
Re: Installation openLDAP in Debian

2011/4/22 Simone Piccardi <piccardi@truelite.it>
On 21/04/2011 11:05, Howard Chu wrote:
> If you don't understand LDAP and LDIF then you cannot effectively
> administer an LDAP server. Period. There is no chicken and egg here -
> you must understand LDAP. You must know what "DIT" means. You must know
> what a DN is. You must know what a schema is. You must know what an
> attribute is. There is no bypassing this required knowledge.
> When you know what these things are, cn=config is just another DIT, that
> you manage just like every other DIT. The learning curve for cn=config
> is shorter than for slapd.conf, because once you learn the essential
> elements of LDAP, you also know all the essentials for configuring
> slapd. Otherwise, you have to learn LDAP + LDIF + slapd.conf syntax,
> which history has shown practically everybody gets *wrong*. The web is
> full of bogus slapd.conf examples with directives scattered all over the
> place, instead of in their proper order and location. Our ITS is
> frequently littered with such junk, configs created by people who
> hastily copy/pasted something they read from some howto somewhere,
> without understanding what they were really doing.
Sorry, but I cannot agree with this. Using cn=config, at least for now, is
far more complex. Saying that it's just another DIT is misleading.

To understand the configuration you need to understand what the contents
of that DIT mean, and the syntax you have to use for it. So you have to
learn LDAP + LDIF + cn=config syntax.

And as far as I can see, the cn=config syntax is far more complex than
that of slapd.conf.

Probably I'm stupid, but I still find it very hard to read all those {N}
placed all around that you need to use as special values for DNs, and
the same goes for all those olcSomeThing attributes and olcSomeClass
object classes that you have to use.

So something like:

slapadd -n0
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: MySecretPassword

is, for me, not easier to understand than saying "change the rootpw line
in the database stanza of your slapd.conf".

And sorry, it's probably a bad habit, but I'm used to putting comments in
my configuration files, and I cannot see how I can do this here.


I completely agree. As I said, a few statistics on what people use could be interesting. For me, comments and a text-file config are mandatory. I am not configuring mysql.cnf using a MySQL database. As has been said before, once your setup is done, you barely change it. And a little restart is not a problem when using replicas.
If some colleagues come after me (not specialized in LDAP), they would probably be more comfortable with a traditional text file than with an LDAP browser which just shows DNs and attributes.
It may be great to replicate cn=config, but from some mails I read, it seems not so easy. The harder it is to configure, the fewer people use it.


Dominique LALOT
Systems and Network Engineer
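As an added example (not part of this thread), the olcRootPW change from the LDIF quoted above, done the way a practitioner would on a running slapd: the password is stored as an {SSHA} hash (the same scheme slappasswd produces) instead of the cleartext MySecretPassword, and the LDIF carries '#' comment lines, which ldapmodify accepts even though cn=config does not keep them. The DN and attribute names are the real cn=config ones from the thread; the helper function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Real cn=config DN of the config database, as quoted in the thread.
CONFIG_DB_DN = "olcDatabase={0}config,cn=config"

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(pw + salt) + salt), as slappasswd emits."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8") + salt).digest(), digest)

def rootpw_modify_ldif(password_hash: str) -> str:
    """LDIF that replaces olcRootPW on the config database.

    Lines starting with '#' are LDIF comments (RFC 2849): ldapmodify accepts
    them, but they are not stored in cn=config itself.
    """
    if not password_hash.startswith("{"):  # simple guard: require an RFC 2307 scheme prefix
        raise ValueError("refusing to write a cleartext rootpw; hash it first")
    return "\n".join([
        "# Rotate the cn=config admin password (hashed, never cleartext).",
        f"dn: {CONFIG_DB_DN}",
        "changetype: modify",
        "replace: olcRootPW",
        f"olcRootPW: {password_hash}",
        "",
    ])

if __name__ == "__main__":
    # Apply on the host with: ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw.ldif
    print(rootpw_modify_ldif(make_ssha("MySecretPassword")))
```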