
Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries



Quanah, all of this is with due respect - I really appreciate how much time you've put into this project.


> They were never a multi-line string in slapd.conf, either.  You could just format things to pretend they were multi-line strings.

But this is irrelevant within the scope of usability. As far as the sysadmin is concerned, slapd.conf allowed multi-line strings for ACLs and schemas. This yielded great readability, as shown in the screenshots in the original message.


> I use Net::LDAP Perl module to handle ACL updates.  It's quite simple.  The same thing could likely be done in Python.  Plus replacing an entire ACL in cn=config is trivial, since you can delete the existing ACL using the {#} value, and you can insert new ACLs trivially by using a weight of where you want to insert it.

I don't think writing a custom LDAP client is "simple". Or, as David Blank-Edelman requests, perhaps you have some example code showing how simple it is? I have written LDAP scripts in Perl, Python, and PHP - so I'm not asking as a newbie. I'm having trouble imagining this being any more user-friendly than a decent LDAP client like Apache Directory Studio - which still isn't as readable as ACL .conf files. One could always pay special attention to the script's output/UI to make it more readable, but that's not trivial; I think something good would require ACL and schema parsing.


> You can optionally enable this at build time in OpenLDAP 2.4.30 for testing.  As it is an experimental feature, YMMV.

I have seen that in various threads. I'm happy to test it, but primarily I'm interested in cn=config entry deletion being a stable feature eventually. Just my $0.02.
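
Added example, not part of the original message and not code from the OpenLDAP project: a Python illustration of the workflow the quoted reply describes, keeping an ACL in readable multi-line form and turning it into one LDIF modify that deletes the existing `olcAccess` value by its `{#}` index and inserts the replacement at the same position. The database DN and the ACL text are constructed sample values, and the 76-column fold width is an assumption matching common LDIF tooling.

```python
# Added illustration: build an LDIF change that swaps one olcAccess rule.

def collapse_acl(text):
    """Join a slapd.conf-style multi-line ACL into a single olcAccess value."""
    parts = [ln.strip() for ln in text.splitlines()]
    parts = [p for p in parts if p and not p.startswith("#")]  # drop comments
    value = " ".join(parts)
    if value.startswith("access "):        # slapd.conf keyword, not stored in cn=config
        value = value[len("access "):].lstrip()
    if not value.startswith("to "):
        raise ValueError("ACL must start with 'to <what>'")
    if not value.isascii():
        raise ValueError("non-ASCII value would need base64 LDIF encoding")
    return value

def fold(line, width=76):
    """Fold a long LDIF line; continuation lines begin with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def replace_acl_ldif(db_dn, index, acl_text):
    """Delete olcAccess {index} and add the new rule at the same index, in one modify."""
    value = "{%d}%s" % (index, collapse_acl(acl_text))
    lines = [
        "dn: " + db_dn,
        "changetype: modify",
        "delete: olcAccess",
        "olcAccess: {%d}" % index,   # delete by index only, as the quoted reply describes
        "-",
        "add: olcAccess",
        "olcAccess: " + value,       # the {index} prefix sets the insert position
    ]
    return "\n".join(fold(l) for l in lines) + "\n"

# Constructed sample input (hypothetical database DN and ACL).
DB_DN = "olcDatabase={1}hdb,cn=config"
SAMPLE_ACL = """
# protect password hashes
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
"""

if __name__ == "__main__":
    print(replace_acl_ldif(DB_DN, 1, SAMPLE_ACL), end="")
```

The output can be reviewed as text before being fed to an LDAP modify tool; because the delete and add are in one modify operation, the rule list is never left without the replaced entry.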