
Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?



Simone Piccardi wrote:
> On 07/02/2014 18:36, Quanah Gibson-Mount wrote:
> > --On Friday, February 07, 2014 2:25 PM +0100 Simone Piccardi
> > 
> > <piccardi@truelite.it> wrote:
> >> Not to mention that slapd.conf is still far more readable than any
> >> slapd.d ldif...
> > 
> > Definitely not.  slapd.conf allows people to put things in all
> > sorts of random order that slapd "fixes" when it reads in the
> > slapd.conf file.
> 
> I never got any problem with it, having always used it in a correct
> order with well commented directives. But if ordering is needed, not
> having it enforced in the file configuration syntax is a design
> defect of slapd, not a shortcoming of using a text file for
> configuration.
> 
> > cn=config enforces correct ordering, so with cn=config you can tell
> > exactly what is happening, where it can be a muddled mess with
> > slapd.conf.
> 
> Using apache, postfix, bind, and so on I usually know quite well what
> is happening, just having a text configuration file. And I can use a
> generic text editor to modify it, and I don't need to feed the
> configuration to the program using some dedicated tool or talking
> the specific protocol they are serving.
> 
> I agree that the current slapd.conf has a lot of problems and is prone to
> abuse, and if you tell me that rewriting it in a saner way or simply
> maintaining it is too much of a burden for developers, I will not raise
> any further objection.
> 
> But this does not change the fact that slapd.conf is far more
> readable than a cn=config ldif file, where the use of LDIF syntax
> forces the use of that ugly curly brace index prefix to order things,
you are right, but it is easy to reformat things

> and makes visible irrelevant (for the sake of configuration)
> information like entryCSN, createTimestamp, and the like.
> 
> Perhaps I'm just getting old, but I still prefer the traditional Unix
> way to configure services, by the simple use of human (almost)
> readable text configuration files.
same for me ;-) but ldif may also look nice

# ldapsearch -LLLY external -H ldapi:/// -b 'cn=config' '(olcaccess=*)' olcaccess 2>/dev/null|fmt_olcAccess

dn: olcDatabase={-1}frontend,cn=config
olcAccess: to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: to dn.exact=""
  by * read
olcAccess: to dn.base="cn=Subschema"
  by * read

dn: olcDatabase={0}config,cn=config
olcAccess: to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break

dn: olcDatabase={1}hdb,cn=config
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=kronprinz,dc=xx" write
  by * none
olcAccess: to dn.base=""
  by * read
olcAccess: to *
  by self write
  by dn="cn=admin,dc=kronprinz,dc=xx" write
  by * read

# cat $(which fmt_olcAccess)

#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.

# the whole script
# 1. drop the {N} ordering index that cn=config puts right after "olcAccess: "
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
# 2. on every line but the last: append it to the hold space and start over
$!{H;d}
# 3. on the last line: append it, fetch everything back, unfold LDIF
#    continuation lines (newline + space), then put each "by" clause on
#    its own indented line
${H;g;s/\n //g;s/[[:space:]]+by /\n  by /g}



> 
> Regards
> Simone


-- 

Harry Jede
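An added example, written for this page and not part of the thread or of OpenLDAP: a Python counterpart to the sed formatter above that does the same unfolding of LDIF continuation lines and stripping of the {N} index, but keeps the rules as data, so the evaluation order can be taken from the index rather than from line position and a simple check can be run over the result. The input is a constructed sample in the shape `ldapsearch -LLL ... '(olcAccess=*)' olcAccess` returns (dc=example,dc=com is a placeholder); the check reports any rule that names userPassword in its "to" clause and gives anonymous or "*" more than the "auth" level from slapd.access(5), which is the opposite of the `by anonymous auth` / `by * none` pair shown in the mail.

```python
import re
from typing import Dict, List

# Constructed sample of what `ldapsearch -LLL ... '(olcAccess=*)' olcAccess`
# returns before formatting: {N} indices and values folded onto continuation
# lines (a leading space). The {2} rule is listed first on purpose to show
# that the index, not line order, decides evaluation order.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
  read
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
"""

# Constructed weak variant: userPassword readable by everyone.
WEAK_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by * read
"""

INDEX_RE = re.compile(r"^\{(\d+)\}")
# slapd.access(5) access levels, weakest to strongest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def unfold_ldif(text: str) -> List[List[str]]:
    """Split LDIF into entries (lists of 'attr: value' lines), joining each
    continuation line (leading space) back onto the line it belongs to."""
    entries: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        if raw == "":
            if current:
                entries.append(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def parse_access(value: str) -> dict:
    """Split one olcAccess value into its {N} index, 'to' clause and 'by' clauses."""
    m = INDEX_RE.match(value)
    index = int(m.group(1)) if m else None
    body = value[m.end():].strip() if m else value.strip()
    parts = re.split(r"\s+by\s+", body)        # parts[0] is "to <what>"
    if not parts[0].startswith("to "):
        raise ValueError(f"malformed olcAccess value: {value!r}")
    return {"index": index, "to": parts[0][3:].strip(), "by": parts[1:]}


def parse_ldif(text: str) -> Dict[str, List[dict]]:
    """Map each database DN to its olcAccess rules in evaluation ({N}) order."""
    acls: Dict[str, List[dict]] = {}
    for entry in unfold_ldif(text):
        dn, rules = None, []
        for line in entry:
            attr, _, value = line.partition(": ")
            if attr == "dn":
                dn = value
            elif attr.lower() == "olcaccess":
                rules.append(parse_access(value))
        if dn is not None:
            # rules without an index keep their line position
            rules = [r for _, r in sorted(enumerate(rules),
                     key=lambda p: p[1]["index"] if p[1]["index"] is not None else p[0])]
            acls[dn] = rules
    return acls


def render(acls: Dict[str, List[dict]]) -> str:
    """Same layout the sed script produces: index dropped, one 'by' per line."""
    out = []
    for dn, rules in acls.items():
        out.append(f"dn: {dn}")
        for r in rules:
            out.append(f"olcAccess: to {r['to']}")
            out.extend(f"  by {clause}" for clause in r["by"])
        out.append("")
    return "\n".join(out)


def password_exposure(acls: Dict[str, List[dict]]) -> List[tuple]:
    """Flag 'by' clauses on rules that name userPassword in their 'to' clause
    and give anonymous or '*' more than 'auth'. Rules that reach userPassword
    only through a later 'to *' are out of scope here."""
    findings = []
    for dn, rules in acls.items():
        for r in rules:
            if "userpassword" not in r["to"].lower():
                continue
            for clause in r["by"]:
                who, _, rest = clause.partition(" ")
                level = rest.split()[0] if rest else ""
                if who in ("*", "anonymous") and level in LEVELS \
                        and LEVELS.index(level) > LEVELS.index("auth"):
                    findings.append((dn, who, level))
    return findings


if __name__ == "__main__":
    print(render(parse_ldif(SAMPLE_LDIF)))
    print("findings (sample):", password_exposure(parse_ldif(SAMPLE_LDIF)))
    print("findings (weak):", password_exposure(parse_ldif(WEAK_LDIF)))
```

Run it as a script to see the rendered form (identical in layout to the sed output above) followed by the findings for both samples; to use it on a live server, feed the output of the ldapsearch command from the mail into `parse_ldif`. Base64-encoded values (`olcAccess::`) are not handled, and the exposure check is deliberately narrow: it only looks at rules that name userPassword explicitly.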