
Re: Securing cn=config and allowing micro-engineering

On 20/10/2011 2:24 PM, Howard Chu wrote:

> Where do you get this "knowledge"? From Zytrax? slaptest tests "the server configuration" - it doesn't matter whether it is in slapd.conf or slapd.d.

I checked man slaptest (e.g. here: http://www.manpagez.com/man/8/slaptest/), which is titled: "slaptest - Check the suitability of the OpenLDAP slapd.conf file"; yet (my fault; I didn't read thoroughly) I now see that in the Description section it says: "It opens the slapd.conf(5) configuration file or the slapd-config(5) backend..."

So, if slaptest checks slapd.d config then fine!

> Manually editing slapd.d files is the surest way of causing a problem that prevents slapd from restarting.

OK, understood!

> Obvious approach:
>   slapcat -n0 -F old/slapd.d > config.ldif
>   edit config.ldif
>   slapadd -n0 -F new/slapd.d -l config.ldif
>   test using new/slapd.d

OK, I see. Valuable info.

Finally, there might be cases where ... someone would need to move to slapd.conf configuration

> Ask your buddies at Zytrax, they seem to think so.

Hey, Howard, give me a break. I am just trying to research the whereabouts of my new environment (after migration). I have no affiliation with the guys at Zytrax. I just mentioned their witnessed experience.

However, one could say that Zytrax don't mean to cause any harm; after all, they advocate the use of openldap - although we non-experts on OpenLDAP cannot tell if there are minor or major flaws in their "documentation". Their documents probably look appealing to LDAP newcomers because they follow a how-to attitude, which might feel especially helpful for initial deployments.

> As far as the OpenLDAP Project is concerned, conversion from slapd.conf to slapd.d is a one-way trip. Migrate everything else forward.

That's what we want too (this is why we migrated in the first place)! cn=config is great in that it includes everything in the directory. I am sure that the OpenLDAP project team will also be adding more and more to this fine structure (at least progressively), like support for comments/descriptions, esp. in ACLs (my thoughts on ACL sorting and commenting in another thread).

Thanks for your valuable time,
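The slapcat / edit / slapadd / test sequence Howard gives above, scripted as an added example (not code from this thread or from the OpenLDAP project); the default paths are assumptions, and the edit step between the two commands stays manual:

```shell
#!/bin/sh
# Added example, not code from the thread: stage a cn=config edit through LDIF
# (slapcat -> edit -> slapadd into a fresh directory -> slaptest), so the live
# slapd.d is never edited by hand. Default paths are assumptions; override them.
OLD=${OLD:-/etc/ldap/slapd.d}      # live cn=config directory (assumption)
NEW=${NEW:-/tmp/slapd.d.new}       # staging directory that receives the edit
LDIF=${LDIF:-/tmp/config.ldif}     # LDIF dump you edit between the two steps

# Step 1: dump database 0 (cn=config) of the live directory to an LDIF file.
dump_config() {
    old=$1 ldif=$2
    [ -d "$old" ] || { echo "no such config directory: $old" >&2; return 1; }
    slapcat -n0 -F "$old" -l "$ldif"
}

# Step 3: load the edited LDIF into a fresh staging directory and check it.
# slapadd -n0 expects a directory with no cn=config in it yet, so an existing
# target is refused rather than merged; slaptest -u checks the configuration
# without opening the backing databases.
stage_config() {
    new=$1 ldif=$2
    [ -s "$ldif" ] || { echo "empty or missing LDIF: $ldif" >&2; return 1; }
    if [ -e "$new" ]; then
        echo "refusing to reuse existing directory: $new" >&2
        return 1
    fi
    mkdir -p "$new"
    slapadd -n0 -F "$new" -l "$ldif" || return 1
    slaptest -F "$new" -u
}

# Step 4 is manual: once slaptest passes, give the new directory the same owner
# as the old one (slapadd leaves files owned by whoever ran it), swap the two
# directories and restart slapd. Keep the old directory as the rollback copy.
case "${1:-}" in
    dump)  dump_config "$OLD" "$LDIF" ;;
    stage) stage_config "$NEW" "$LDIF" ;;
    *)     echo "usage: $0 dump | stage   (edit $LDIF in between)" >&2 ;;
esac
```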