backing store of a slapd internal database. If slapd is
running while you're doing this, you will probably corrupt the database.
Even if slapd is not running, you'll probably corrupt the database.

Ok, I'll fall for this: how in the world can I corrupt a text (ldif)
file? I have done that for quite some time, and I have never had a
single issue with it. Off course, I need to restart slapd to make it
use my changes, but it is not big deal on my environment (for other
environments, you can use ldapmodify (or similar) and make changes on
the fly).

There are many possibilities. The most obvious is leaving random whitespace at the end of a line, which frequently trips up people who manually edit flat text files. I won't go into the other possibilities because frankly, it's an internal implementation detail and not worth mentioning. Suffice to say, if you're not going to take the word of the programmer who designed and implemented all of this that editing by hand is prone to corruption, then we have nothing further to discuss.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

--
Dominique LALOT
Ingénieur Systèmes et Réseaux
http://annuaire.univmed.fr/showuser.php?uid=lalot

Follow-Ups:
- Re: Installation openLDAP in Debian
  - From: Howard Chu <hyc@symas.com>

References:
- Installation openLDAP in Debian
  - From: "D. R. Paudel" <rajme690@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Simone Piccardi <piccardi@truelite.it>
- Re: Installation openLDAP in Debian
  - From: Howard Chu <hyc@symas.com>
- Re: Installation openLDAP in Debian
  - From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Howard Chu <hyc@symas.com>
- Re: Installation openLDAP in Debian
  - From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: new entry lost on multi-master setup (two scenarios)
Next by Date: Re: Installation openLDAP in Debian
Index(es):
- Chronological
- Thread