Re: Securing cn=config and allowing micro-engineering
On 20/10/2011 2:24 μμ, Howard Chu wrote:
Where do you get this "knowledge"? From Zytrax? slaptest tests "the
server configuration" - it doesn't matter whether it is in slapd.conf
I checked man slaptest (e.g. here:
http://www.manpagez.com/man/8/slaptest/) which is titled: "slaptest -
Check the suitability of the OpenLDAP slapd.conf file"; yet (my fault; I
didn't read thoroughly) I now see that at the Description section it
says: "It opens the slapd.conf(5) configuration file or the
So, if slaptest checks slapd.d config then fine!
Manually editing slapd.d files is the surest way of causing a problem
that prevents slapd from restarting.
slapcat -n0 -F old/slapd.d > config.ldif
slapadd -n0 -F new/slapd.d -l config.ldif
test using new/slapd.d
OK, I see. Valuable info.
Finally, there might be cases where ... someone would need to move to
Ask your buddies at Zytrax, they seem to think so.
Hey, Howard, give me a break. I am just trying to research the
whereabouts of my new environment (after migration). I have no
affiliation with the guys at Zytrax. I just mentioned their witnessed
However, one could say that Zytrax don't mean to cause any harm; after
all, they advocate the use of openldap - although we non-experts on
OpenLDAP cannot tell if there are minor or major flaws in their
"documentation". Their documents probably look appealing to LDAP
newcomers because they follow a how-to attitude, which might feel
especially helpful for initial deployments.
As far as the OpenLDAP Project is concerned, conversion from
slapd.conf to slapd.d is a one-way trip. Migrate everything else forward.
That's what we want too (this is why we migrated in the first place)!
cn=config is great in that it includes everything in the directory. I am
sure that the OpenLDAP project team will also be adding more and more to
this fine structure (at least progressively), like support for
comments/descriptions, esp. in ACLs (my thoughts on ACL sorting and
commenting in another thread).
Thanks for your valuable time,
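
The slapcat / slapadd / test sequence quoted in the message above, wrapped as a shell function. This is an added example, not part of the original message or of the OpenLDAP project; the function name `rebuild_config`, its return codes, and the use of `slaptest -u` for the test step are assumptions.

```shell
#!/bin/sh
# Added example: rebuild a cn=config tree from an LDIF export instead of
# hand-editing files under slapd.d. rebuild_config is a hypothetical helper.

rebuild_config() {
    old_dir=$1    # existing config directory, e.g. old/slapd.d
    new_dir=$2    # directory to create,       e.g. new/slapd.d
    ldif=$3       # file that receives the exported configuration

    if [ ! -d "$old_dir" ]; then
        echo "missing config directory: $old_dir" >&2
        return 2
    fi
    # Never import on top of an existing tree; always start from an empty one.
    if [ -e "$new_dir" ]; then
        echo "refusing to reuse existing $new_dir" >&2
        return 3
    fi

    # The export can contain olcRootPW values and every ACL: keep it private.
    ( umask 077; slapcat -n0 -F "$old_dir" > "$ldif" ) || return 4
    if [ ! -s "$ldif" ]; then
        echo "slapcat produced an empty export" >&2
        return 4
    fi

    # Make any configuration changes in "$ldif" at this point, not in slapd.d.

    # Build the new tree from the (possibly edited) LDIF.
    ( umask 077; mkdir -p "$new_dir" && \
      slapadd -n0 -F "$new_dir" -l "$ldif" ) || return 5

    # Validate the new tree before slapd is pointed at it. -u is dry-run mode:
    # the configuration is checked even if the databases cannot be opened.
    slaptest -F "$new_dir" -u || return 6
    return 0
}
```

A non-zero return leaves old/slapd.d untouched, so the running server's configuration is never at risk while the new tree is being built.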