Re: Securing cn=config and allowing micro-engineering

On 20/10/2011 9:03 PM, Quanah Gibson-Mount wrote:

slapcat -n0 -F old/slapd.d > config.ldif
edit config.ldif
slapadd -n0 -F new/slapd.d -l config.ldif
test using new/slapd.d

I would note that OpenLDAP 2.5 (when released) adds a "slapmodify" command per my request. It allows you to do offline modifications of cn=config in a way similar to ldapmodify. This will also keep the CRC checksum intact.

slapmodify will surely be an important addition. (Although v2.5 might not be that close.)


Can we use:

   slapadd -n0 -F new/slapd.d -l config.ldif

while slapd is running?

Documentation states: Your slapd should not be running when you do this (i.e. when using slapadd) to ensure consistency of the database... But this command does not really interfere with the current database (which is in old/slapd.d). So please clarify.

If not, could this functionality be added to slaptest, so that it can be run while slapd is running? (e.g. add a "-l <config.ldif>" option which, if used in conjunction with "-F <newconfdir>", will build the config from <config.ldif> in <newconfdir>).
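The manual "edit config.ldif" step of the procedure quoted above, as an added example that is not part of this thread or of OpenLDAP itself: a small Python script that applies an ldapmodify-style replace to a slapcat -n0 dump offline, here swapping the config database's olcAccess for one that limits cn=config to local root over ldapi://. The sample dump, the ACL value and the function names are constructed assumptions; the result is what you would feed to slapadd -n0 -F new/slapd.d -l as the quoted procedure describes.

```python
import base64

# Constructed stand-in for `slapcat -n0 -F old/slapd.d` output (not a real dump).
SAMPLE_DUMP = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * read
olcRootPW:: c2VjcmV0
"""
# Assumed hardening ACL: only local root via ldapi:// (SASL EXTERNAL) may manage cn=config.
ROOT_ONLY_ACL = ("{0}to * by dn.exact=gidNumber=0+uidNumber=0,"
                 "cn=peercred,cn=external,cn=auth manage by * none")

def parse_ldif(text):
    """LDIF -> [(dn, [(attr, value), ...])]; unfolds lines, decodes '::' base64."""
    entries, current = [], None
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last entry
        if not line:
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
            if attr == "dn":
                current = (value, [])
            elif current is not None:
                current[1].append((attr, value))
    return entries

def replace_attr(entries, dn, attr, new_values):
    """Offline equivalent of an ldapmodify 'replace' on one entry; True if dn found."""
    for i, (edn, attrs) in enumerate(entries):
        if edn.lower() == dn.lower():
            kept = [(a, v) for a, v in attrs if a.lower() != attr.lower()]
            entries[i] = (edn, kept + [(attr, v) for v in new_values])
            return True
    return False

def to_ldif(entries):
    """Back to LDIF; values LDIF cannot carry raw are emitted base64 ('::')."""
    out = []
    for dn, attrs in entries:
        for attr, value in [("dn", dn)] + attrs:
            if value.isascii() and value.isprintable() and value[:1] not in " :<":
                out.append(f"{attr}: {value}")
            else:
                out.append(f"{attr}:: {base64.b64encode(value.encode()).decode()}")
        out.append("")
    return "\n".join(out)
```

Because the rewrite never touches the live old/slapd.d, the resulting LDIF can be loaded into a fresh new/slapd.d and checked with slaptest before slapd is ever pointed at it.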