
Re: Understanding dynamic configuration



On Jan 20, 2013, at 13.59, Ori Bani wrote:

> Hello,
> 
> I'm struggling a little with understanding the dynamic configuration
> system (sorry, but wanted to say my vote is for file-based config; the
> way some of this config has been put into LDAP feels forced and
> unnecessarily convoluted).  Specifically, I'm having a hard time
> getting my mind around how to manage and secure the configuration
> database.

your vote would likely mean more if it were cast *after* you overcame these difficulties, rather than before.

> What's tripping me up is how to reconcile the separate ldif files that
> contain global server-level configuration settings and config database
> level settings with what I understand to be the recommended way to
> manage those things -- using OpenLDAP client tools.

all of these "ldif" files are internal to slapd.  i don't understand what would need to be reconciled.  simply leave them alone.

> When starting a fresh server (CentOS6.3, installed from yum if that
> matters here), it's not clear to me how I can bind using ldapadd in
> order to modify global server settings.  Right now, I suspect the
> trouble is that the default databases have been created without a
> olcRootPw.  Do I have to violate best practices just long enough to
> add that setting to the cn=config/olcDatabase={0}config.ldif file?

the slapd configuration is stored in an ldap database.  you interact with it the same way you interact with any other ldap database.  if you could not access a "regular" ldap database via ldap commands, would you start mucking about in the files on the filesystem?  no - you would use the slapcat and slapadd commands.  as such, this is no different.  it's even specifically called out in man 8 slapadd.

> After that, do I bind to "cn=config" in order to change global
> configuration settings using the base DN "cn=config"? (The olcRootDN
> in the config database ldif file is "cn=config")

you bind to the configuration database [cn=config] whenever you want to look at or change the config.  the rootdn is not "in a file".  stop thinking like that.  it is in the config database.  inspect the contents of the config database with ldap* or slap* tools - again, just like any other ldap database.

> To modify settings for the configuration database itself, do I also
> use the same bind ("cn=config") but use a base DN of
> "olcDatabase={0}config.ldif,cn=config"?

i'm not sure what you're asking about regarding basedn here.  all of the configuration is stored in the ldap database with suffix cn=config.  there are of course subentries/branches/etc which correspond to various aspects of the config.  as with any ldap database, you bind to it with whatever credentials are suitable, regardless of where in the tree you plan on "working".

> I'm also curious, many of the examples I see for things like
> cn=Modules don't use the full DN, which I think is
> cn=Modules,cn=config.  Why is this?

what examples?

> I've read the website docs, the man pages, but I don't see any
> information that addresses how to initially bind to and start
> configuring the server in the Right Way.

while this aspect of the documentation continues to mature, there is quite a lot already available.  did you read the admin guide?  section 5 has significant discussion of exactly this.  additionally, getting the software from somewhere else [e.g. centos], which has been already built and configured by someone else who decided how you should use it, and then commenting here that it has been hard to figure out how it has been set up strikes me as a bit imprudent.
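As an added example (not part of the list post, and not OpenLDAP's own code), the procedure the reply describes in shell: inspect the config database with slapcat, and give it an olcRootPW by binding to the live cn=config with ldapmodify rather than touching the slapd.d files. It assumes slapd listens on ldapi:/// and that the packaged configuration (as on CentOS 6) grants local root "manage" access to cn=config via SASL EXTERNAL; if that is not the case, the supported fallback is slapcat/slapadd, as the reply says. Two details worth noting: the entry's DN is olcDatabase={0}config,cn=config (the ".ldif" belongs to the backing file, not the DN), and olcRootPW should be a slappasswd hash, which the script enforces.

```shell
#!/bin/sh
# Added example: manage cn=config with the ldap*/slap* tools instead of
# editing slapd.d/*.ldif by hand.  Assumptions: slapd listens on ldapi:///
# and local root may manage cn=config via SASL EXTERNAL (CentOS 6 default).
set -eu

# DN of the config database's own entry.  The backing file is named
# olcDatabase={0}config.ldif, but the DN carries no ".ldif".
config_root_dn() {
    printf '%s\n' 'olcDatabase={0}config,cn=config'
}

# Dump the whole config database (database number 0) offline.  Do this
# before changing anything; run it with slapd stopped.
show_config() {
    slapcat -n 0
}

# Build the LDIF that adds olcRootPW to the config database.  A cleartext
# value is refused: olcRootPW must be a slappasswd hash such as {SSHA}...
config_rootpw_ldif() {
    pwhash=$1
    case $pwhash in
        "{"*) ;;
        *) printf 'refusing cleartext olcRootPW; use: slappasswd -s PASSWORD\n' >&2
           return 1 ;;
    esac
    printf 'dn: %s\n' "$(config_root_dn)"
    printf 'changetype: modify\n'
    printf 'add: olcRootPW\n'
    printf 'olcRootPW: %s\n' "$pwhash"
}

# Apply the change by binding to the running slapd over ldapi with SASL
# EXTERNAL (local root identity); no olcRootPW is needed for this step.
apply_rootpw() {
    config_rootpw_ldif "$1" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Afterwards cn=config can be bound with the password, e.g.:
#   ldapsearch -H ldapi:/// -D cn=config -W -b cn=config olcRootDN
case ${1:-} in
    show)  show_config ;;
    apply) apply_rootpw "$(slappasswd -s "$2")" ;;
esac
```

Run `sh script.sh show` to inspect, then `sh script.sh apply 'PASSWORD'` to set the hashed olcRootPW; if the EXTERNAL bind is refused, that means the packaged olcAccess on cn=config differs from the assumption above, and slapcat/slapadd is the route to take.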